We need both to get through life. But friendships are what make the difference between success and failure. Now, you may view this as a weak analogy for the relationship between risk and audit, but stick with me; the light will come on.
Stakeholders in risk management are critical to the effective and successful management of risk for any entity. Unfortunately, "success" is often misunderstood, especially under the "enterprise risk management" rubric. But as I have argued before, and will keep arguing, successful risk management is all about performance and mission accomplishment. And, yes, that includes complying with the expectations of third parties such as regulators and rating agencies, which are part of the external stakeholder group. If my premise is correct, where does internal audit fit into the success paradigm for risk management? Let's examine the relationship.
Internal auditors are typically viewed as corporate cops, looking for the mistakes or intentional malfeasance that occur with uneasy regularity in many quarters. At their core they are accountable for "control testing," usually for effectiveness, but hopefully also for efficiency. Their focus is, of course, much broader than this, but at the end of the day, the most common view of their core purpose is to ensure that controls are designed correctly to mitigate risk, albeit often small, expected and/or inconsequential risks when viewed in isolation.
Notwithstanding this view, I have always viewed the chief auditor as a key partner/stakeholder, with whom a strong relationship is critical to a risk manager's success. Consider, for example, the result for a risk manager if the auditor gave the C-suite or board a materially different perspective on a risk profile and current state of exposure.
While auditors typically have "risk reporting" accountability, particularly at board level, it is unlikely that the organization's "risk story" will be consistent without fundamental alignment between the auditor and the risk manager. Two different stories reaching the same board is not a good operating mode.
What about this relationship from an operational standpoint? Auditors, like progressive risk managers, spend the majority of their time reviewing, investigating, understanding and ideally, helping management do the right things for the ultimate success of the entity. In other words, the auditor focuses on ensuring that the entity meets or exceeds its objectives and that it delivers on its mission.
How often does management even think of auditors or, for that matter, risk managers, this way?
Too frequently, both are viewed as just the opposite: impediments to management getting the job done, naysayers, cops, doom-and-gloom guys. The guys who always say "no," who focus on what's done wrong and show no interest in helping management succeed. Not a reputation I'd want to have.
So auditors and risk managers need to be more than acquaintances; they need to be friends, with careful recognition of and respect for the independence that, in my opinion, both functions should have. That independence should not preclude alignment in message and functional mission; it should in fact drive both toward the ultimate success of the entity, i.e., mission accomplishment.
CHRIS MANDEL is president of Excellence in Risk Management LLC and executive vice president of rPM3 Solutions LLC. He is a long-time risk management leader and former president of RIMS.
August 22, 2012
Copyright © 2012 LRP Publications