
Critical Actions Needed in Governance, Risk Management, and Internal Audit

This week, I was honored to present to 220 board directors at Bursa Malaysia, the Malaysia stock exchange (an event coordinated by my friends at IIA Malaysia).

The topic was “Governance, Risk Management, Compliance: What Directors Should Know” and if you are interested you can download a copy of my slides. I defined GRC as the capability that enables an organization to set objectives that deliver value to stakeholders, optimize performance to achieve or surpass those objectives through the management of risk, and act with integrity (which includes not only compliance with laws and regulations, but also meeting the expectations of the society within which we live and operate).

During the presentation, and in answer to a number of questions, I made the following observations about the critical actions necessary if governance, risk management, and internal audit are to be effective in delivering performance and value to stakeholders:

  1. The board should have a majority of directors who are independent of management (the exception being in a family business)
  2. The audit committee and the risk committee (if there is one) must include individuals with expertise in risk management – which extends beyond financial risks to all risks of significance to the organization, including reputation risk, operational risk, etc.
  3. Risk management must be recognized as being more than covering the back of the organization (i.e., a compliance activity focused on minimizing the potential impact of major disasters). Instead, it needs to be acknowledged as enhancing the ability of the organization to move forward and achieve or surpass its objectives. Risk management has to be embedded in strategy, performance management, and daily decision-making processes – enabling the organization (a) to make better decisions because it has information and is taking action in response to the uncertainty in its path, and (b) to optimize potential outcomes
  4. Board members cannot be effective without reliable, timely information or confidence in management’s processes and controls (including risk management). The best source for assurance on both counts is an internal audit department that is:
    1. Independent of management, reporting directly to the board or a committee of the board
    2. Led by an experienced and competent professional (the CAE) who was selected by the board and not by management. (It is not acceptable, in my opinion, for management to run the hiring process and present its selection to the board for approval)
    3. The CAE’s performance must be assessed by the board, not management, and the compensation of the CAE, including bonus, must also be set by the board
    4. The internal audit function has to be sufficiently resourced to meet its obligation to provide assurance and consulting services relative to the more significant risks to the organization
    5. Only the board can terminate or discipline the CAE, and only the CAE can terminate or discipline any of the staff of the internal audit function
    6. The CAE should report not only to the audit committee of the board, but to any committee that is responsible for oversight on areas addressed by internal audit. For example, the CAE should regularly report to a board’s risk committee, compliance committee, governance committee, etc.
    7. The internal audit function must provide assurance to the board or a committee of the board in the form of a formal opinion at least annually. That opinion will be based on the work performed (and the CAE should ensure that the audit plan considers all risks of significance to the organization) and include an assessment of whether the organization’s governance, risk management, and related internal control processes provide reasonable assurance that risks of significance to the organization are managed within acceptable levels/criteria
    8. Individuals who possess information about potential violations of the organization’s code of conduct, including but not limited to violations of law or regulation, should be able to report their suspicions to an objective party independent of the management responsible for the area, without fear of retaliation or other harm. That may mean reporting directly and anonymously to the audit committee, but in practice the latter will delegate this important responsibility to a trusted advisor, such as the head of internal audit, who can be relied upon to keep the allegation and related information confidential

Some observations and clarifications on the above:

  1. While many nations’ corporate governance codes or regulations require listed companies to have an internal audit function, there is no requirement to have an independent or competent one. That has to change. Too many organizations are complying with the letter and not the spirit of these codes by hiring an inexperienced individual who reports to lower-level management and not to the board
  2. While far too few internal audit departments are providing the opinion I say should be mandated (and which I provided for 20 years as a CAE), this should be the #1 priority for every CAE. It may take a couple of years to change not only the activity but the philosophy of the internal audit function, but this is critical if the board is to obtain the assurance it needs to be effective.
  3. The fact that CAEs have not provided an opinion in the past and audit committees have not been asking for one does not change the fact that this is critical. AUDIT COMMITTEES SHOULD DEMAND AN OPINION
  4. Far too many risk professionals and their management have limited the formal risk management program to a few (10-20) so-called ‘high’ risks that deal only with potential adverse events. For risk management to deliver on its potential, it has to enable management to make risk-intelligent decisions that drive performance – optimizing potential upsides as well as minimizing the downside
  5. Managing risk cannot be left to periodic meetings, workshops, and assessments. The business runs every day; risks change all the time; and the consideration and management of risk has to match the speed of decision-making
  6. RISK MANAGEMENT CANNOT BE A ‘CHECK-THE-BOX’ ACTIVITY to demonstrate compliance. The true test of risk management is whether management at all levels is able to confirm that information about uncertainty, together with related actions to modify risk, is helping them make better decisions and be more successful

I welcome your comments.

  1. Ehtisham Syed
    August 9, 2012 at 9:44 PM

    Hi Norman, another excellent post. How often should the corporate risk profile be reviewed, in your opinion? I think it should be made part of strategy review meetings which I think should take place at least 4 times in a year i.e. quarterly. Thoughts?

  2. Les
    August 10, 2012 at 12:22 AM

    Any progressive organisation that needs to maintain its profitability and reliability should have to keep track of its relevant daily activities that impact on its overall performance. Indicative key performance metrics and a balanced scorecard should be built into its business-as-usual operations. It can be tailored (ratio analysis etc.) to provide directors and senior management with a monitoring mechanism to keep track of its pulse rate. This will be an ongoing tool where the data analytics has to be relevant and pertinent to the business objectives of the organisation.
    Quarterly reviews may be performed independently; however, they are usually compliance and high-level reviews. These reviews may not discover potential problems, unlike a well-designed automated performance metrics tool.

  3. August 10, 2012 at 4:47 AM

    good stuff Norman…just reviewed your IIA Malaysia presentation. The 12 Questions are spot on. I am the president of a non-profit CDC that needs to address these critical board issues. thanks again for this contribution to the art and science of GRC….

  4. August 11, 2012 at 11:23 PM

    Yes, all points are consistent with my views. Having said that it doesn’t mean that risk and IA functions are up to the job, but they never will be unless these requests are made.

  5. Aly Osman
    August 12, 2012 at 4:42 AM

    Great stuff, we at UBL Funds are materially compliant with the said principles. I believe that it’s high time that the internal audit role is enhanced through not only audit but through conducting special assignments that deal with matters such as expressing opinions on management performance, unaddressed material risks and weaknesses in the management decision-making process. So many times internal auditors are well positioned to identify such gaps and make worthwhile recommendations but are restrained from doing so due to the mandate / scope-of-work issue and the instruction not to delve into management’s judgemental areas, although it could be value addition for the company if it gave serious thought to such recommendations.

    Aly Osman
    GM/ Head of IA & Compliance,
    UBL Funds, Karachi

  6. Ken Lauver
    August 15, 2012 at 1:23 PM

    Thanks for another great discussion. Your recommendations are spot on, but we must keep in mind that ultimately the CEO/CFO must determine the acceptable level of risk that a company is willing to accept!
    As you have questioned in other articles, input by IA tends to be on the negative aspects of risk and its potential for disaster to a company. We need to look at your suggestions above to ensure that audit staff look at the full spectrum of risk management so that management will be more likely to look forward to meeting with the risk and compliance team!
    Information on risk potential and, of course, actual occurrences must always be provided ASAP without waiting for a schedule, so a channel should be provided to communicate findings to management immediately when applicable.

    • Norman Marks
      August 15, 2012 at 1:48 PM

      Ken, thanks for the comment.

      From an internal audit perspective, I would encourage all practitioners to think about whether risks are at acceptable levels rather than trying to eliminate all risks. Too much control, to eliminate risk well below acceptable levels, is highly inefficient.

      As an example, my audit team at Tosco audited risks including theft at our >6,000 convenience stores (Circle K). We focused on whether theft (called ‘shrink’) was above 1% of revenue, because industry experience indicated that trying to drive shrink below 1% typically required controls that cost more than the reduction in theft.
