As auditors, we all know that internal audit is uniquely positioned to understand where risks lie within an organization. But sometimes audit doesn’t get the opportunity to communicate the company’s risks to a broader audience beyond the audited entity. How does audit get the word out about how great they are at mitigating risk? How can audit foster a community centered on understanding risk within the organization? And how can audit be at the forefront of the strategy instead of another cog in the wheel?
Below are a few ideas to help internal audit build bridges between knowing, communicating, and fixing risk in a company.
Strategy #1: Market Internal Audit
Surprisingly, internal audit needs to toot its own horn. I worked for a large company whose Chief Audit Executive (CAE) was constantly working to keep the internal audit name at the forefront of conversation with executives. Acquiring a new company? Send audit to investigate the risks of purchasing. Need better risk awareness with management? Try a rotational program between groups. This CAE was always looking for ways to infiltrate the business with risk understanding and send auditors in to do the job. In other words, the CAE will be instrumental in how much audit’s name gets out to the company.
With the director on the front line, the audit team needs to support the director with processes in place to help define and mitigate risk.
Strategy #2: Use an Enterprise Risk Management (ERM) Framework
An ERM framework contains an expandable universe of risks that auditors can use to assess risk. Think of an ERM framework like a building with rooms of risk that are similar to what other companies have found useful to define risk. Different groups use ERM frameworks differently. If you haven’t used an ERM framework, check out how different companies use an ERM framework here, or here, and even here.
Being part of the front-line team that assesses and communicates risk sometimes places auditors as unintentional leaders in the risk management process. However, at this point, auditors have to gracefully bow out of the ownership process and let a management team take over and own the risk.
Strategy #3: Set Boundaries in the Risk Management Process
Defining boundaries between audit and management is necessary. Early on in the process, internal audit should communicate what they can do and where they’ll hop off the project. What can the business expect from audit? (Knowledge and experience on risk frameworks and mitigation strategies.) What is audit to do in risk management? (Internal audit consults, defines risks, and makes recommendations.) What can internal audit expect from the business? (The business reviews, interprets and implements risk management.) What is audit not going to do? (Fix or own the problem.)
The idea is that you make risk assessment recommendations that organizations can use as a springboard to fix their problems on their own. Your recommendations are not God-given – they are recommendations after all, not edicts. You may be able to provide management with some tools to fix the problem, but management is responsible for fixing the problem.
Strategy #4: Know Your Options for Mitigating Risk and Think Outside the Box
I’m a huge believer in, “Where there’s a will, there’s a way.” Here are four quick-and-dirty strategies to remember to mitigate risk:
- Avoid. Exit the business, cancel the project, or establish procedures to avoid high-risk situations. Avoidance is an option, but it might be too safe or allow too little room for growth.
- Accept. Any product comes with a risk, but when the failure rate is low, you can accept the risk.
- Reduce. Use risk prioritization tools, improve accuracy with controls, or limit high risks to an acceptable level.
- Transfer. Change contract terms, give up some control over a product, or purchase insurance.
This brief synopsis may spark an idea for how to solve a current or future problem. By profession (or maybe by design), auditors are pretty risk-averse people. With a little out-of-the-box thinking, risks can be mitigated and the company can continue to grow with risk in mind.
As a final word, just because you are part of the team that begins the risk management process doesn’t mean you have to own the entire project. After all, you and your audit group are still a consulting organization. You’ve understood risk for a long time. Now you get to communicate it to a broader audience.