So I’ve been thinking about risk. Risk, as we all know, is uncertainty of outcome, which in a business sense is linked to the achievement of corporate objectives. For this simple model to work we need clear objectives and a clear understanding of the risks that flow from those objectives. Both are missing in most, if not all, corporate bodies. Why? I think because humans do not like to face the idea that not everything is possible, humans do not like having to make choices, and humans prefer to deal with issues (i.e. the here and now) rather than risks (which are far off).
I think it may be deeply ingrained in the way we are brought up. In films the seemingly impossible is always somehow miraculously achieved. At school we are taught that our first draft must be perfect. We like the idea of things being human scaled (i.e. we can understand the whole in one go, deal with the problem and solve it in a short period, and deliver our desired outcomes without hard work and long-term effort).
So I think the idea that we, or organisations, face long-term risk is difficult for us. We approve business cases and projects on the basis of assumed success. This will work. This will not be risky. Only a few organisations are really brave enough to do something really hard. Take Virgin’s space travel disaster this week; it will take some bravery to pioneer this kind of travel in the face of that disaster, much as the early pilots of the first aeroplanes did.
So I have spent time thinking about how internal audit really works in this environment – an environment where risk is needed to succeed, where an organisation runs towards risk. First, internal audit needs to lead the business in thinking about risk as neutral – risk can be either good or bad. What turns risk from one to the other is appetite or tolerance. This tolerance must, and should, vary – certainly within an overall portfolio structure.
So how does internal audit support risk-taking behaviour? I believe internal audit needs to move away from reports that are risk averse, where red or high-risk reports are seen as bad. Nonsense. Risk is risk. The value judgement over the risk depends on whether the organisation wants that process, area of the business or activity to be high risk. If it does, then red is good. If it does not, then red is bad. Clearly, if risk is very high overall at a corporate level, that would be bad; no governing body should sign off high overall risk to the organisation in its totality. (And how many audits really assess the risk of an entire organisation? That scope is simply not possible to deliver in a single piece of work.)
So internal audit is, for me, an independent risk assessment exercise, done in collaboration with the business but with independence from it. As an internal auditor I’ve spent every single day at work learning. As internal auditors we are always at the edge of our ignorance, yet using our cross-business view and breadth of coverage we have learned enough to add value to every audit I’ve delivered or commissioned. It is a chance for audit and the business to really face up to the risks in a business area or the scope of the review, so that both can think about how the risk can be mitigated further (if it is not already within the risk appetite of the organisation).
The other side of internal audit is to provide consultancy-type assurance reports – reports designed to think through a complex and messy risk world and provide a sensible set of suggestions to mitigate risk.
For internal audit and organisations to face and seek risk, risk-based internal audit needs to move away from looking only at high-risk items. Real risk is buried in the detail of organisations, not in the theoretical processes and controls we all imagine operate effectively to manage risk. Risk builds up in culture, practice, behaviour and organisational detail. So the traditional model (normally a risk universe) that prioritises and limits audit work by high gross risk (or, if you are lucky, some measure of net risk) is, in my view, unhelpful. Internal audit should have reasonable coverage to be able to delve into the organisation.
I was once challenged: why would you want to look at anything not at a strategic level? My response is to ask what is strategic. Sure, you can cover key organisational processes, and you can address some processes through data analytics and the like. Real risk, however, is in the detail of organisations, in the detail of complex reality on the ground, in the remote geographic and process areas of the business. It builds up in culture and in risk practice. So you need a blended and comprehensive approach to assuring risk in all of its messy complexity.
So do you have enough coverage to really, meaningfully, address and assure organisational risk? Do you really run towards risk and provide part of the organisational brakes that allow your client organisations to take on more?