Aligning the board, risk management, and internal audit

What is the executive leadership team (ELT) and the board worrying about? What are the topics on their agenda?

They are discussing these topics because they represent either opportunities to add shareholder value (such as major projects, acquisitions, etc.) or threats to that value – to the achievement of corporate goals, strategies, and objectives (such as the actions of competitors). They determine what actions to take and measure progress.

When the ELT and the board evaluate these opportunities and threats, then decide what actions to take, they are managing risk. They are understanding and responding to uncertainty with the objective of optimizing outcomes: increasing the likelihood of positive results and minimizing the negative.

If the ELT and board are to be successful, they need both the risk management and internal audit functions to be aligned with them. Risk management helps ensure they have all the information they need to steer the organization. Internal audit provides assurance that the processes involved in obtaining information can be relied on, and that the ship will respond to directions from the bridge.

Do the leaders of risk management and internal audit always understand what is on the ELT and board agendas? Do they have access to the bridge of the organization, so they understand what the captain is trying to do?

If the craft is to successfully navigate treacherous waters, taking advantage of tailwinds and clear channels:

1. The ELT and board must ensure they communicate to risk management and internal audit leaders what items are on their agenda.
2. The risk management and internal audit leaders must ensure that they receive and act on that information.

Do you agree?

  1. Andy B.
    March 12, 2013 at 8:26 AM

    Norman –

    I agree with your thoughts and would also make what I consider to be a couple of equally important additions. It is also imperative that RM and IA foster the type of relationship with the ELT and Board so that, not only do those two groups see the need and value in sharing their agendas with RM and IA, but also to view them as a valuable resource for not necessarily confirming their action items, but validating the methodology being used to arrive at their conclusions. There is a role to be played here by RM and IA evaluating whether the action items and agenda topics being considered by the ELT and communicated to the Board, are representative of the organization’s true risk profile. This is where RM and IA can truly be advocates on behalf of the Directors in making sure that the limited information being provided to the Directors is a proper representation of the Company’s risk environment, free from any type of underlying agenda or corporate politics.

  2. March 12, 2013 at 4:15 PM

    Norman – great post and I completely agree. I work for Symantec and we have found that it is imperative for the ELT and board to work together to manage risk. It is also important for the CISO or CTO on the ELT to help the board understand risk by clearly communicating what is at stake, and what plan is in place to remediate the risk. Having security metrics in place is another must. Metrics ensure that everyone is communicating and on the same page about the risk, deciding what will be done about the risk, and properly reporting the risk. Metrics also help the ELT and board measure the effectiveness of security controls and show accountability.

  3. Elizabeth Valentine
    March 12, 2013 at 5:33 PM

    An excellent post. I’d also go a step further in suggesting that the practical way of ensuring that this happens is for Executive and Senior Management KPIs to reflect simple performance measures relating to communicating key board decisions and issues raised to RM and IA. The board must in turn actively monitor any action items arising from the meeting and recorded in the minutes, and then place these on the agenda each board meeting. These simple processes worked well for us in the last organization I was Chief Executive of. It’s a combination of board minutes / action items and the organization’s and board’s use of the risk register as living documents.

  4. Thijs Elling
    March 13, 2013 at 2:53 AM

    Excellent post and nice discussion!!! Question: wouldn’t it be even better to align the whole organisation with ELT and Board’s evaluation of opps and risks? Eventually employees on operational level are increasing the likelihood of positive results and minimizing the negative!

  5. March 15, 2013 at 8:37 AM

    While I agree with your thoughts and ideas, I’m left with a question as to the extent to which internal audit (and perhaps Risk Management as well) should be involved in Strategic Issues; for instance, would it be within the Internal Audit/Risk Management scope to identify missed/potential/under-utilised opportunities as part of the risk assessment process?

    • Norman Marks
      March 15, 2013 at 2:44 PM

      When it comes to strategic issues, my view is that internal audit should consider whether the processes involved in setting and managing strategy are in good shape. I don’t look to audit to identify missed opportunities, just the fact that management’s processes don’t provide reasonable assurance they will be identified by management.

      Norman D. Marks, CPA, CRMA
      OCEG Fellow, Honorary Fellow of the Institute of Risk Management
      Evangelist and Mentor for better run business

  6. July 7, 2013 at 10:25 PM

    Thrilled I stumbled upon this excellent website.
    I work within the financial accounting discipline but writing is my personal love.
    My name is Iesha. I’m browsing the internet often for like minded writers and thought this was interesting post.
