Article by Hanief Mohamed
Compliance, Quality and Continuous Improvement: Johnson Controls
Declaration: Statements made in this article are the personal views of the author and do not necessarily represent the Company’s views.
Risk is a necessary part of human life and affects every aspect of it. We live with it every day and learn to manage its influence on our lives. In most cases this is done as an unstructured activity, based on common sense, relevant knowledge, experience and instinct. The management of risk is innate in human nature as we strive to continuously improve our conditions. On a daily basis we make decisions under uncertainty, with imperfect information, and incorporate elements of risk management into the process. Our minds constantly assess risks as we drive our cars, pay our bills, cross the road, consider home security measures, plan for the future, plan for our health and plan for our children’s future. In each of these instances, the mind calculates the risks associated with the activity, quantifies the risk, and then compels us to make a decision based on this assessment. We are therefore constantly engaged in risk management.
It can be said that though we may not apply structured educational methods in the way we conduct most of our affairs as explained above, our conduct is essentially a microcosm of the functioning of society’s broader economic and commercial activity. Planning, decision-making and choosing amongst alternatives is inherent and pervasive in economic and commercial activity and this occurs under conditions of uncertainty and with imperfect information at our disposal. Any plan of action, decision or choice thus made, whether at the strategic or operational level, incorporates an element of risk and automatically triggers our risk management response.
In the corporate world, boards of directors typically oversee strategy, approve corporate policies and plans, approve material capital expenditures and transactions, select executives and compensate them, monitor performance, plan for succession, ensure the integrity of financial disclosures and provide oversight of compliance with applicable laws and regulations. Though this list of responsibilities is by no means exhaustive and is rather long, each item requires the making of decisions under uncertainty and with imperfect information, and essentially all its elements fall under a single umbrella phrase: risk management. As risk management has always been a part of human life, so too, since the beginnings of commercial activity, has it always been a part of the management of organisations, even if not formally acknowledged. Risk management is now universally acknowledged to be part of real management life and has evolved into a cornerstone of modern-day corporate governance.
“There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction.” Though this statement by twentieth century US president John F. Kennedy captures the essence of the importance of risk and its effective management, risk management is not a new phenomenon.
The first insurance against the misfortune of loss of cargo by shipwreck had its origin in the Hammurabi Code, promulgated in Babylonia in about 1850 BC. In the framework of that Code an entrepreneur could purchase and equip a ship and repay the loan with interest only if the ship returned safely; otherwise the loan was forgiven. The sea loan, as it was known, is an example of a debt instrument used to finance maritime commerce. It incorporated a package of contracts including a debt contract and an insurance contract. Though it was an imperfect attempt to separate the casualty risk from the business or credit risk, the sea loan represented an exchange of risk which features in present-day commerce as a key risk management strategy.
Credit risk (as distinct from one of the embedded components of the Babylonian sea loan) is the oldest form of risk in the financial markets and is as old as lending itself, dating as far back as 1800 BC, and it has remained essentially unchanged since its ancient Egyptian origins. Now as then, there is always the uncertainty as to whether any given borrower will repay a particular loan.
Insurance companies as we know them today came to prominence in and rapidly dominated much of the eighteenth century’s commercial activity. In 1752 Benjamin Franklin founded, in the USA, a fire insurance company called First American. Across the Atlantic The Society of Lloyd’s of London was established in 1771 when several English businessmen combined their resources to insure their clients against potential losses when involved in sea transportation enterprises, and began what is known today as maritime insurance.
The twentieth century, however, witnessed the development of probability theory as a concept in management science and with it the birth of formal risk management. The focus was initially predominantly on investment and project risk management. Project risk management developed rapidly throughout the 1970s, firstly in relation to quantitative assessment and then to methodologies.
The 1980s was characterised by quantitative analyses of just about everything, and saw project risk management applications essentially focussing on time- and cost-saving objectives. The use of methods based on risk-and-response diagrams which graphically depicted the trade-offs, also featured prominently during this decade. These methods were based on the notion that it was not possible to model a risk situation realistically without taking into account possible responses.
Some important principles established in the 1980s retained their usefulness into the 1990s. The use of questionnaires and checklists was extensively developed in the 1990s, and ongoing development has led to the concept of knowledge-based systems.
The advent of the twenty-first century has witnessed a shift of focus away from quantitative risk analysis to the current emphasis on understanding and improving entity-wide risk management processes, commonly referred to as Enterprise-wide Risk Management (ERM).
Risk management undoubtedly remains an important function of business management and has been present since the beginnings of commercial activity. Historically, organisations have looked at risk management in a somewhat fragmented way, though its consideration was always present. The benefits that effective risk management practices generate are often unseen, while the costs are all too visible. Organisations today are opting for a much more holistic approach. Those at the forefront of risk management now have risk committees chaired by a board member, and also have a Chief Risk Officer (CRO) with overall responsibility for risk across the organisation.
Organisations, whether incorporated for profit or not, exist to create value for their stakeholders. As such, regardless of size, structure, nature or industry, all encounter uncertainty at all levels of their business activities. An uncertainty could manifest itself as an opportunity or as a risk. When value is created it must be preserved and grown. Uncertainty has the potential to prevent or support value creation, or to erode or enhance existing value.
Effective risk management enables management to effectively deal with uncertainty and the associated risks and opportunities, thus enhancing the capacity to build and retain value. An enterprise-wide approach to risk management enables an organisation to consider the potential impact of risks on all processes, activities, stakeholders, products and services. Organisations are under pressure to identify all the business risks they face – social, ethical, environmental, as well as financial and operational – and to explain how they manage them to an acceptable level. Regulatory and economic pressures are forcing organisations to do a more thorough job when conducting enterprise-wide risk assessments, pursuing strategic opportunities in a risk-effective manner, increasing the effectiveness of risk-mitigation efforts, and focusing on a more holistic approach to risk management.
The challenge for management though, is to determine how much uncertainty to accept as it strives to grow stakeholder value. Thus, for risk management to be effective it is crucial that risk management strategies are embedded in the organisation’s activities at both the strategic and operational levels. The embedding of risk management within business processes requires the identification and evaluation of all significant risks and the development of an appropriate management strategy. The use of a “bottom up” approach to embedding risk management requires preliminary assessments to be performed by junior “risk identification” teams, with follow-up “risk evaluation” by more senior teams. Alternatively, control self-assessment (CSA) can be used to identify risks, by making use of questionnaires or workshops that are often facilitated by internal audit. CSA can provide a “tool-kit” for helping management to understand the risk management mindset and to become involved in the process. Workshops can be effective in bringing out key risks and how they should be assessed and managed, but only if there is free-flow of information and debate. Risk prioritisation usually involves using a matrix of probability of occurrence and associated potential damage, and classifying risks as high, low or medium, through a traffic light system.
A common framework of concepts and language specific to risk is the hallmark of modern risk management. In sharing a common language and standard definitions, managers from all disciplines are able to discuss and contribute knowledge to help them manage in an uncertain environment. Some organisations use workshops to improve consistency in risk management language and familiarity with risk prioritisation criteria in use across the organisation. The search for consistency and a common language is made easier if workshops are facilitated by risk managers familiar with the fullest extent of the business. The chief risk manager should give informational presentations to line management in order to promote further discussion (and discover current concerns) and to clarify thinking about risk, using corporate models familiar to all, for reference.
Once systems for the identification of risk and prioritisation of responses have been designed, a centralised risk register is typically established to ensure that risk management is carried out comprehensively and consistently, and that issues and implications are appreciated by all. Risks are usually correlated so that one adverse event may result in the immediate recognition of other risks. The risk management system must be capable of responding to continuous change, by addressing new risks as they emerge and reassessing the potential impact of other risks.
Continuous education encourages staff at all levels to think constantly about risk when planning, monitoring and reviewing activities. Ultimately, the key to a successful process for identifying and assessing risks lies in the quality of staff. Thus the recruitment policy is the first point of control in risk management.
It is imperative that boards accept responsibility for setting the risk management agenda and for putting into operation an effective system that addresses the significant risks facing the organisation, all in a manner appropriate to its risk appetite. However, while ultimate responsibility for risk management rests with boards, they require support from functions with organisation-wide presence and reach such as internal audit, to be able to report comprehensively on risk management and on the material risks facing the organisation.
Imagine yourself behind the wheel of the vehicle leading the pack in the Paris-to-Dakar rally. At the extreme speed required to maintain your lead, you suddenly encounter a sharp bend. With your heart racing and subconscious mental processes kicking in, all energies are suddenly directed to keeping your car on the road. In an instant you have to reduce speed and apply all your skills to keep the cars behind from ramming you while simultaneously avoiding the trees and spectators on either side of the track. You are lucky this time: you make it. As you pick up speed again to re-establish your lead, your co-driver looks in his rear-view mirror and lets you know that you have just made a sharp turn. Well, we can all imagine your reaction.
Imagine now that at the extreme speed needed to maintain your lead, your co-driver, looking at his map, alerts you to the imminent arrival of a sharp bend to the right, about 200 metres away. You have sufficient time to reduce your speed appropriately, gear down and make the turn calmly, all the while maintaining your lead. You now also have a better chance of increasing your lead. Your envelope of concern remains more to the front and sides: those cars behind you are not an imminent threat. You can better assess your response to the upcoming turn, and how to avoid ramming into the trees to your side. You are also alert for anything that might appear in front of you without warning.
Imagine further that you are the CEO and your co-driver is the chief audit executive (CAE) and that you have to choose between the two co-drivers described above: well, as the saying goes, ‘You do the math’.
Being able to perform the job with proficiency and due professional care are cardinal requirements of internal auditors. The internal audit profession has evolved from an accounting-based profession to an interdisciplinary management-oriented profession with a continuous focus on risk. Internal auditors need to be as confident discussing business risks and ways of managing them, as they are in discussing controls and carrying out audits of operational and financial processes. In addition to possessing competency as professional auditors, the internal audit departments now also need internal auditors who have been trained as business professionals, changing the function from being control-focussed to being risk-focussed in the performance of audit work. Internal auditors need to embrace this change in their role if they are to continue delivering value-added services to their organisations.
Risk-based auditing requires a broadening of the perspective of internal auditing to include mastery of all risk management techniques in addition to those dealing with control activities. Such an approach will give internal audit the added vehicle for examining the business’ processes for excessive controls and will allow the auditor the opportunity and authority to recommend fewer controls, as outdated and no longer efficient methods are identified through risk-based auditing, and terminated.
The internal audit function that ventures into building links with risk management creates immense opportunities for itself and management through the aligning of the audit universe and the audit plan with the organisation’s strategic objectives and operational plans.
Both internal audit and risk management have a shared objective, that of contributing to the achievement of organisational objectives. Whilst there is congruence of end objectives, their roles are not identical as the two functions consider risk from different starting points. The risk management function focuses on the process of identification and management of risk whilst the internal audit function has an oversight role, focussing on the robustness of that process.
Recent research suggests that CAEs worldwide struggle to complete the annual internal audit plan – only 21% having indicated success (African Journal of Business Management, 3(13):959-968). The internal audit function is furthermore tasked with a high percentage of ad hoc management requests, which could be a symptom that the annual internal audit plan does not focus on the crucial issues identified by management. Given that risk management functions interact with internal auditing, internal control and governance structures, the joining of forces between risk management and internal audit for the purpose of achieving a common objective holds immense advantages. The overwhelmingly apparent advantage of an effective interface is that it provides a single total framework for improving the internal audit function and, by implication, the added value of the services it provides to the organisation.
Potential benefits to be derived from having an effective interface between the risk management function and the internal audit function, whilst still maintaining the independence and objectivity of the internal audit function, include:
Risk management principles must be integrated into the overall management and governance processes. The establishment of a risk committee overseeing a risk management group that comprises specialists from diverse backgrounds that counsel operational management about risk is crucial to the effective governance of risk. Frequent and scheduled discussions of risk between the audit committee and the risk committee should take place. Such discussions would provide an environment for creating a common framework and language about risk and would grant the CAE ready access to critical information on risk early in the strategic planning process. It might be desirable for the CAE to be a member of the risk committee.
Information from the strategic planning group provides the organisation’s business objectives, identifies its key processes and its business risks and opportunities. It is crucial for the CAE to have access to this information in order to function effectively in audit planning.
Effective governance characterized by a continuous focus on risk would furthermore contribute to creating a risk-conscious culture. As members of the organization become aware of what leaders and powerful organizational members pay attention to, what they measure and control, and how they react to critical incidents and organizational crises, their norms and beliefs become shared and embedded within the organization.
Most organisations have vision and mission statements that set out what the organisation wants to achieve. Within the context of an entity’s established mission and vision statements, management establishes strategic objectives, selects strategies for the achievement of the objectives, and sets aligned objectives cascading through the organisation that are also consistent with the organisation’s risk appetite, i.e. a high-level view of how much risk the board and management are willing to accept. In setting the strategy for achieving its strategic objectives, management considers risks relative to alternative strategies, as a preferred strategy may in fact have a higher or lower risk than an initially less favoured alternative.
The strategic plan, having been assessed from a risk exposure point of view, provides an overview of the organisation’s business objectives and how those objectives will be achieved. In order for internal auditing to contribute its maximum value to the organisation, internal audit’s efforts need to mirror the strategic and operational plans.
The strategic plan is translated into an audit universe by focusing on key assets, projects and processes that support the strategic objectives. These key elements are the basis for the auditable units contained in the audit universe.
The annual business plan can be viewed as a subset of the strategic plan and is developed to meet operational needs. The interface between the audit universe and the strategic planning phase is cascaded into the annual business planning process, serving as a major driver of the annual audit planning process. Thus, the annual audit plan should address the equivalent topics from the audit universe, in order to support the annual business plan.
The natural flow of business objectives and goals exists through the annual business planning process and further down to work unit goals and objectives, so that the organization remains focused and coherent throughout. If goals are not linked, work units risk working at cross-purposes, and overall organizational goals may be threatened. Risks identified at the audit planning level therefore should be linked to the risks identified at the strategic planning level. If a mismatch occurs, there may be a flaw in the risk identification process at either level. Feedback on goals and risk alignment is therefore critical to keep the system focused.
A requirement of effective risk management is that it should be applied continuously, as new risks emerge almost daily. The risk management framework should thus be reviewed on a regular basis, at least quarterly. In order for the annual audit plan to remain risk-focused, such a review necessitates a review of the annual audit plan as well. The review should be based on a current assessment of business risks and management concerns regarding the need to ensure proper management of risk exposures.
Using business risk to determine when and where auditors need to go, and the periodic review of this information throughout the year, makes the need for an audit cycle redundant. With the annual audit plan being continually focused on risk, a particular function or department is audited when its risk profile makes it due, using a risk-based approach, and not because of its position in an arbitrarily determined audit cycle.
Controls in and of themselves do not necessarily guarantee success. The business process therefore should be evaluated in an environment of risk and not necessarily in a system of control. If the auditor focuses on risk, the audit is more likely to address a full range of issues that concern management. The auditor should identify the risks and test the ways in which management mitigates these risks. The majority of risk mitigation techniques will still involve controls; however, the audit will test how well these risks are being managed rather than whether the controls are adequate and effective.
Control activities are only one of a number of methods that can be used to mitigate risk. Risk management techniques also include changing the operation to avoid risk, and sharing or transferring the risk through contractual arrangements. In many cases, these may be more cost-effective means of managing the risk than applying yet more controls. There should therefore be a logical progression from the organisation’s mission to the individual audit test performed. This requires that the audit test objective be related to the risk faced by the auditable unit in its effort to meet its established objectives. The audit tests are then linked to support the audit objective.
Internal audit can be viewed as the other side of the risk coin. An effective interface between internal audit and risk management requires the participation of both in the determination and understanding of strategic risk. Such participation enables the audit universe to be derived from the strategic plan and not merely be related to it. Similarly, the annual audit plan is derived in such a way so as to support the annual business plan while still remaining risk focused. A shift in focus from control to risk at the audit unit level will reap benefits in that it will reduce audit friction and increase audit communication, both of which improve audit efficiency and effectiveness.