The State of Risk Management in Canada
I don’t remember the last time I heavily criticized an IIA publication. While I disagree (heartily) with the naming of the Three Lines of Defense model, it does a decent job of describing the distinction between the responsibilities of operating management and internal audit. So, I don’t call my criticisms of the IIA’s commentary on the model a “heavy criticism”.
I wasn’t looking for anything to criticize when I started reading a publication by Crowe Horwath in collaboration with IIA Canada. Mastering Risk: The State of Risk Management in Canada 2015 is a mish-mash of confused thinking about the management of risk, the design of internal controls, and the effectiveness of the internal audit function.
First, how can anybody “master risk”? Nobody can predict with certainty what might happen, let alone dictate its effects on the organization. The management of risk is riddled with uncertainty; even the most mature risk management activity can only provide its best guesstimate of what might happen and do its best to optimize the consequences.
Second, does this report provide any true insight into the “state of risk management”? Does it indicate whether risk management is effective, helping organizations execute on strategy, make informed decisions, and deliver optimized performance? The report has nothing to say – yet, isn’t that the promise of the title?
Third, since when are risk management professionals defined as including “members of the internal audit, risk management, or internal control functions, along with operational managers who have responsibility for the application and maintenance of internal controls”? By combining these three separate activities, which they have in spite of first promoting the three lines of defense model, they make it difficult to know when they are talking about risk management vs. internal control vs. internal audit.
Only 26% of the respondents were true risk management professionals. The majority, 56%, were internal auditors.
I am not going to list all the problems with this report. I only want to point out one interesting survey statistic.
Exhibit 11 lists the areas of internal audit focus. The survey asked respondents to select areas where “Your organization’s internal audit work provides an ongoing assessment”. The areas from which they had to select do not include any reference to the management of risk!
Why am I taking the time to review and discuss the demerits of this document?
- We all need to recognize that many self-proclaimed risk management experts have a poor understanding of its effective practice
- We need to keep the “thought leaders” and those who ascribe to that title honest. When they publish rubbish, they must be called out
- If you are selecting consultants, make sure they are worth what they charge
- When you read guidance like this, it is not surprising to see surveys of board members and top executives saying that they lack confidence in the management of risk and that it does not make a valuable contribution to the execution of business strategies
By the way, what is the state of risk management in Canada?