Internal audit and ERM accused of failing to hit the mark

The consulting firm CEB (now part of Gartner) published a piece in 2014, Executive Guidance: Reducing Risk Management’s Organizational Drag.

It has been used recently to support an argument by a critic that both internal audit and ERM are failing. This was said in the last few weeks on Twitter:

  • “CEB survey focuses on some key failings of traditional internal audit and ERM.”
  • “CEB survey report does a good job describing problems with IA/ERM but not as good with its prescription to fix the problem.”
  • “CEB/Gartner report puts the spotlight on assurance silo overload.”

Leaving aside the fact that it is a 2014 product based on 2012 and 2014 analysis (and therefore should not have been used to discuss the current situation), how good is the CEB piece and what does it say about (a) internal audit, and (b) risk management? How accurate and relevant are its observations today?

Unfortunately, the critic mistakenly conflates internal audit and risk management. Both have their challenges, but they are different – different challenges for different organizations.

One is part of management and the other is independent.

Lumping them together confuses and distracts from addressing their individual challenges.

The CEB piece gets off to an awful start with this sentence:

In the present day, when those types of risks [financial and hazard risks such as the effects of a typhoon] can be transferred through hedging and insurance, they have taken a backseat to strategic, operational, and reputational risks that assurance functions and business leaders must identify and manage themselves.

First, practitioners know that you cannot really “transfer” a risk. That is dated thinking (sorry, insurers). Instead, you are sharing it more often than not. For example, there is always a possibility that the insurance claim will be denied, the insurer will fail, or not all the effects will be fully compensated.

Secondly, assurance providers do not “identify and manage” risks – that is the responsibility of operating and executive management with oversight from the board.

CEB recovers somewhat when they talk about how the increasingly extended enterprise and the growing volume of data captured by any enterprise has changed at least part of the risk landscape.

But then they start to categorize risks, saying:

With shareholder value as the barometer, the most potentially damaging types of business risks are the strategic ones, such as competitive incursions or declining demand for a core product. CEB’s analysis of significant market capitalization declines in the past decade shows that 86% of them were caused by risks that were strategic in nature—with operational risks as a distant second place.

Risk is the effect of uncertainty on objectives. That means that to properly assess any source of risk you have to consider how it could affect the achievement of specific objectives.

So, the only risks that rate as “high” would be those with a significant potential effect on the achievement of objectives.

Operational miscues can have a dramatic effect on objectives, leading to customer dissatisfaction and loss, product failure, and so on. Just think of Deepwater Horizon.

Compliance failures can similarly impact objectives when they are so severe that operations are constrained or even closed. Consider the Novartis problem in Japan.

CEB’s analysis by categorization is fallacious and misleads more than it helps.

If you say that strategic risks are those that might have a significant effect on objectives, which can include operational and compliance risks, then it is only to be expected that these are the ones that result in failures to execute and deliver on strategies.

Then there is the paragraph that has drawn the attention of the critic:

At most companies, however, assurance departments with the formal responsibility of identifying (and sometimes managing) risks—such as with Internal Audit in the following graphic—consider strategic risks to be out of their scope and instead see them as business owners’ responsibility.

This is simply a misreading of the situation.

While it is true, based on other surveys and my own observations (the CEB offers no evidence to their observation) that many internal audit functions do not include all significant risks to enterprise objectives in their audit plans, it is not because they consider them “out of scope”.

All risks are potentially auditable. CEB gets that 100% wrong.

Further, all risks are business owners’ responsibility, so the statement about strategic risks being business owners’ responsibility carries no weight.

IMHO, it’s true that many internal audit functions don’t include all significant sources of risk to strategies and objectives in the audit plan. But the reasons lie elsewhere.

It may be because:

  • They don’t have the resources or ability to address them and are unwilling to ask for those resources.
  • They simply didn’t think of them.
  • The audit committee doesn’t support their auditing these issues.

That’s all that is said by CEB about internal audit. The rest is about risk management.

The following CEB assertion may be true (again, no evidence is offered but I believe it to be often true):

Operational executives know risk and strategy go hand in hand, but they struggle to address them together. Similar to how enterprise risk management (ERM) efforts rarely link cohesively into corporate strategy, typical strategic planning processes run by line executives do not do enough to incorporate and address risks.

I entirely agree with these excerpts:

  • Too much focus on risk versus reward can encourage “risk aversion,” resulting in lost growth opportunities.
  • The risk prevention activities (i.e., eliminating any chance of risk) that are appropriate for other kinds of risks can lead to avoidance or aversion of strategic risks that companies would be better off taking. When companies overemphasize the risk (not reward) of strategic decisions such as developing new products, entering new markets, or selecting merger and acquisition targets, they can inadvertently foster indecision or inaction among executives and frontline staff by making them too cautious.
  • Leading companies view every decision they make as a risk decision; they explicitly link risk to overall corporate strategy and deliberately choose their risks with great calculation.
  • In short, leading companies win because they empower their employees to take and manage risks, not because they do a better job preventing them.
  • Incorporating multiple perspectives on both risk and opportunity removes biases in the planning process and improves confidence in strategic decisions.
  • Scenario planning is a common approach that incorporates strategy and risk. Leading companies are increasingly conducting scenario analyses on hypothetical strategies to identify potential outcomes, associated risks, and alignment with corporate risk thresholds.
  • Embedding risk in strategic planning, and vice versa, is most effective during planning months and for a short time afterward. But during the rest of the year, risk-comfortable executives who lack clear understanding and guidance on what is, and what is not, an acceptable level of risk will expose the company to greater risks through their day-to-day decisions.
  • From our experience, leading companies that ensure a risk-based context for strategic decisions improve decision quality by as much as 42%, and companies that effectively reduce risk aversion can accelerate executive action by 34%.
  • Companies’ greatest risks are their people. Instead of focusing disproportionately on risk processes, leading management teams and assurance groups anticipate and manage the root cause of most risks: human behavior and judgment.

So overall, the CEB has some good stuff. I really like much of their language, especially in the points above about risk aversion and indecision. There is more in their document that has merit, especially about human bias and how it affects judgement and risk-taking.

But does it capture all or even the more significant problems with either internal audit or ERM practices? Does it offer the right solutions?

I am not persuaded that it does on either count.

I am not going to conflate the two separate activities. Let’s take them one by one, starting with internal auditing.

First, I have to say that while there has been significant progress in internal audit practices over the last several years, problems remain. As I have written before, the majority of board members and executives report that they do not believe internal audit addresses the risks that matter to them, the more significant risks to enterprise objectives.

This is critical!

In addition, many internal audit functions:

  • Only update their audit plans annually. They should instead, as recommended by Richard Chambers and me, be updated continuously – at the speed of risk.
  • Do not provide assurance on the management of risks to objectives. Instead, they assess and rate controls without indicating which objectives might be affected and by how much.
  • Do not provide actionable information, helping leaders know not only what might be wrong but whether strategies and even objectives might need to be changed.
  • Limit the insight they provide to what is written in the audit report. It’s so much better to have a conversation.
  • Make it difficult for leaders to find the nuggets of valuable information in their audit communications by burying them in a mountain of trivia in their audit report. Auditors need to communicate what leaders need to know, not what they themselves want to say, and do it clearly, concisely, and promptly. Leaders need actionable information now.

If CAEs and their teams focus on these six points, they are on the way to success.

Turning next to risk management, the CEB identifies some important points.

But there is a huge disconnect between practitioners and leaders at many if not most organizations.

Here are some of the problems, all of which I have written about before. Too many risk management functions:

  • Focus on the possibility of failure instead of how to succeed.
  • Think that the periodic review of a list of risks is risk management. It is not. It is enterprise list management (DeLoach). Risk needs to be managed continuously.
  • Focus on risks out of context instead of the possibility and degree that an enterprise objective might or might not be achieved.
  • Do not set as a goal helping decision-makers make the informed and intelligent decisions necessary for success.
  • Apply their discipline only to the possibility and magnitude of potential bad things, not to both good and bad.
  • Fail to recognize that an event or situation can have multiple effects, some of which are good and some not so much.
  • Talk in their own technobabble (i.e., risk) instead of the language of the business. It is better by far to talk about what might happen and whether that is OK.
  • Do not understand that risk is taken or modified with every decision. Relying on a corporate-level risk appetite statement doesn’t guide every decision and taking of risk.

There is more, but if risk managers address these eight points, they should be on the way to success.

I discuss both issues, internal audit and risk management effectiveness, in separate books: Auditing that matters and World-Class Risk Management. There is more to be said and done on this topic, and hopefully both practitioners and their critics will see value in reading them.

What would you add?

I welcome your comments and perspectives.

  1. Jerry
    July 16, 2017 at 6:49 AM

    Interesting indeed. Where do I get the CEB document?

    • Norman Marks
      July 16, 2017 at 6:51 AM

      There’s a link in the post. Click on the title of the report.

  2. July 16, 2017 at 8:05 AM

    Norman: With respect, since I think I am “the critic” I don’t confuse risk management and internal audit. In the objective centric approach we promote ERM specialists focus on helping management self-assess and report on the state of risk linked to top value creation and preservation objectives. Internal audit reports on the reliability of management’s risk management framework and reliability of management’s reports to the C-suite and board. I believe this delineation provides far greater clarity in terms of role than exists in many organizations today.

    In terms of how old the CEB report is, I think the fact many IA and ERM groups have not been involved with the top strategic objectives of their organizations is even more important in 2017 than it was in 2014. Institutional investors are calling on CEOs to outline their value creation strategies together with their assessment of risks to those strategies. In my LinkedIn posts I do indicate I don’t agree with CEB’s prescriptions to fix the problem.

  3. July 16, 2017 at 12:29 PM

    Norman, I suspect many internal audit departments are still using ‘Audit Programmes’ linked to their annual audit plans. Why else does ‘KnowledgeLeader’ exist?

    • Ronald Moyo
      July 17, 2017 at 12:36 AM

      Good day David, I fully support your view, however IA functions must establish their own dedicated thought leadership desk in order to keep abreast or to remain relevant to the organisation they serve.

  4. Ronald Moyo
    July 17, 2017 at 12:31 AM

    Great piece Norman, I like the perspective and all counter-clarity you outlined in your write up. I also like how you particularly magnify exactly what today and tomorrow’s modern IA and ERM practitioner must strive to do better. My input hinges exactly on your point that distinguishes IA and ERM on the basis that the first is independent while the latter is part of management. For me this may be the very perspective that requires more debate. I am of the view that ERM practitioners must also strive to execute their mandate with a reasonable degree of independence. I say this particularly recognising one of the best organisational management frameworks ever recommended for businesses to enhance their assurance and risk management capabilities, the famous Combined Assurance Model (CAM). Given the fact that the model seeks to identify and integrate all 1st, 2nd, and 3rd lines of defense (I take it, this is an organised combat on any aspects that may, or are perceived to, significantly derail the organisation from creating and preserving its stakeholder values), objectivity becomes a supreme requirement for each line of defense and independence also becomes a supreme requirement for the 2nd and 3rd lines of defense. I do not believe there is any reason why ERM practitioners must not execute their mandate in a similar independent fashion to IA practitioners. Secondly, most organisations have hardly implemented a C-suite structure for ERM practitioners, which in my opinion severely limits the capability and maturity of the ERM function. On the reasons IA are criticised for wrongfully excluding certain key strategic risks in their execution plan, my own experience and observation is that 1) IA functions continue to believe they are auditors and accountants first before they can transform themselves into business specialists relevant to the type of business their organisation is operating. 2) They have not hit the right nerve when it comes to doing all they must in order to understand the technical nature and strategic imperatives pursued by their organisation. 3) As a result of both 1 and 2, they have not found any relevance or justification to expand their IA teams (personnel mix) to identify and recruit technical specialists with skills and expertise that mirror their organisation. 4) They have not made any effort to establish and maintain a dedicated thought leader or a dedicated R&D to act as their lighthouse in navigating the environment within which their business operates. All the above factors will most likely better position the IA to be remarkably on top of their game when it matters. I do not concur with a view that the audit committee may ever support the IA to exclude any strategic risk from their plan unless the committee is reasonably satisfied that such risks are adequately addressed elsewhere. Due to a possible misinterpretation of their independence requirements, most IA practitioners keep a non-rewarding distance between themselves and management. For instance, when most executive management are undergoing some learning and development in certain specialised areas of their business, IA are hardly in attendance. Just my story and I’m sticking to it! Thanks again for the great initiative.
