Dave Hancock’s ideas are stimulating and I hope you will share your comments after reading Felix’s summary of the highlights.

Felix’s Review

Last October I submitted to a whim and bought a new UK book, simply on the strength of its title: Tame, Messy and Wicked Risk Leadership (Gower, Farnham 2010) by David Hancock, the Head of Project Risk of London Underground and a visiting Fellow at Cranfield University.

Now admit to me, that title is intriguing! So I opened its 88 pages and thought, a “walk-through.”  Unfortunately, other, better-written tomes intervened and I’ve only now finished it.

Hancock starts by re-defining risks as four types: (1) tame – “straight-forward, simple, linear causal relationships” that can be “solved” by analytical methods; (2) messes: with “high levels of system complexity”; (3) wicked problems:  ”with high levels of behavioral complexity”; and (4) wicked messes: in which “behavioral and dynamic complexity coexist and interact. While I like these titles better that the ones we’ve been using, I really wonder: are not all risks “wicked messes?” Do we over-simplify too many situations?

But after trudging through these redefinitions, Hancock does come up with a few zingers:

• “Behavioral and societal aspects of risk are under-represented in risk management processes.”  True!
• “Risk management, constructed in accordance with the rules of probability, can give the illusion of control and understanding when in fact there is only further confusion.”  We think we know what we are doing!
• “The general perception among project and risk managers that we can somehow control the future is, in my opinion, one of the most ill-conceived in risk management.”   Agree!
• “Risk in our world is nothing more than uncertainty about the decisions that other human beings are going to make and how we can best respond to those decisions.”
• ” . . . remember that risk can be considered our friend (opportunity), not just our adversary.”  We must always consider the plus side.
• ” . . . risk (is) an illusory concept that exists in the consciousness of individuals developing a solution.” It is inherently a human perception.

It is Hancock’s summary on page 88 that makes this book worthwhile. He suggests a new title — Risk Leadership — inasmuch as we cannot “manage” risk, with the following characteristics (all direct quotes):

1. Recognizes the possibility of different outcomes and tries to ensure that risk activities are directed towards making an acceptable set of outcomes more likely.
2. Uses concepts and images which focus on social interaction among people, understanding the flux of events and human interaction, and the framing of projects within an array of social agenda, practices, stakeholder relations, politics and power.
3. Develops behaviours (sic!) and confidence in teams through scenario planning and team-building to identify and respond to risks and opportunities. (my italics)
4. Understand the ‘many acceptable futures’ proposition and manages risk to produce the changes needed to achieve acceptable outcomes.
5. Practitioners as reflective listeners (great point!). Learning and development facilitate the development of reflective practitioners who can learn, operate and adapt effectively in complex project environments, through experience, intuition and the pragmatic application of theory in practice.
6. Applies concepts and frameworks which focus on risk management as value creation, whilst aware that ‘value’ and ‘benefit’ will have multiple meanings linked to different purposes for the organization, project and individual.
7. Adapts the risk process to overcome major political, bureaucratic and resource barriers to develop change in behaviours (sic again!) through trust and managing expectations.
8. Based on the development of new risk models and theories that recognize and take cognizance (sic) of the complexity of projects and project management at all levels and that the model is only part of the complex terrain.
9. Has learned to live with chaos, complexity and uncertainty, and leads through example to a successful conclusion.

Isn’t this the beginning of a restatement of the [risk management] discipline? We can certainly simplify and abbreviate these nine points, but I see some new ideas at last. And “risk leadership” is a positive approach in contrast to the heavy burden of negativism that weighs down our discipline these days!

What do you think?

PwC has a fairly vanilla, traditional set of questions, and I have no problem with any audit committee and their advisors making sure these are addressed.

But, is this enough?

Lucy and the BBC interviewer, rightly, address the question of whether boards (and audit committees) are doing enough to represent stakeholders and their interests. I suggest that is a question every board and committee should be asking.

In other words, go beyond the tactical questions such as in the PwC piece, and take on the strategic issue of audit committee performance.

I suggest audit committees consider these questions:

1. Do the members and the committee as a whole have sufficient expertise and understanding of the issues facing the company and the committee to provide effective oversight? Is everybody an active or former CEO, except for a single retired CFO who fills the ‘financial expert’ requirement? Does that really meet the needs for a diverse committee with an understanding of the business environment (including regulatory matters); risk management; how to ensure quality external audit (more below) and internal audit performance; ethics; information technology; and compliance?
2. Does the committee have sufficient, timely, reliable, and current information? As Lucy and the interviewer ask, are you reliant solely on the information provided by top management? Is that sufficient? How will you know if it is incomplete? Are you getting the information you need when you need it to meet your governance responsibilities?
3. Is the committee sufficiently active, asking appropriate penetrating questions of management – and following-up to ensure actions are taken? Referring back to the BBC interview, are members of the committee willing to challenge the CEO, CFO, and general counsel?
4. Does management have effective risk management programs in place that provide reasonable assurance that risks (including opportunities) will be identified, assessed and evaluated, and then treated promptly to ensure they remain within acceptable limits? Ask clarifying questions about whether (a) the company is sufficiently nimble and agile so that it can respond when conditions in the market change, and (b) risk is an integral part of how decisions are made – including how strategy is set by executives and approved by the board. Unfortunately, the PwC commentary on risk management focuses on disasters and preparedness rather than the management of risks across the organization.
5. How can the committee ensure that the external audit team is (a) objective, (b) comprised of quality individuals in every geography, (c) basing their work on a solid understanding of the company’s financial reporting risks, and (d) working effectively with management and leveraging the insights of the internal audit team? Rather than wait for and rely on SEC actions, the committee should consider whether it has the means to evaluate the above and how the external audit firm measures up. There have been too many ‘audit failures’ over the last year or two for this not to be on the audit committee agenda.
6. Are the organization’s external reports driven solely by the need to comply? Do they meet the needs of the stakeholders for clear information? How far should the organization go to improve transparency and the use of plain English? Will the company disclose social responsibility and other information that is not yet required by regulation, but is increasingly sought by investors, the community, and other stakeholders?
7. Is the committee getting the most from internal audit? Does internal audit understand and provide assurance on the more significant risks? Do you get an annual opinion? Is internal audit helping you understand and address the maturity and effectiveness of governance and risk management processes?
8. With so many changes in economic conditions, indicators of a risk in fraud, and a continuing emphasis by so many on short-term results, how does management – with your oversight – monitor the culture of the organization? Consider not only the risk of fraud (in all forms), but the risk-taking culture of managers. Are they rewarded (at all levels, not just at the top) for success without being penalized for failure? Are they always penalized for failure and barely rewarded for success?
9. Are the systems and processes used to run the business, monitor and optimize its performance, and report its results ready for the future? Does management rely on old information to make decisions, or does it have real-time information (including risk information) so it can make quality decisions?
10. How are you measuring the performance and effectiveness of the finance function?

What do you think of these 10 questions? What would you change or add?

• Enterprise performance management: towards profit
• Integrating risk appetite into business strategy
• Why integrating risk and strategy is important

Then there are the risk management standards (such as ISO 31000:2009) and frameworks (such as COSO ERM), which address the need to manage the effect of uncertainty on business objectives so the latter can be achieved (or surpassed).

What I want to do in this post is share my personal perspectives on the flow and relationships between these items. As you will see, it is not a simple relationship at all!

Objective and Strategies

Organizations exist to create value for their stakeholders. Governments provide public services for residents while corporations generate profit and share value for shareholders. (Simplistic version)

Objectives are established to create that value, and strategies are how the objectives will be achieved. They are best set with a solid understanding of risks (I use the word to include potential events that could have either positive or negative effects, as well as the uncertainty around forecasts and projections).

1. If you understand the risks inherent in different objectives and strategies, you can decide which among them to adopt. Which is more likely to succeed and create value (and how much), and can the risks be kept with acceptable limits?
2. If you understand the risks inherent in an objective or strategy, you can set appropriate targets. For example, you might slow down the target date for a product launch so you have time to manage the risk of quality defects and allow a vendor time to ramp up production of a new component.
3. You can also plan to execute in a way that will minimize harmful and maximize potential positive results (which includes planning and resourcing any required actions such as new controls to treat the risks).

So, objectives and strategies are set with an understanding of related risks and how they can be managed to remain within acceptable limits.

Objectives, Strategies, and Risk – Part 1

As advocated in both ISO and COSO guidance, organizations need to manage risks related to the achievement of their objectives. So, organizations should (IMHO) ensure they have a top-down process for identifying, assessing, evaluating, and treating risks to each objective.

So, risks are ‘managed’ within the context of the organization’s objectives and strategies.

Performance Management and Risk

Monitoring and optimizing performance should include consideration of risk levels. Kaplan has recommended that balanced scorecards include not only key performance indicators (KPI) but key risk indicators (KRI) as well.

It’s not enough to know that you are proceeding down the freeway at 80 mph (seemingly ahead of targets) if you don’t know that there is dense fog ahead and a high risk of accidents if you don’t slow down.

Objectives, Strategies, and Risk – Part 2

Risk management includes monitoring and generally keeping tabs on what is happening, whether new risks are emerging, and whether risk levels are changing.

What is often overlooked is that management should consider modifying objectives and strategies based on new assessments of risk and whether they can be managed within acceptable limits. Has the danger of the current course increased? Is there a new potential for a faster route?

If objectives/strategies should perhaps be modified, go back to the start.

In my mind,

1. Risk and objective/strategy-setting are, or should be, inseparable
2. Performance management without considering risk is flying blind
3. Risks are managed within the context of achieving objectives

What say you? Does this make any sense?

I thoroughly endorse and like these points:

• Even in the good times organisations can be caught out by the unexpected. Businesses that can’t respond in a controlled and profitable way will fall behind the competition and ultimately fail.
• Achieving financial forecasts takes more than luck and good foresight. It requires a planning model capable of detecting changes in customer demand and sales trends and then flexing the sales activities and production to secure the targeted financial result.
• Integrated business planning refers to the alignment of planning, budgeting and forecasting across an organisation’s key functions of sales and marketing, supply chain and finance. In executing this process effectively, an organisation can arrive at a planning result that fulfils its overall strategic goals.
• Integrated business planning is about understanding what makes money for your business and ensuring you are equipped to make profitable responses to both market changes and unexpected events. It starts with obtaining a good understanding of which channels, customers and products make money, not just in terms of direct margin, but full end to end costs.
• The benefits of getting the organisation pulling in the same direction, supported by reliable information, cross functional governance, technology and master data management, are substantial

What is the hole? What is the omission?

A four-letter word: RISK

Risk management has to be part of the integrated processes for business planning and then performance management. Risk management is how you consider and respond to uncertainty in the business.

If this article had included the risk management function as one that needs to be a core contributor to enterprise performance management, then I would praise it to the skies.

Have you integrated business planning, performance management, and risk management?

In this post, I am going to try to summarize what the document says. I then will ask your views on whether you agree with this way of assessing the adequacy of internal control. (BTW, I am going to limit the discussion to COSO lingo and not introduce any ISO or other terms.)

We have to start with the definition of internal control, which is unchanged from the 1992 edition:

“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.
• Reliability of reporting.
• Compliance with applicable laws and regulations.”

Before taking on the issue of evaluation, let’s look at two key phrases in the definition above: “reasonable assurance” and “objectives”:

Reasonable assurance

The discussion in the draft of “reasonable assurance” (in paragraphs 21-22) does not use risk management terms. (What I mean by that is that it doesn’t talk about ensuring the risk to the achievement of objectives is acceptable, within organizational tolerances). It simply acknowledges that factors outside the system of internal control (such as human error or judgment) can affect achievement of objectives. As a reminder, here is the definition of enterprise risk management from the COSO ERM framework:

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Objectives

In paragraph 30, the ICF draft provides a nice summary:

“An organization establishes a mission, sets strategies, establishes the objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole, or be targeted to specific activities within the entity.”

It is arguable whether objectives such as obtaining a 30% operating margin, growing revenue by 10%, or improving customer satisfaction by 10% can be readily placed within the three categories of objectives identified in the draft.

The COSO ERM framework adds a fourth category of objectives to the three in the ICF. It describes the four as:

• Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations.

The examples of business objectives I listed earlier would presumably fit under “Strategic”. I can’t explain why the ICF draft does not include this category. In lieu of a Strategic category, they would have to fit in the Operations group.

Assessing internal control effectiveness

The draft ICF starts the discussion at paragraph 71:

“An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. To have an effective system of internal control relating to one, two, or all three categories of objectives each of the five components must be present and operate together in a manner that reduces, to an acceptable level, the risk of not achieving an objective.”

As a reminder, the three categories of objectives are Operations, Reporting, and Compliance. The five components are the Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.

The assessment flow continues at paragraph 76:

“In assessing whether the system of internal control is effective, senior management and the board of directors determine to what extent the principles and, in turn, the corresponding attributes associated with each component are present and functioning.”

For each of the five components, the draft ICF describes principles: 5 for Control Environment, 4 for Risk Assessment, 3 for Control Activities, 3 for Information and Communication, and 2 for Monitoring – a total of 17.

Moving to 78:

“When a principle is deemed not to be present or functioning, an internal control deficiency exists. Management applies judgment in evaluating whether a deficiency prevents the entity from concluding that a component of internal control is present and functioning.”

The key

As I read it, the draft is saying:

1. To have an effective system of internal control, the risk of not achieving an objective is reduced to an acceptable level. CHECK
2. For the risk to be acceptable, all 5 components must be present and functioning. QUESTIONABLE
3. The way to assess whether each component is present and functioning is to examine whether the related principles are achieved. OK IN PRINCIPLE (pun intended)
4. If any of the principles are not achieved, you need to assess the deficiency as to whether the related component is present and functioning. OK

The issues

My major issues are:

1. I struggle with the categories of objectives. I think we are better off talking about achieving the organization’s strategies and objectives to create value, rather than confusing the issue with 3 categories that don’t clearly match to an entity’s strategic plan.
2. I am not persuaded that all 5 components must be present and operating effectively for the risk to be considered acceptable. I am sure that one or more may be ineffective, but the nature of the objective and the other controls mean that the risk level is not excessive.
3. I fear that the 17 principles will become a checklist.

My preference

1. Eliminate the three categories of objectives and replace them with one: the achievement of the entity’s strategies and objectives for creating value. Failures in reporting or compliance, if significant, will result in a failure to achieve strategies and objectives (via penalties, loss of share value, etc.)
2. The system of internal control – as a whole – may be considered effective if the risk to the most significant objectives (i.e., not necessarily all of them) is reduced to an acceptable level. It may be effective even if:
   1. The risk of non-achievement of minor objectives is higher than acceptable, or
   2. The risk of non-achievement is only marginally high for a limited number of objectives, and acceptable when considering the overall success of the organization
   3. Require judgment as to whether the overall risk to achievement of strategies and objectives is acceptable, considering the combination of controls within and across all 5 components.
   4. Retain the principles, but change the language to say that these should be considered if there is a desire to assess each component individually. Remove the inference that we now have a checklist of 17 items.

In other words, simplify the assessment flow to answering one question:

Does the system of internal control provide reasonable assurance regarding achievement of the entity’s objectives?

This question can be applied to the strategies and objectives for creating value – as a whole, for a group of strategies/objectives, or for individual strategies/objectives.

Do you agree? If not, please share your views.

I will later share the top posts on the IIA blog.

James starts out well in this section, with a quote from GE:

“General Electric Corporation once described lean as “the relentless pursuit of the perfect process through waste elimination”, but in an IA context it is about ensuring that IA resources are focussed on delivering value to key customers, streamlining the processes and behaviours that support this, and eliminating those that don’t. Lean principles would define value as “any action or process that a customer would be willing to pay for”.

He goes on to explain how the internal audit team should give a priority to the voice of the audit committee, and not be pulled off track by trying to meet all the demands from management – at the expense of focusing on the needs of its primary stakeholder. That is well said, and I agree 90%.

I differ with James, though, when you move on from there. I would also like to share some tips for achieving lean auditing.

I have worked in companies where the margins were extremely low, resources were thin, and we had to make sure there was no wasted effort (muda in Japanese, the language of Lean). I have also worked at a company that used Lean Six Sigma (see here for a high level explanation) to drive efficiency in its manufacturing and other processes, and received training on the techniques and principles involved. So, I have been thinking about ‘lean auditing’ for many years and would like to share some ideas that extend beyond James’ piece.

• While we need to listen to the voice of our primary stakeholder (for most of us this is the audit committee), we also need to recognize that sometimes the audit committee’s insights into the value we can provide are limited. If they are bound by traditional experiences to believe that internal audit should focus on financial processes and compliance, together with fraud detection, we should work with them to move their expectations up the value chain. We should (IMHO) be providing them with assurance that the more significant risks are managed within acceptable limits, augmented by consulting services to enable improvements to that level. It is not sufficient to listen to the voice of the audit committee when that voice is sending an incomplete message.
• We should look very carefully at all our internal audit processes and drive out activities (muda) that are waste, because they carry cost and provide little value – relative to the cost. One technique is to capture, for a sample of audits, how long people spend on different tasks: planning (generally not enough), testing (frankly, often past the point where you know the results), documentation (see #5 below), reporting and communication (too much of the first and too little of the second), supervision and management, etc.

Here are some of the areas where I have identified muda in the past:

1. As James points out, we should only be auditing what matters. If we are trying to audit a key risk to the business as a whole, the materiality for defining the scope of an audit of processes pertaining to that risk at any individual location should be based on the business as a whole, not based on the risk to the objectives of the individual location.
2. Do we continue auditing after we have identified a weakness? Why? Is it so we can prove the weakness in a court of law? How likely is that? Once management has agreed to the fact that the control is ineffective, why keep auditing it?
3. Do we keep auditing after it is obvious that everything is in great shape and the risk is low? Where is the value in that? (See the Tosco link later on and the reference to “stop-and-go-auditing”.) Once you know the risk is managed within acceptable limits, stop – even if you haven’t finished everything in the audit program!
4. Are we auditing an area where the issues are well-known and are being addressed? It may be high risk, but an internal audit engagement would have low value.
5. Do we spend too much time on working papers? Make sure you understand the value and only spend the resources appropriate to the value. For example, my approach is to review people’s work by talking to them and focusing on the report (the key end product we manufacture). The working papers are not where I spend a lot of time, especially when I know the auditor is experienced and I have no reason to suspect they didn’t perform the tests. If there is a lot of value (for example, the working papers will be re-used the next year to streamline a repeat audit, if management is expected to challenge the results, if a regulator needs to review the work, or if there is a possibility of related litigation) then there is merit in allocating scarce resources to working papers. But, if they are consigned after supervisory review to a file drawer (physical or electronic), never to be seen again, then why spend money creating them? Do enough, not more than enough. [As an aside, years ago I had a benchmarking discussion with the internal audit team at Atlantic Richfield (then a major oil company). They told me that they spent 40% of their time on documentation. How do you stack up? How much time do you spend?]
6. Are you reporting issues that don’t matter (except to your pride)?
7. Are your reports timely? If not, then where is the value?
8. Are you driving change? If management is not accepting your points and making appropriate changes, then you are wasting resources. Something is wrong in your internal processes, and you should look in the mirror for the root cause.
9. Does your audit report get to the point? Does it say more than would be required to explain the results to the CEO in 2 minutes? Say what needs to be communicated, and then stop. Anything else can be handled in memos to operating management.
10. Do you have the staff to be lean? Do they have sufficient experience to perform stop-and-go auditing? Can you trust them to know when the risk is acceptable? Are your managers spending more time on reviews and training of junior staff than they would spend if they did the work themselves?

Years ago, the Journal of Accountancy published a piece about my program at Tosco. As I reread it today, I think I got it mostly right. The only point I would add for a 2012 perspective would be a focus on using the available tools to be efficient and effective. Do you agree?

What do you think of this approach? It is not the ‘traditional’ approach to internal auditing, but I think it necessary if you are to make the best use of resources.

• “It was your idea. Congratulations on the new job.”
• “You really understand risk and risk management, so you are the best person to lead the department.”
• “There is synergy between risk management and internal audit, and we have limited resources.”
• “Risk management and internal audit fit together and we don’t have a better place for it right now.”

Back in 2004, The IIA issued a Position Paper on The Role of Internal Audit in Enterprise-wide Risk Management. That paper, which included the famous fan (below), distinguished between roles that are (a) core internal audit roles, (b) legitimate internal audit roles as long as certain safeguards are in place, and (c) roles internal audit should not undertake.

Activities related to providing assurance on risk management (the left side of the fan) were considered core, but those that involved taking ownership for how the organization assesses and responds to risk (the right side of the fan) are ones that internal audit should not take. The ones in the middle were determined to be acceptable activities as long as these safeguards were in place:

1. It should be clear that management remains responsible for risk management.
2. The nature of internal audit’s responsibilities should be documented in the audit charter and approved by the Audit Committee.
3. Internal audit should not manage any of the risks on behalf of management.
4. Internal audit should provide advice, challenge and support to management’s decision making, as opposed to taking risk management decisions themselves.
5. Internal audit cannot also give objective assurance on any part of the ERM framework for which it is responsible.  Such assurance should be provided by other suitably qualified parties.
6. Any work beyond the assurance activities should be recognized as a consulting engagement and the implementation standards related to such engagements should be followed.

Has this position paper stood the test of time? Can it be applied successfully to the current situations where the same individual (formerly the head only of internal audit) runs both internal audit and risk management?

I believe that the fan is in decent but not perfect condition. I would move two roles from the ‘legitimate with safeguards’ group to the group of roles internal audit should not undertake:

• “Maintaining and developing the [enterprise-wide risk management] ERM framework”. Because this would typically include the organization’s risk management policy, at best internal audit should only be involved as a consultant and advisor when management develops and later maintains the framework.
• “Developing [the risk management] RM strategy for board approval”. While internal audit can be a valuable contributor, the strategy for implementing risk management and growing its maturity should be a management responsibility.

I would add another element to the fan (on the right) to the effect that the processes of assessing and evaluating risks are also a management responsibility. I would also add a seventh safeguard:

7. Assuming responsibility for risk management activities should not adversely affect the level or quality of internal audit services. It is too easy for the CAE to shift her time and attention away from internal auditing to establishing the risk management function.

The following dictum in the Position Paper remains the ‘acid test’:

“The key factors to take into account when determining internal audit’s role are whether the activity raises any threats to the internal audit function’s independence and objectivity and whether it is likely to improve the organisation’s risk management, control and governance processes.” If a CAE was asked today to assume responsibility for risk management in addition to internal audit, my advice would be:

1. Make it clear to management and the board that you cannot assume any responsibility that would represent a real or perceived threat to your independence or that of your team when it comes to your internal audit responsibilities.
2. All of the safeguards described above, especially the first five, must be in place.
3. All of the activities on the right side of the fan, plus the three I have added, are management responsibilities.
4. In order to maintain both the reality and perception of internal audit independence and objectivity, I would separate the staff involved in internal audit tasks from those involved in risk management. If at all possible, I would hire a dedicated risk officer.

Some companies have positioned the internal auditing function under a Chief Risk Officer (CRO) who does not have the title of CAE or a background in internal auditing. The CAE in those companies reports functionally to the audit committee and administratively to the CRO.

Is this different from the situation where the CAE assumes responsibility for the ERM program? I believe the most important distinction is that there is a possibility that the CRO might attempt to influence internal audit’s reporting of deficiencies and the risk they represent. After all, in many companies the CRO is responsible for assessing the level of risk and ensuring it is within approved tolerances. So internal audit would be auditing their manager’s work.

I saw this in person when I interviewed for a position as CAE of a major credit card company several years ago. The position would have reported to the CRO and when I met him I was impressed with his knowledge of the business and his working relationships with the top executives and the board; I enjoyed his very personable style. But when the discussion turned to reporting the results of audits to the audit committee, I asked him what would happen if the risk office had assessed the level of risk as low and the internal audit found deficiencies implying the risk was high. He left no doubt that the risk level that would be reported to the audit committee would be that determined the risk office. In fact, he was clearly concerned that internal audit would want to report on risk levels at all.

Some internal audit leaders think that the CAE should only ‘own’ risk management in two situations:

• When the company is starting the program, or
• When the organization is too small to have a separate risk management team

I am going to disagree. If handling both areas meets all the tests described above, all the required safeguards are in place, and (especially) this is good for the organization, then I see no reason why the CAE should not take it on. It represents an opportunity for growth, not only for the CAE but also for the rest of the team. Moving into risk management is a new and interesting career progression opportunity for internal auditors.

What are your views? Do you agree with what I suggest, above/

Note: this article first appeared in the December 2011 issue of the Internal Auditor, in the Governance Perspectives column, which I edit.

Here’s an excerpt:

The Louvre Museum has 8.5 million visitors per year. This blog was viewed about 79,000 times in 2011. If it were an exhibit at the Louvre Museum, it would take about 3 days for that many people to see it.

Click here to see the complete report.

I believe that is the road to ruin.

Our job should be to help the organization succeed, and we do that by helping PREVENT defects. Our primary role is ASSURANCE, not performing audits to report issues.

Contrast these situations:

1. The auditor strolls into the room, which is full of cops, and points to the body. “You have a dead body on the floor.”

2. The auditor works with the building architect and critiques the provision of fire and smoke detection and alarm systems, as well as the fire suppression system and availability of exit routes. She advises on the need for fire safety training and drills.

Which is more valuable to your company?

Which are you?