How do you audit risk management?

You can’t audit what you don’t understand.

That doesn’t mean you have to be an expert with years of experience as a risk practitioner.

But you have to know enough about risk management to be able to assess whether it is effective.

What does “effective” mean?

It means, in my opinion, that it meets the needs of the organization.

Unfortunately, too many see it as about managing or mitigating the downside of risk, rather than knowing how much risk to take. They use risk registers and heat maps and call that effective risk management. It’s not. These are not tools that help people make informed and intelligent decisions that enable the achievement of enterprise objectives.

Any assessment of risk management has to be broader and more useful to leaders of the organization.

If you pass the IIA’s exam and hold a Certification in Risk Management Assurance (CRMA), a certification I hold, does that mean you have the knowledge you need to audit risk management?

Certainly not. Many have those initials after their name but don’t have more than rudimentary knowledge.

How do you gain sufficient knowledge?

There are good books on the topic (of course, I recommend my own: World Class Risk Management, Risk Management in Plain English, and Risk Management for Success). Others can add their favorites in the comments.

A number of organizations offer training on risk management. But be careful to sign up only for classes that discuss both downside risks and upside opportunities. (ISO 31000 includes both the upside and downside effects of uncertainty in its definition of risk.) Too many teach and practice risk management as the mitigation of the downside of risk, rather than as how to make informed and intelligent decisions and take the right level of risk.

You can also engage an expert to partner with you on the audit. That is what I did when we needed to audit the use of derivatives at Tosco Corporation.

One of the experts you might consider engaging is my friend, Alexei Sidorenko.

He has shared with us a free guide to auditing risk management.

In my opinion, it is well worth downloading and can be a helpful guide.

Is it complete? No. How can it be?

Effective risk management needs to be practiced in every nook and cranny of the organization, with a focus on enabling the decisions that matter and addressing the more significant risks (and risk includes “opportunities”) to the achievement of enterprise objectives.

Risk management should include how objectives and strategies are set, as well as how the organization executes to achieve them. Every decision relies on understanding what might happen (my preferred definition of risk) under each scenario.

It includes not only avoiding harms, but also seizing opportunities – making the right business decision. Sometimes, it is right to take more downside risk to gain upside potential.

It is not about the activities of any risk office. It is about the activities of every decision-maker.

An audit that seeks to provide an opinion on the effectiveness of risk management would be a major endeavor. It’s almost like assessing whether the system of internal control of the organization is effective, given that risk is both created and treated in every decision – both strategic and tactical.

We break down audits of internal control into manageable chunks. Each audit addresses one or more small pieces.

Do the same with risk management. Break it down into manageable chunks, such as:

  • risk reporting to and discussion by the board
  • supply chain risk management
  • inventory risk management
  • safety risk management for the Liverpool plant
  • competitor risk management
  • major project risk management
  • quality risk management in Guadalajara.

Identify the possible engagements and risk rank them (the risk to enterprise objectives if risk management is poor, combined with the likelihood that the risk management is insufficient).

I haven’t written a book on the topic, although I might take on the massive project at a later date.

But I have provided a road map, especially in Risk Management for Success.

My advice to anybody wanting to audit risk management is to use the maturity model in the book. It is extensive.

I am a big fan of using maturity models in auditing topics like this, as the opinion will then be on where the organization sits on the maturity scale rather than a binary judgment of whether risk management is effective or not.

I welcome your thoughts.

  1. April 17, 2023 at 7:31 AM

    Thank you, Norman. I find that at least one person on the audit team must be a risk management and risk modelling expert to audit risk management.

  2. djallc
    April 17, 2023 at 7:35 AM

    “It is not about the activities of any risk office. It is about the activities of every decision-maker.” This is a great truth I believe most internal auditors, and maybe many risk managers, miss.

    The corollary is that an audit of internal controls is merely a scope-shackled audit of addressing risk related to decisions.

  3. GSosbee
    April 17, 2023 at 7:44 AM

    Very good article, Norman. Too often either the wrong issue is the focus or they seize on the right issue but do not know where to go with it. The result, in either case, is wasted time for all involved attempting to understand the issue and then explaining it to the audit team.

  4. Tom Easthope
    April 17, 2023 at 8:25 AM

    Thought-provoking as usual, Norman.

  5. David Michael
    April 17, 2023 at 2:25 PM

    The definition of effectiveness needs improvement. I suggest it may be improved by adding needs of ‘the organisation and primary stakeholders’. That is, not just the organisation. And needs could be enhanced by adding something about success in meeting needs. For example, meeting the critical needs or 95% of needs.

  6. Chris Carlson
    April 17, 2023 at 7:28 PM

    I recommend you become knowledgeable about Open FAIR. Available at no cost from The Open Group.

    • Norman Marks
      April 18, 2023 at 4:29 AM

      Chris, thank you for the reference. I was familiar with FAIR, but not this guide.

      Unfortunately, it fails for the same reasons as FAIR itself – which are described in “Understanding the Business Risk that is Cyber: A guide for both business executives and InfoSec managers to bridge the gap” (available on Amazon). It does not express risk in business terms and is only about the downside.

  7. April 18, 2023 at 1:56 AM

    Book Suggestion: Try the Failure of Risk Management by Douglass Hubbard.

    • Norman Marks
      May 1, 2023 at 6:10 AM

      I had the pleasure of meeting Doug last week. I think it’s fair to say we don’t disagree on risk management. I approach it from the perspective of the executives and the board, and how they decide how much to invest in addressing any risk or uncertainty. He is much more involved in the sophisticated modeling of uncertainty.

      If you are charged with risk quantification or modeling, his book should be excellent.

      If you are charged with helping management and the board make quality decisions, I think my books are more appropriate.

  8. John Fraser
    May 1, 2023 at 5:59 AM

    Norman, the simplest way to audit enterprise risk management is to assess the following:
    What risk criteria are they using, and how, to ensure a consistent understanding of risk sources across the organization in order to prioritize risk sources and resource allocation?
    How are they having meaningful conversations (e.g. via risk workshops) about risks?
    Not much point going further unless these two processes are robust and working well.

  9. The Quality Manager
    May 7, 2023 at 4:40 AM

    Thanks for the thought-provoking read, Norman.
    I thought I was well versed in risk management until last week. I was interviewing a candidate for a role, and they replied to a question on risk management; the reply has had my brain on overdrive ever since.
    The candidate explained that they conduct full 8D and root cause analysis on processes that are going well, then flow the lessons out to the business to minimise risk elsewhere.
    As you say, most of us concentrate on the negatives when it comes to risk… flipping it on its head is a game changer!
