20 September 2018

A Selection of Risk Management and Internal Audit Posts

Over the past year, I have posted a number of articles relating to Risk Management and/or Internal Audit. The objective of these has been to focus on the practical yet strategic, and not on individual risks or reporting standards. A selection of those articles includes:

  1. Strategic Audit or Strategic Auditing, and horror story
  2. Risk Geography and Waterfalls
  3. Delegations of Risk Authority
  4. Inherent and Residual Risk is Inadequate; What is the Appetite?
  5. What about your Target Risk?
  6. Single Points of Failure (SPOFs)
  7. Risk Quantification and Physics Envy
  8. Three Lines of Assurance
  9. Beyond Three Lines of Defence; Risk Management and Internal Audit
  10. After 22 years, InfoSec remains important
  11. The Importance of Emergency Lighting; a cautionary tale

Strategic Audit or Strategic Auditing. The ability to perform audits of strategy, or to perform strategic audits, is a critical element of successful Internal Audit. The willingness and ability to report the findings and recommendations requires courage; something too often lacking. I provide a specific example that I believe contributed to the fall of a very major financial services company.

In Risk Geography and Waterfalls I discuss a simple methodology to add to your suite of risk identification and assessment tools, and how the use of Waterfall diagrams can reduce the likelihood of missing important risks. We've used this to some success, and the direct linkage of risk identification to the critical income and expenses waterfall improves coverage. Bringing the right people to the table is facilitated by this methodology, further improving risk identification and assessment.

Delegations of Risk Authority: Too often we hear people say "We've accepted that risk" when what they really mean is "this is too hard; either I'm not able to explain it adequately, or I know remediation costs won't be approved, so I'm not going to try". Just as companies have Delegation of Financial Authority, so should there be a Delegation of Risk Authority. This article discusses this in more depth, and suggests a way forward.

Inherent and Residual Risk is Inadequate: What is the Appetite? Too often the practice of internal auditing, when performing risk assessments, looks at Inherent Risk (the level of risk before any remediation) and Residual Risk (the level of risk after remediation). This is inadequate and forgets one of the most important aspects of Risk: the Risk Appetite. Without understanding the agreed Risk Appetite, Internal Audit risks imposing its assumptions of what the Risk Appetite should be, not what Senior Management and the Board have agreed.

What about your Target Risk? Following on from assessing the Inherent and Residual risk levels, if you do not know what your target risk level is, you will not know if your controls are effective, you will not know if the investment in remediation is appropriate, and most of all, you will not know when you have reached a level of control that meets the Risk Appetite of Senior Management and the Board.

Single Points of Failure: While not a Risk Management or Internal Audit issue specifically, SPOFs (Single Points of Failure) are probably what will take the company down, at least for a short time. Yet these are also the area where you will probably see the most examples of "we've accepted that risk" from people with no authority to accept such risks.

Risk Quantification and Physics Envy: There is no question that the quantification of the potential negative (and positive) impact of the actualisation of a risk can help to clarify thinking, and support activities required to manage the risk. Yet quantification can also be a waste of time, and can be used to create rubbish results that masquerade as science. Poor quantification and simulation are easily as bad as or worse than poor subjective assessments.

Three Lines of Defence: The preferred model of various financial regulators, and one that has been embraced by the Institute of Internal Audit, provides a sound framework, as long as we recognise that all lines of defence provide assurance. These two articles address the importance of Assurance from all three lines, and the linkage between Risk Management and Internal Audit.

Three Lines of Assurance: It is time for a fundamental shift in the thinking about the concept of Three Lines of Defence and the value that Internal Audit and Risk Management deliver, and an equally fundamental shift in the role of management in the delivery of assurance and value creation. Over the past decade, the role of provider of assurance to the Board has been defined by the Internal Audit profession, and enshrined in the IIA's presentation of the Three Lines of Defence (TLD) model. That presentation of the TLD model and the associated assumption of who provides assurance undermines the responsibility of professionals across businesses, and presents an overt statement that management is not to be trusted. As such, it is time to review that model and introduce new thinking.

Beyond the Three Lines; Risk Management and Internal Audit: This article is focused on the relationship between two elements of the Three Lines; Risk Management (in theory 2nd line) and Internal Audit (the 3rd line). These two lines of defence provide Directors, the Board, shareholders and stakeholders with confidence that the system of internal controls is functioning effectively, that risks are being identified and managed, and where appropriate, accepted or assumed deliberately.

Meanwhile, some stories never get old, and those tend to be around the practical, head-shaking events that we remember, but that could well manifest themselves again.

22 years later, and InfoSec remains a problem. In fact, it is probably a much bigger problem. How to convince the IT Manager that he really needs to take security seriously? Sometimes it takes a practical lesson.

The importance of Emergency Lighting. Have you ever been in a situation where you were simply dumbstruck by the lack of thought that went into a potentially life-threatening situation?
