Aligning ERM and Internal Audit to Anticipate and Address Risk
A risk is defined by The IIA as the positive or negative effect of uncertainty on objectives. Traditionally, risk management has focused on known or familiar risks, and this remains vital to organisations. However, the macro environment is increasingly characterised by new and emerging risks; it is almost impossible to describe it without using words like volatile, uncertain, complex, and ambiguous. The acronym “VUCA”, popularised by the Harvard Business Review, is a short way of saying “Hey, it’s crazy out there!”
What can we do to remain alert to the most important risks and help our organisations navigate these turbulent waters? In this short article I want to touch on three elements that can be part of an integrated solution:
- Enhancing enterprise-wide risk management (ERM) practices to embrace emerging risks.
- Recognising the human dimension of managing risks.
- Leveraging technological solutions.
AuditBoard recently had the pleasure of leading a discussion on this topic, joined by Sarah Singh, Vice President of Internal Audit at ING, who brings a vast wealth of experience.
Stressed Environments
Although commonly discussed, the concept of emerging risk is less often defined. The Institute of Risk Management (IRM) defines an emerging risk as one that is evolving in areas and ways where the body of available knowledge is weak. Crucially, emerging risks are ambiguous, chaotic, complex, and hard to control, which makes it difficult to apply our normal risk management tools.
Sarah Singh describes the current risk landscape for organisations as “incredibly more challenging and ever more expansive, with complex, simultaneous, and intersecting horizontal risks of high velocity, volume, and volatility in both financial and non-financial areas.” Assurance and risk professionals must rise to the challenge.
While uncertainty is challenging, we can learn from what we know and apply it to new and unfamiliar situations. There is never zero risk. We must build resilient, efficient, streamlined processes that are agile and adaptable. Rather than relying on traditional RCSAs (risk and control self-assessments) alone, ERM should combine a bottom-up approach (risk and control owners reporting upwards) with a top-down approach (board and executive scanning of the risk landscape).
An effective response to new and emerging risks must include:
- Better horizon scanning through proactive, future-focused scenario planning, looking externally, and staying abreast of global trends in industry and regulatory changes.
- Improved education and upskilling in management, risk functions and internal auditing.
- Adoption of the full potential of technology, including AI, advanced data analytics, and process automation.
People and Culture
The IIA’s Three Lines Model remains as valid today as ever. Clear separation of risk ownership, response and independent assurance is essential in effective ERM, providing both rigour and challenge to the business. With so many risks out there, there is a real danger of missing something relevant and material. That is why it is so important to have well-defined roles, bringing the disparate components of risk management together into a coherent, cohesive whole.
Internal auditing must prove its relevance by asking the right questions, helping management identify risks, recommending remedies for defective controls, and identifying controls that are duplicative or obsolete and can be removed. Auditors can also help ensure enterprise-level systems bring visibility to risks and coordinate assurance without undue gaps or overlaps. Some risks, such as third-party risks, often remain out of management’s view, so auditing’s perspective must be proactive, agile, and targeted.
Technology
Like Sarah Singh, I am convinced that technology is an essential tool for risk management and internal auditing. ERM relies on timely, accurate data from a whole range of sources. AI is increasingly important for preparing and analysing that data, automating processes, and sustaining a truly data-centric approach. There are three essential roles for technology and AI:
1. To streamline risk management and control.
2. To enable continuous, near-real-time monitoring of full populations of transactions and controls rather than periodic samples.
3. To standardise how risks and controls are defined, making things simpler, better defined, more consistent, and more easily managed across an entity.
Technology provides huge benefits to ERM, including:
- Enhanced monitoring capabilities.
- Timely, relevant data across a range of metrics, including risk appetite and climate-related risk.
- Increased accuracy.
- Increased understanding of the risk profile.
- Greater analytics for quantitative and qualitative data (like sentiment analysis).
- Better compliance with regulatory requirements.
- Earlier identification of and response to cyber-attacks, provided the monitoring data is complete and trustworthy.
Developing a Strong Risk Culture
Internal auditors and risk professionals need to remain engaged with stakeholders and ask challenging questions, such as:
- How is scenario planning used and does it accurately reflect the current complexities within the environment?
- Is the organisation using a combination of scenarios?
- Is stress testing kept up to date?
- How rigorous is cyber testing and how resilient are the recovery capabilities?
- Do we have secondary data centres, and has failover to them been tested?
- What is our counterparty concentration exposure risk?
So much depends on having a strong risk culture. This starts at the top and is signalled by expressions of risk appetite linked to objectives and tolerances from the board down to desk level – described by Sarah Singh as the fundamental “guardrails” for a responsive ERM framework.
Tony Luciani is a Senior Manager of Product Solutions at AuditBoard. Prior to AuditBoard, Tony served as IT Risk and Compliance Manager at Sony Pictures. As a former InfoSec consultant, PCI QSA, and CCSFP Assessor, his experience ranges from performing gap/attestation assessments (i.e. NIST, ISO, CIS, SOC2, PCI, HITRUST, etc.) to facilitating IT risk management programs for customers across multiple industries. Connect with Tony on LinkedIn.