Just a short post this week, but one that I hope draws on some contemporaneous events. Humans are bad at risk management. There. I’ve said it. Take the flooding in the UK. Suddenly we realise that we needed to do more. We’ve suddenly (despite climatologists saying it for years) identified that ‘extreme’ events are not so extreme. So after having let a risk crystallise into an issue, we’re prepared to do something about it.
Humans always allow risks to crystallise into issues. Why? I think it is because a risk is not seen as ‘real’ until it occurs. This is of course the antithesis of risk management. The whole idea is not to experience the issue in the first place.
Humans also think the absence of issues means the absence of risk. Look at the the way we put too little away for retirement, the way we drive beyond reasonable, the way we don’t prepare for extreme weather events. How many times have I, as an auditor, had the argument – ‘we manage risk, we just don’t write it down’. This is even said when risks have crystallised into issues. My response is usually, well if the risk management is so good (even though I can’t see any evidence of it) how come there are all of these issues?
So given humans are innately optimistic, poor at predicting the future, weak at expressing a real and meaningful risk appetite, should we give up on risk management? Well I think not. In a way, as the world, both in weather and business terms, becomes more volatile, we should increase and double our resolve to manage risk.
So what does that mean for internal audit? Well the risk based approach is a sensible one, as long as it is not used as an ever more elaborate excuse for being under resourced. For whilst no audit function can provide absolute assurance, we should provide, at least, reasonable assurance. I would say a majority of internal audit functions are resourced well below that level of capacity. But why is this? Well in my view it comes back to risk management. Humans will also resource risk mitigation activities once an issue has occurred.
The really good management colleagues and bosses I have worked for have seen the benefit of risk mitigation, not issue mitigation. They have really added value through tackling these items. Perhaps we as auditors should make a greater effort to really focus on long-away, non-proximate, risks in our plans and sell it consciously to our audit committees and management colleagues?