Recently, the world’s largest ongoing study of the internal audit profession—the Global Internal Audit Common Body of Knowledge (CBOK)—was completed by the Institute of Internal Auditors (IIA) and Protiviti to ascertain expectations from key stakeholders regarding internal audit performance at organizations of varying operational models and sizes. The study sought input from members of audit committees all over the world about their expectations of the internal auditor’s role in the organization. We think all directors will find the results of the study applicable to their work in the coming year and beyond.
Below are six imperatives for internal auditors from the CBOK study based on feedback from audit committee members.
1. Focus more on strategic risks. According to the CBOK study, two out of three board members believe internal audit should have a more active role in evaluating the organization’s strategic risks. Study respondents indicated that internal audit should focus on strategic risks (as well as operational, financial and compliance risks) during audit projects (86 percent) and periodically evaluate and communicate key risks to the board and executive management (76 percent). Accordingly, chief audit executives (CAEs) must focus their function sufficiently on the bigger picture to think more strategically when evaluating risks, proposing risk-based audit plans, and formulating audit findings. By understanding the organization’s business objectives and strategy, and identifying risks that create barriers to the organization achieving its objectives and executing its strategy successfully, the CAE increases internal audit’s value proposition.
2. Think beyond the scope. The call for internal auditors to think strategically leads to another challenge: thinking beyond the scope of the audit plan. Thinking beyond scope means, for example, that the auditor should:
“Connect the dots” when considering enterprisewide implications of the findings of multiple audits, particularly findings with significant business model underpinnings;
Broaden the focus on operations, compliance, and nonfinancial reporting issues; and
Watch for patterns or signs indicating a deteriorating risk culture.
By focusing more broadly on the implications of audit findings, and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical, and harder-hitting recommendations aligned with what directors are seeking.
3. Add more value through consulting. In today’s era of slower economic growth, a high premium is placed on operational effectiveness and efficiency. The CBOK study respondents picked up on this point, as 73 percent of respondents recommended that internal audit advise on business process improvements. For example, consulting activities by internal audit can result in: strengthening of the lines of defense that make risk management work; more effective collaboration with other independent functions focused on managing risk and compliance; improvements in the control structure, including greater use of automated controls; and suggestions for improving and streamlining compliance. These study findings underscore the benefit of investing in consulting services that will strengthen business processes.
4. Facilitate effective, high-quality communication. Board members generally rate internal audit’s communication at a high level of confidence. For example, a large majority of directors give high scores for the quality (83 percent) and frequency (81 percent) of internal audit’s communication. That’s good news and a great foundation on which to build the board’s satisfaction with the internal auditor’s role.
5. Elevate stature and perspective. Intentionally positioning the CAE and internal audit within the organization is vitally important to their ability to meet elevated expectations. Access and perspective have always been keys to positioning. Access has typically been attained through direct reporting to the audit committee, as well as to the C-suite. But beyond these reporting lines, the study reports that two out of three board members rank the CAE’s participation in board settings beyond the traditional audit committee meetings as an effective strategy for broadening the CAE’s perspective. The board settings that are relevant in this context must be defined by directors to fit the organization’s specific needs. However the goal is defined, increased access to and more frequent interaction with the board broadens the CAE’s perspective of the organization and elevates the stature and visibility of the internal audit function within it. It also enables the CAE to establish relationships with directors, understand their views on addressing competing audit priorities, and earn the right to be viewed as a valued source of insight for the board.
6. Align with stakeholder expectations. In most organizations, not all stakeholders see eye to eye or want the same value from internal audit. This reality creates a significant challenge for CAEs tasked with building consensus among stakeholders. While directors may not expect their company’s CAE to address all of the above imperatives, they should initially and periodically assess whether internal audit is doing what matters based on previously established imperatives. The CAE bears the brunt of the responsibility for addressing this challenge by articulating the value that a top-down, risk-based audit plan contributes to each facet of the organization, and by providing an assurance and advisory perspective that the board, executive management, and other stakeholders can understand.
Following are some suggested questions that directors may consider based on the risks inherent in the entity’s operations.
Does the board periodically evaluate the scope of internal audit’s activities and discuss whether modifications are needed in view of changes in company operations and the business environment? Is the board getting the insights it needs?
Does internal audit provide adequate attention to strategic risk issues, including barriers to the organization’s execution of the strategy?
Does internal audit have an appropriate mix of consulting and assurance activities?
Does internal audit have the stature and access necessary to maximize its effectiveness?
Jim DeLoach is managing director with Protiviti, a global consulting firm.
It has become clear that Britain’s vote to leave the European Union (EU) is a major disruption to global business plans, and its consequences clearly rise to the board level. Ongoing political chaos in the United Kingdom (UK) is having seismic economic effects and has already amplified downside political risks across Europe.
“Wait and see” is a dangerous response to a highly uncertain situation. Proactive board leaders can undertake several immediate initiatives that will minimize the damage to 2016 results in Europe and improve the resiliency of your company’s plans for 2017 and beyond.
What we know today: The UK’s economy will contract next year. Frontier Strategy Group’s (FSG) Europe, the Middle East, and Africa (EMEA) Team forecasts a sharp slowdown in UK growth in the second half of 2016, deepening into a recession of -0.5 percent in 2017. Regardless of the pace and the aim of its exit negotiations with the EU, deep splits within the UK’s major political parties and energized independence movements in Scotland and Northern Ireland guarantee governmental dysfunction and depressed sentiment among consumers and businesses.
Beyond the UK, certain economies are especially vulnerable. Ireland, Norway, and the Netherlands will be hurt quickly as UK demand shrinks. Around the world, UK and European economic woes are likely to hit Poland, South Africa, Algeria, Azerbaijan, Bangladesh, and Costa Rica especially hard in their respective regions.
What we won’t know anytime soon: As of yet, it is impossible to predict (1) whether the European Union will change fundamentally or lose additional members, (2) the political and economic effects of energized populist parties in many European countries, (3) the downside risk to the UK from regional separatism, or (4) the new destinations for foreign investment that may leave the UK. Scenarios and contingency plans are essential tools to manage risk and identify targeted opportunities in this environment.
Bolster Commercial Execution in the Second Half of 2016
Boards should expect to receive a rapid-response sales strategy review from UK executives and risk assessments for Europe overall. Is management being sufficiently proactive in managing new risks?
Prioritize risks to 2016 sales targets—In the UK, business investment is most likely to see near-term declines as companies worried about growth move to limit expenditures (hiring is sharply down in London), while consumer sentiment will be dragged down by housing-price shocks. Sterling and euro depreciation will hit specific customer segments hard. Expect management to proactively engage customers about changes to their expected spending, and redeploy sales and marketing resources to the least vulnerable territories.
Target contingency plans on talent and finance—Uncertainty about visa requirements for Europeans in the UK (and for non-UK citizens generally) is a serious engagement and retention risk. Currency effects are wiping out margins for some UK subsidiaries and should force a near-term rethink of hedging and payment terms. Expect management to document contingency plans with signposts and priority actions by function, especially for finance and human resources (HR).
Track leading indicators of changes in demand—Volatility in currency markets and commodities markets will have global ripple effects on business and consumer sentiment, and on government finances—especially in emerging markets. Ask if European management teams are adjusting their dashboards and monthly/quarterly agendas accordingly.
Stress-Test Strategic Plans for 2017 and Beyond
The next planning cycle will be more demanding than usual. Updating forecast data is a small part of the needed response. So much will remain uncertain that plans for Europe (and for markets with links to Europe) should be stress-tested for resiliency against downside scenarios. Contingency plans should be put in place for big bets.
Use scenarios to model UK and EU demand—FSG’s benchmarking found that simple scenarios are key to organizational alignment and resilience; the companies that do this best grow market share 2.1 times faster than their competition in volatile markets. My pre-Brexit vote NACD post highlights a range of risks worthy of incorporating into scenario plans.
Evaluate risk exposure in European operations and the supply chain—Profitability and pricing power for imported products will diminish if barriers to trade with the UK increase and European currencies weaken further. Scenario analysis can help evaluate potentially improved returns from localized production and supply-chain structure.
Rethink Europe/EMEA hub locations—Potential changes that affect HR, legal, regulatory, and finance teams may tip the scales in favor of revisiting the UK as a hub for EMEA, Europe, or Western Europe leadership and operations. Balance financial and political/reputational considerations along with change-management costs. Retention of European nationals currently based in the UK is becoming a factor as well.
Reassess global market-portfolio prioritization—Long-term investment plans for Europe must be rebalanced given the likelihood of a UK recession in 2017 and ripple effects varying among other European countries. Moreover, investment cases for Europe are likely to face sharply skeptical review even as EMEA leaders strive to make up the gap that UK underperformance will create. At the global level, Asia-Pacific and Latin America leaders have an opportunity to put forward more aggressive plans for 2017 and beyond. India in particular is a substantial market that remains under-penetrated by foreign companies; higher-risk big bets there may be more warmly received when Europe looks so uncertain.
When uncertainty is high, boards have a valuable role in helping management bring focus to the most important decisions rather than falling victim to firefighting and analysis paralysis. Companies that set a proactive agenda now for a mid-year course correction and forward planning will be well positioned despite market volatility in the year ahead.
Joel Whitaker is Senior Vice President of Global Research at Frontier Strategy Group (FSG), an information and advisory services firm supporting senior executives in emerging markets.
Risk governance varies radically across industries and organizations because a one-size-fits-all approach simply does not exist. There are, however, five interrelated principles that underlie effective risk management within all organizations in both good times and bad: integrity in the discipline of risk management, constructive board engagement, effective risk positioning, strong risk culture, and appropriate incentives.
Integrity in the Discipline of Risk Management
Integrity in the discipline of risk management means having a firm grasp of business realities and disruptive market forces. It also means engaging in straight talk with the board and within executive management about the related risks in achieving the organization’s objectives and the capabilities needed to reduce those risks to an acceptable level.
Integrity in the discipline is tied to strong tone at the top. If tone at the top is lacking, the executive team is not likely paying attention to the warning signs.
Consider the following common examples of integrity failures:
Not clearly grasping business realities. The 2008 global financial crisis is a good example of what can happen when the inherent risks associated with aggressive, growth-oriented market strategies are discounted, ignored, or never considered. Breakdowns in time-tested underwriting standards, failures to consider concentration risks, and excessive reliance on third-party assessments of structured products were among the root causes of the crisis.
Not integrating risk with strategy-setting. When risk is an afterthought to strategy, risk management fails to reach its full potential. The critical assumptions underlying the corporate strategy must be understood at the highest levels of the institution, and the external environment must be monitored to ensure that these assumptions remain valid over time.
Not tying risk tolerance to performance. Risk is often treated as an appendage to performance management. But how does management or the board know if risk is being efficiently managed if risk appetites and tolerances have not been delineated? Performance and risk must be integrated, and to that end, defining thresholds is essential.
Limiting risk management to a compliance activity. Integrity in the discipline means knowing that undertaking initiatives to manage risk in the pursuit of business objectives is not strictly a regulatory compliance measure. Viewing risk management as a “regulatory” check-the-box matter restrains its value proposition.
Hoping that risks are managed sufficiently while knowing that business realities are not actively monitored, risk is not really understood, tolerance levels are not set, and risk management is addressed solely to meet regulatory guidelines is a clear indicator that integrity in the discipline is lacking.
Constructive Board Engagement
Effective risk oversight by the board begins with defining the role of the full board and its standing committees with regard to the oversight process and working with management to understand and agree on the types of risk information the board requires. Directors need to understand the company’s key drivers of success, assess the risks in the strategy, and encourage a dynamic dialogue with management regarding strategic assumptions and critical risks.
The scope of the board’s risk oversight should consider whether the company’s risk management system—the people and processes—is appropriate and has sufficient resources. The board should pay attention to the potential risks in the company’s culture and monitor critical alignments in the organization: strategy, risk, controls, compliance, incentives, and people. Finally, the board should consider emerging and interrelated risks.
Effective Risk Positioning
The expectations of the board and executive management for the chief risk officer (CRO) and the risk management function must be carefully considered and, given those expectations, the function positioned for success. To this end, six key success factors constitute a significant step toward a successful and effective risk management function.
The CRO (or equivalent executive) is viewed as a peer with business-line leaders in virtually all respects (e.g., compensation, authority, and direct access and reporting to the CEO) and likewise down through the business hierarchy and across the organization.
The CRO has a dotted reporting line to the board or a committee of the board and faces no constraints of any kind in reporting to the board.
The board, senior management, and operating personnel believe that managing risk is an organizational imperative and everyone’s job.
Management values risk management as a discipline equal to opportunity pursuit.
The organization clearly views the CRO as undertaking a broader risk focus than compliance.
The CRO’s position, and how it interfaces with senior line and functional management, is clearly defined.
Taking one or more of these elements away should send up a red flag indicating that the risk management function may be unable to fulfill its expected role and lacks real authority or influence. Depending on the expectations, the function may be set up to fail.
Strong Risk Culture
An actionable risk culture helps to balance the inevitable tension between creating enterprise value through the strategy and driving performance on the one hand, and protecting enterprise value through risk appetite and managing risk on the other hand. While risk culture has gained relevance in financial services institutions since the global financial crisis, the decision-making preceding reputation-damaging risk events, and the lack of response readiness when those events occur, have made risk culture a topic of interest in other industries as well.
Culture is influenced by many factors. In addition to tone at the top and the quality of the board’s risk discussions, other factors include:
Accountability. Successful risk management requires employees at all levels to understand the core values of the institution and its approach to risk, be capable of performing their prescribed roles, and be aware that they are held accountable for their actions in relation to expected risk-taking behaviors.
Effective challenge. A sound risk culture encourages an environment in which decision-making processes allow expression of a range of views, manage the effect of bias and facilitate reality testing of the status quo.
Collaboration and open communications. A positive, freely open and collaborative environment engages the most knowledgeable people and leads to the best decisions.
Incentives that encourage risk awareness help shape risk culture, as discussed below.
Appropriate Incentives
Performance and talent management should encourage and reinforce maintenance of the organization’s desired risk behavior. The old saying “What gets rewarded, gets done” is as true with risk management as it is with any other business process. Disconnects in the organization’s compensation structure and an excessive near-term focus can lead to the wrong behaviors, neutralizing otherwise effective oversight by the board, CRO and other executives.
For example, if lending officers are compensated based on loan volumes and speed of lending without regard for asset quality, reasonable underwriting standards and process excellence, the financial institution may be encouraging the officers to game the system to drive up their compensation, exposing the company to unacceptable credit risk.
This principle requires more than focusing on C-suite executive compensation and upper management. Equally important is an understanding of the incentive plans driving behavior in the sales force and on the “factory floor” where production takes place, as this is where the individual “moments of truth” occur that add, subtract or neutralize the buildup of risk within the organization’s processes, each and every day.
Questions for Boards
The following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:
Has the board articulated its risk oversight objectives and evaluated the effectiveness of its processes in achieving those objectives? If there are any gaps that may impede risk oversight effectiveness, is the board taking steps to address them?
Are there any elements of ineffective positioning of the risk management function present in the organization? Is the CRO (or equivalent executive) viewed as a peer with business-line leaders? Does the board leverage the CRO in obtaining relevant and insightful risk reports? Does the CRO have a direct reporting line to the board?
Does executive management openly support each line of defense (e.g., the primary risk owners [business-line leaders and process owners whose activities create risk], independent risk and compliance management functions, and internal audit) to ensure it functions effectively and that there is timely consideration of escalated matters by executive management and the board?
Do primary risk owners identify and understand their respective risks and risk appetites? Do they escalate issues to executive management in a timely manner? Is the board of directors engaged in a timely manner on significant risk issues?
Is risk management a factor in the organization’s incentives and rewards system? Is risk/reward an important factor in key decision-making processes? Do information systems provide sufficient transparency into the entity’s risks?
Jim DeLoach is a managing director with Protiviti (www.protiviti.com), a global consulting firm.