I have begun to think through how these two concepts interrelate. It is obvious that they must, as the three lines are a defence against risks’ crystallisation into issues within an organisation. Risk appetite is an organisation’s expression of how much risk it is prepared to tolerate, bear and take.
So, where do they interact? Most models of the three lines omit any conversation about risk appetite. The goal is to mitigate risk and prevent issues arising. Yet this is not the reality of organisations. Organisations clearly tolerate and deal with both risks and issues.
I have commented before on models of three lines, that is, taking the three lines of defence model from some theoretical statement of absolutes and the law, and recognising it is a model to simplify and help us understand the world of organisational risk and control. It is important to reiterate that it is not the law or a set of absolute requirements; it is just a theoretical model within which a set of real-life choices need to be taken and applied.
I see a number of choices that I have enumerated before on this blog, see Audit Methodology and Heterogeneous Auditing. You can characterise these by shapes across the three lines – ‘n’, ‘u’ and ‘v’. So the lines of defence can all be pitched at different points. The lesson for internal audit in my view is that this organisational choice (or how it operates even if not consciously chosen) of model matters. In other words, internal audit as the third line, whilst formally independent of the rest of the organisation is, in fact, not. It is a third line. It is one of (at least) three. It makes no sense, therefore, for internal audit to be weak and have a light touch audit programme where the second line is proportionately weaker. Weaker audit functions rely on strong, systematised, management controls. If that is not culturally or functionally in place then internal audit is not serving its clients properly.
There is another layer to this lesson-learning for internal audit, one that says that internal audit should be sited within a model of three lines that is organisationally appropriate. So I would expect a systematised and organised business, such as an airline, to have an ‘n’ shaped model. As a passenger I would want an organisation with strong systems and rules, strongly and completely policed by a second line, with the whole model assured by a proportionate independent third line. Yet for a complex and heterogeneous operation, say a university or an international development organisation, I would want a system that allows flex and variation, to take account of local circumstances and to allow innovation.
So we’ve identified that the type of the organisation’s business affects the three lines, and that this, in turn, changes the role of internal audit. So what about risk appetite? Broadly, the lower the appetite for risk, the more controlled you would want the business. This would incline you towards an ‘n’ shaped model: a strong set of designed, extensive and centrally policed rules, with lots of ‘quality assurance’ of the conformance type. So internal audit in this model would spend its time reviewing the system, the sausage machine. It would assume that, if the machine was well designed and operating, the resulting ‘sausages’ are good.
The usual scientific model of internal audit, of conformance and compliance, would be fine here. This would have an interesting consequential effect on the model of internal audit. People would perhaps need less complex subtlety and require less experience and fewer academic qualities. You could have fewer of them, using data analytics and machines to test the machine. Risk-based judgements would be fewer, as the risk judgements would be embedded into the machine. In reality you are less likely to attract the very best people, as the work would be less stimulating or interesting than policy work. The reporting would be more straightforward and less difficult to produce.
Compare this to a ‘u’ shaped model. You need bright, challenging, academic and thoughtful audit. You can have an almost completely risk-based plan – there’s little need for compliance work. This requires more flexible reporting, engagement, support and co-working with clients. The internal audit team would attract bright and enthusiastic people, the very best. Reporting would be complex, nuanced and take time. You would probably need a larger function overall to get suitable coverage of the heterogeneous portfolio.
So these models matter. They really matter to internal audit at its very soul and core.
Yet the world is more complex (as ever). Risk appetite varies by type of activity. So control over general activity is less likely to be as strong as, say, control over activity using complex financial instruments. HR controls may be weaker in some areas (say recruitment) and stronger in others (say people’s health and safety). So you have a complex picture of ‘n’s, ‘u’s, ‘v’s and any other shape you could imagine. As a consequence, internal audit is not simply big or small, scientific or socially scientific, compliance-based or risk-based.
Internal audit needs to interpret a complex, multilayered picture of models of three lines of defence. Any service that does not have a clear understanding of that picture, and then a clearly articulated response to it, is at risk of being misaligned to its task in my view. Do you?