A good friend at a large company recently asked me this question. He was looking for skills beyond what is required for any internal audit engagement.
In this post, I want to share my reply and his conclusion to see what we have missed. How would others answer this question?
This is what I said:
Have a look at this: http://normanmarks.wordpress.com/2010/11/25/one-size-fits-all-for-erm/
- I would prefer that the team include somebody with deep experience in risk management. This is one of those audits where I would not want the team to learn on the job, although it is possible for them to do a passable job if you have people with the right (other) skills and experience.
- A business focus, understanding that risks are part of running a business and you neither can nor should eliminate them. If you eliminate risk, you eliminate the business. Risk management is about how you deal with uncertainty, taking advantage of opportunities and limiting downside exposure — deliberately and with knowledge of what you are doing. Take the risks you need to and can afford. Make decisions with knowledge of related risks and with determination of how they will be monitored/managed. Be prepared to change strategies and decisions as risks change.
- An understanding of why you need risk management. What is it? Why do we say that managing risk should not be a separate process, but needs to be embedded in how you run the business?
- What value is needed from the risk management function and process at the company? Understand the "context" for risk management (see the post I referenced).
- Knowledge and understanding of the accepted risk frameworks. Although I prefer ISO:31000, the audit team will probably have to work with the corporate standard. If the company does not use an accepted framework, the audit team needs to be able to not only ask why not but understand whether this is a problem. What does the corporate standard omit or get wrong, if anything?
- The ability to work with all levels of management — including the executives at the top. They need to be interviewed to ensure they are involved in and support risk management, get the risk intelligence they need to make decisions and allocate resources, etc. Assess whether the information needed flows to and from those involved in risk management.
- Sufficient insight to be able to make constructive recommendations for improvement.
My friend decided these were the skills he sought:
- Business and industry understanding/knowledge (e.g., knowledge of our risk history, risk and control landscape, risk appetite, internal and external environmental factors that will influence the company, our mission and strategic plan, product lines, and understanding of business drivers).
- Facilitation skills (perhaps with knowledge of automated, anonymous voting technology) to facilitate assessment discussions with business unit risk officers.
- Knowledge of risk responses (auditors tend to focus on developing controls to manage risks, rather than the full range of risk responses).
- Risk evaluation (perhaps basic understanding of risk quantification and risk financing - elements of underwriting, insurable risks).
- Understanding corporate strategy and business planning (linkages to risk identification and resource planning).
- Knowledge and understanding of the accepted risk management frameworks (COSO, ISO:31000, etc.).
- Ability to work with, and easily converse with, all levels of management.
What would you add or change?