Critical Role for the Chief Audit Executive: Aligning Risk Assessment
October 2008
When it comes to aligning risk assessment, the "risk intelligent" chief audit executive provides reassurance that management's reports are reliable, offers advice on improving risk mitigation, and implements value-added risk-management activities.
by Mark Layton and Neil M. Brown, Deloitte & Touche
Risk permeates virtually every aspect of our personal and professional lives. Yet people and organizations are slow to acknowledge potential calamity and quick to believe that bad things always happen to the other guy.

For businesses, this flawed perception can be quite dangerous. In today's environment, which is marked by intensifying competition, increasing scrutiny, and growing threats, a frank and realistic assessment of the true risks a company faces is more important than ever.
Enter the chief audit executive (CAE). CAEs have a unique opportunity to make significant improvements in the efficiency and effectiveness of their organizations' risk-management initiatives. In previous columns, we've discussed the various roles of the risk intelligent CAE, such as keeping the organization's risk/reward picture in balance, incorporating risk-management activities into the internal audit function, and bridging silos to promote the sharing of information across organizational boundaries, all of which, in combination, can boost a company's risk-management capabilities.

This column addresses yet another critical role for the CAE: aligning risk assessment.
Aligning Risk Assessment
The traditional internal audit risk assessment starts with a blank sheet of paper as processes, systems, and individual entities are evaluated. In keeping with this typical approach, internal auditors audit those risks with the highest impact and probability of occurrence. Often, no distinction is made between inherent risk (the risk that exists before mitigation and controls are introduced) and residual risk (the risk that remains after mitigation and controls are implemented).

Furthermore, while vulnerability is certainly considered, too much weight is usually given to probability. Probability models work well when dealing with events that regularly occur, and for which reams of data have been compiled. But when dealing with more uncertain events—situations that have never occurred or perhaps can't even be imagined—probability should be subordinate to the notion of vulnerability.
Therefore, the risk intelligent enterprise adopts a different tack. In a risk intelligent organization, management also takes responsibility for:
- Assessing inherent risks—even those that are high impact, yet low probability.
- Evaluating the effectiveness of existing risk mitigation and controls.
- Determining residual risk.
- Deciding whether the risk exposure is within the appetite of the enterprise and further mitigating the risk, if necessary.
- Providing reasonable assurance to the board that the controls are both effective and efficient.
If the risk exposure is not within the corporate appetite, it's internal audit's responsibility to advise management on how risk mitigation and control might be improved.
Value-Added Risk-Assessment Activities
In addition, the risk intelligent CAE can lead a number of value-added risk-assessment activities. These include providing reassurance to management and the board that:
- Key risks that affect both value preservation and value creation have been identified.
- Different scenarios have been assessed and stress-tested.
- Inherent versus residual risk has been reliably assessed.
- Residual risk appears to be within the risk appetite of the company.
- Controls are both effective and efficient.
- Management's reports can be relied on.
What's Your Risk Intelligence Quotient?
To determine if their current risk-assessment models are risk intelligent, CAEs should ask themselves the following questions:
- Are we speaking the language of management?
- Are we assessing risks to future growth, or are we focused exclusively on the protection of existing assets?
- Are we assessing risks in isolation, or are we looking at how these risks may interact and cascade?
- Is there a uniform framework to align the various risk specializations regarding governance, risk, and compliance assessments, which will allow us to reduce the cost burden on the business?
- Do existing risk assessments reliably and adequately assess inherent and residual risk exposures?
- Do we have the means to assess whether residual exposures are within the risk appetite of the company?
- Is there a robust risk-mitigation process?
CAEs can play a unique and important role in the risk intelligent enterprise. While recognizing that management and the board are responsible and accountable for risk, CAEs should provide both guidance and reassurance that risk is being properly and efficiently managed.
Neil Brown is a partner in the Enterprise Risk Services practice at Deloitte Canada. He can be reached at 416-643-8414 or at neibrown@deloitte.ca.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. This article does not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.