Against the prevailing wind?

Tags

Internal Audit, internal audit function, internal auditor, internal auditors

I have been to the cinema to see the film Belle. So as not to spoil it for you, it is about a black lady and her role in British society in the 18th century and the challenges she faced. This is not just within a society that still tolerated the abomination of human slavery, but also one that was highly status and class-oriented.

The point that struck me about the film, and it is a good film all round, was the stand taken by Belle and her guardian, the then Lord Chief Justice, against slavery and the prevailing views of society at the time. I pondered whether this required extreme courage on the part of the Lord Chief Justice, and risked his professional status, standing and respect.

That then brought me back to being a CAE. I recalled how hard it has been in my career to take a view that prevails not just against an organisational and senior management view but also against the underlying professional view. I have done this is the past over health and safety, where I came up with what I thought made much more sense as a delivery model, splitting delivery of health and safety oversight from delivery, but leaving expertise in each camp.

I have also done so in less obvious and dramatic ways over all sorts of issues. I have believed in the assessments I have made, but not to the point that I think I have all of the answers, but more a belief that the challenge is of value of itself. The strong objectivity that internal audit has I often take for granted and don’t really understand why others cannot see things afresh.

I had a good example recently the other way that taught me how this happens. I was trying to explain my audit approach in plain English. A member of my team wrote an excellent paper, another reviewed it, I then attempted it again. A member of the management reviewed it and had a go, and just used a simple clear way to explain it. I was surprised at my inability to see beyond my audit technical bubble.

So if it is a natural thing for us to lose our own objectivity does this make, coming back to my original point, the CAE’s job to really, fundamentally, challenge, difficult? Yes, I think so. It is very difficult to take an alternative view, as humans I think we are naturally conflict avoidant; hence group think and other phenomena.

So should a CAE raise a challenge to convention, really go against the prevailing view in a fundamental way? Yes, definitely. It behoves a CAE to do this, because they are best placed to do it. I’ll let you into another secret, in a number of cases, when I have done it, I have not only made a lasting difference to my clients, but actually provided cover for others, of the same opinion, to have confidence to express it. Yes I have been proven wrong in cases, and I cannot foresee the future, but no organisation can truly say, working through a challenging opinion, responding and justifying it, is not of value in itself. For at the very least, it can make the status quo more justified and grounded in analysis and consideration, and that, for almost all organisations, is no bad thing.

Titanic risk management

I have been struck by all of the Titanic centenary memorials and programmes, much like the ship itself, out of my compartmentalised risk management thinking. It is not man’s natural state to risk manage, but have we really progressed so little that scenes from the Costa Concordia in 2012 could be quite happily spliced into footage of the Titanic film relating to 1912? Would I, if they had had internal audit in 1910-14 have raised the question about lifeboats and an effective ‘plan B’ if I were White Star or Harland and Woolff’s auditors?

Well I could do the internal auditor’s ‘told you so dance’ (one of the few and secret pleasures an internal auditor can take when clients do not act on advice), but this is not helpful. I would far rather see companies, organisations and leaders take a more risk managed approach to life and their businesses.

In most risk modelling an element of cost benefit is used. The auditor-perfect world will never be built as it is not cost-effective or competitive to do so. Indeed one could, coldly, take a view that the White Star Line and Harland and Woolff have not been killed off by Titanic. The White Star line was finally taken down by the Great Depression and the moving on of air travel and other technology, not Titanic. Harland and Woolff remain to this day. So their risk management was effective.

So is Titanic a lesson in better risk management? By today’s standards probably not. It is also a lesson for all risk managers in the overstated risk of repetitional damage though. I think it is much more a lesson in moral and ethical standards. Should it be ethical to put individuals in so much danger? After all ice was a reasonable risk at the time, indeed Titanic was warned on April 14th of ice in its path, the message never got to the bridge. Could two men looking into the dark be a reasonable risk mitigation strategy?

I think risk management must have an ethical dimension. When we read that 264 men were injured and 8 died in the construction of Titanic, we rightly, in the West, argue that things have moved on in the last century. Yet have they? We hear about the 1,000s of Chinese workers killed in industrial accidents each year and Apple’s factory suicide nets. Bankers’ decisions to effectively decide they are too big to fail and to make (the right as it turns out) commercial decision to anticipate the taxpayer to bail them out, strike an amoral and perhaps not within the spirit of company law, approach to risk taking and management. Perhaps risk management driven by purely commercial, business, factors is wrong. Risk management is moral and not just business risk.

Thus internal audit should not just be looking at narrow, compartmentalised, business risk but should be considering the ‘rightness’ of risks taken. Most boards I have met in my career are populated by individuals who want to do good and the best for the organisation and the normally, moral objectives of the organisations they serve. Perhaps it is the role of internal audit to push this agenda more.

When you see, hear and read about the lives and communities still affected by one ship sinking 100 years ago, the imperative to get better at managing the community and moral obligations within a lower risk appetite rather than pure commercial considerations becomes apparent. Perhaps this is the true lesson of risk management from the RMS Titanic at the bottom of the Atlantic?

Health and safety risk

This is something that has troubled me as an auditor for a while; the lack of integration of risk management and internal audit and health and safety risk and audit.

At a number of my clients I have dealt with health and safety officers. They invariably continue their work, in the main they are earnest, normally male, normally middle-aged or older and use the word hazard instead of risk. Similarly at my clients I have always been responsible for forming the opinion on the whole of risk, including health and safety risk. The UK is, I’m sure, in line with most countries in that boards and executives have increased legal responsibilities for the management of health and safety. This normally prompts a separate line in health and safety reporting to the board on health and safety issues, often bypassing the Audit Committee and going direct to the Board.

Why is this? Is health and safety not just another legislative, practical, business and financial risk as for any other?

This prompted me at my clients to be much more clear about my remit with regards health and safety. I am happy to audit it directly, or to provide assurance over the arrangements for health and safety; that is the process by which health and safety is risk assessed and assured.

Wherever I have audited health and safety directly I have generally found a shambles. Why? Well like most business risks general managers are not good at systematically managing risk, preferring, as for other business risks, to wait until they become issues and deal with them as and when. This is why incidents continue to occur. Even where intuitive actions take place, the systematic management of health and safety risk, such that an auditor such as myself could take comfort from it is rare. There are of course industries where the inherent health and safety risk is higher, hence they do systematise the management of it. Examples include the chemical and energy industries. Yet BP’s catastrophic failure in the Gulf of Mexico in the last few years suggests that even this enhanced approach is not adequate.

Then there is the health and safety industry itself, which is, I believe, fundamentally flawed. First most health and safety people straddle, in my experience, and unhelpfully a gap between management and audit. They do not have the discipline of being independent, objective and non-executive in the way that the internal audit profession does. They are often not well trained in risk-based audit and thus they focus on compliance and operational ticking. Yet really ‘wicked’ health and safety risks are cross-cutting in businesses. It is these risks that are often not picked up and dealt with on a timely basis. Management often have no ‘health and safety’ experts working for them (apart from the health and safety team which melts away to become ‘advisors’ only if it goes wrong. General managers may know their business but are not specialists. Management is also structured by silo’d structures in most organisations and thus a cross-cutting effort is not applied.

I have learnt therefore that the first audit at any new client is health and safety. Also that this will shake my confidence in the client. So when was the last time you audited health and safety?