Here’s an interesting question. What is risk? Risk to what? I’ve always taken business risk to mean risk to an organisation’s objectives: the risk that opportunities and actions in pursuit of those objectives are not taken, and the risk that the actions which are taken do not secure the achievement of those objectives. The UK Government’s definition, via HM Treasury’s Orange Book, is:
‘uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. It is the combination of likelihood and impact, including perceived importance.’
The real question is that of the boundary: risks to what, exactly? The Orange Book makes clear that this flows from an organisation’s objectives. It also makes clear that the public sector has more complex, public-good objectives. I wonder whether the confusion over the boundary arises when a government department has a policy role, i.e. when it is making policy for the country and the public as a whole. Does the risk boundary then fail to distinguish between this wider remit and the narrower business plan remit?
It is tempting, then, for risk management in a government context to become the management of risk to the country as a whole. This, however, makes risk management in an organisational setting much more problematic, for no country or government has the power or the risk management capacity to really manage the world’s risks. I would suggest, therefore, that it would be appropriate to partition a risk management system between managing the macro risk (be it political, economic, etc.) and the government’s business plan for dealing with that risk. That way, organisationally, you can exercise the organisation’s risk management system to manage organisational risk, a task it is better suited to and more capable of doing. As long as the macro risks are mapped to the micro elements of the system, this would then work, I think.
The other relevant risk boundary question for us as internal auditors is that of our ability to manage them. This is an old chestnut as far as my blog is concerned and one I have thought about a few times. For the cry goes up from the audited business that internal audit does not have the skills to really understand business risk. As soon as we begin to ask genuinely risk-based audit questions, this becomes difficult, and becomes a matter of professional challenge to those being audited. So how can internal audit really challenge an experienced HR, IT, estates, music, food, international development, surveying or whatever other professional and ask meaningful questions?
One answer is to tool up internal audit departments with those professionals and then train them to audit. This, I think, makes sense for the core elements of the client’s business. In my current role it makes sense for me to have a range of guest auditors from the business who really understand the business and can bring this context-dependent information to their work. Taken too far, however, this is not helpful. First, it signals that internal audit is not a worthy skill set in the first place, something I do not agree with. Second, it makes internal audit no more than a management self-review: whither objectivity and independence? In other words, where is the context-independent knowledge, the ‘strong objectivity’, to ask the really difficult questions outside of professional and organisational groupthink?
There is, however, a need for internal audit not to seem two-dimensional and a poor reflection of the professions it audits. I do not buy the idea that internal audit can audit anything per se. That argument is normally grounded in the idea that you can audit process: so audit the rules (which management set because they know what they are doing professionally).
This is, simply, not risk based. For what if the rules are rubbish? What if the management decisions and the frameworks of control and delivery don’t really mitigate risk? In this model audit is just a compliance police. It is not risk based, not thinking, not rewarding for the internal auditor and, most importantly, not risk based for IA standards purposes. More than this, the world is social, and most business operations need to be looked at beyond the rules if a truly risk-based opinion is to be formed. They need to be looked at, with professional judgement, to ask whether the rules are the right ones, i.e. are we doing the right things? Much more than this, lots of businesses and their operations are simply not prone to systematised controls. This is true of governments. Their work is, in the main, heterogeneous, not systematised, complex, social, political and difficult. Simple rules do not apply.
So how can internal audit be credible in this world, pushed by stakeholder expectations to be omni-competent, yet challenged by the business for being two-dimensional, crass and uncomprehending? Well, I think first that internal auditors the world over need to be better. They need to be brighter, more intelligent, the very best thinkers. In short, they need to be consultants, and of consultancy standard. This requires better pay, and better marketing to the brightest and best of our youth. The profession needs to be clear about what good internal audit is to its recruits. It’s not finance, not a shadow of accounting, not pseudo-consultancy; it’s the very best of all of these. It is risk analysts and business consultants using context-dependent and context-independent knowledge to engage with managers in a peer-to-peer conversation about risk.
Where I have had the engagement of a management leader (and the very best leaders, in my view, do engage), an audit is able to really challenge, not in a win-lose way but in a conversation. It can really move a department, process, culture or activity forward. All good businesses need excellent internal audit. We are the disruptive influence that promotes growth and change.
So does this mean internal audit can audit anything? Of course. But not in the facile, compliance or process manner that some mean it in. It is through acting more like organisational consultants, something that, in my view, very few internal audit functions are really up to. As CAEs we really need to ask ourselves: are our teams really able to do this? Do we have the breadth and depth of skills to do this work? If not, document what you have and fill the gaps. For the time is coming when someone will ask: what does internal audit really contribute? If the answer is just low-level compliance and checking, and not fundamental challenge and consultancy-style work, then you should be concerned.