How to: Develop an eagle eye

Risk management auditors could learn a thing or two from a bird of prey. The bird scans its area, understands the ground cover and knows the context for its search. It is methodical in its understanding of the terrain but continues at height, checking this way and that as if using a grid pattern. The bird looks for clues to help it spot its prey, just as an auditor would seek to fi ne-tune their understanding of the brief and the organisation they are dealing with.

The bird needs a second set of skills to determine when to swoop and the speed and access needed to get it to ground level.

A third skill is then needed when the bird reaches its target, plucks it up and dissects it morsel by morsel.

Let us now dissect those three skills to analyse more closely what they mean to the process of auditing risk management.

Skill 1: scanning

the territory First and foremost, an auditor must understand the ground rules: the context of the risk management audit that determines the brief. In our experience there are four kinds of organisation, and each needs adifferent approach.

Is this an organisation that is using risk management on a defensive basis (risk-naïve)? Or is it for compliance (risk-aware) or for balancing opportunity and threat (riskmanaged)? Or is it an overt risk-taking organisation (managed risk-taking)?

This step is important, as you need to determine the current culture of risk management and the organisation’s ambitions for moving forwards.

A defensive organisation is risknaïve. It does not seek to change much – in fact, it is averse to change – but suffers many changes that are not of its doing. It operates tactically and might have cloudy or mixed strategic statements; certainly there is no dynamic vision for change or development.

When auditing such an organisation, you would probably fi nd a risk management programme that is mainly operational with a heavy focus on safety and prevention programmes. There will not be much awareness or leadership of risk management from the top.

Leaders pride themselves on their reactive skills, saying things like: “We manage best when our backs are against the wall”. These organisations’ business continuity skills are not well developed, as that would need strategic leadership.

As with all audits, you have to be sure about your brief – but particularly so in this case. They are likely to want a systems-based audit for operational risk management as opposed to a full-blown enterprise risk management audit. If you start to delve into areas beyond operational risk management, you need to ensure your sponsor is aware of and comfortable with that.

Look out for clues that might help you widen the brief to do a more value-added audit. The client might say: “We are looking for ways of using risk management to reduce surprises” or “We want to know if risk management can help us respond better to crises.”

When an organisation is using risk management on a compliance basis, you can open up the conversation to wider enterprise risk management areas – the new UK Corporate Governance Code requires risk management to be embedded in the business. Compliance (risk-aware) organisations are slightly more developed than defensive ones – but only just. They are looking for risk management that will keep the regulatory monkey off their backs and no more. They have not yet understood that there is a reason why the regulators insist on risk management being in place and that it can add a huge amount of value to what they are doing. As you circle this organisation, you should listen out for requests such as: “We want to move risk management beyond just box-ticking” and “We need risk management to be embedded but we don’t know what this means or how to do it.”

Risk-managed organisations that balance opportunity and threat are much more developed in their understanding and use of risk management. They understand that risk can be good and bad. They are also likely to have a more rounded approach to risk management, including it in performance management, planning and budgeting at the strategic level, and in project and departmental management at the operational level. Your audit approach can be much more robust with these types of organisations and you can anticipate mature conversations on how well risk management is adding value and where controls can be relaxed to allow more innovation.

The fi nal type of organisation embraces and seeks out risk – the risk hunter. They expect to get caught out every now and then, but view that as the price of business. Your audit approach with this type should be based on ensuring they have the right strategies in place and that they are committed to contingency planning and business continuity management for those low-probability, high-impact events that threaten their wellbeing. That means a thorough understanding of the business and regulatory environment, as well as the sanctions available to the regulators and claimants.

Skill 2: moving in on the target

Having established the brief and type of organisation you are dealing with, it’s time to develop your second skill: how to plan the audit to work out the triggers for diving down for an in-depth analysis. In order to do so, you need to examine the organisation from all the angles. There are a number of key questions that can help to guide this planning process.

1. Risk leadership – is the right kind of leadership in place for risk management at all levels? Is it appropriate to the culture of the organisation? Is it appropriate to the regulatory environment and market of the organisation?

2. Risk strategies and policies – is there a strong link between performance management and risk management? Are all actions in managing performance that has an impact on risk cross-referenced to the risk in the risk register?

Does the strategy deal with the difference between managing threat and opportunity? Is there appropriate recognition of the gaps when demand is forecast to outstrip supply? Are they explicit about the roles and responsibilities for managing risk throughout the organisation?

3. Internal resources, people, and communication – has there been suffi cient training? Has the training been at the right level with the appropriate learning outcomes? Are people able to manage risks with skill and confi dence? Is there suffi cient internal expertise to plan, guide and facilitate risk management at all levels? Is the risk management culture appropriate to the expectations of the organisation?

4. External resources and partnerships – are the risk of and risks to external resources and partnerships appropriately managed? Is there enough of a riskmanaged culture to allow innovation in the use and deployment of external resources and partners?

5. Risk processes – how good are these? Is there a proper analysis of the causes and the outcomes of risk? Are the control actions suffi cient to respond to these causes and outcomes on a prioritised basis? Are risk registers being used properly? Are they live and active on a day-to-day basis? Is risk management linked fi rmly to the goals and objectives? Is there ownership of risk and of risk controls? Is there a good business continuity management system in place and adding value?

6. Risk handling and assurances – is there evidence that risk management is being effective? Are there ongoing measures to ensure that effectiveness can be tracked?

7. Outcomes and delivery – is there evidence that risk management is helping to deliver successful outcomes?

Skill 3: ground control

Just as a bird of prey dissects its prey expertly, so should an auditor conduct its dissection, but very much directed towards the organisation in question.

So, if you are looking for evidence that risk management contributes towards determining the strategic and operational business plans, this would be for the more risk-mature organisation.

Again, looking for a strategic gap analysis that looks at the mismatch between demand and supply to determine where the pinch points are, is a pretty mature attribute of a riskmanaged, risk-taking organisation.

But all organisations should be able to show a hard soldered link between risk and goal.

Further, there should be a root cause analysis methodology applied to each risk over time to determine that the actions are the right ones, and used frequently to ensure that a reverse engineered approach to managing risk through scenario planning determines the risk control strategy.

All risks should be ‘owned’ by a risk owner, with reference to stakeholder owners (those who need to be informed on progress) and control action owners (one for each action). Often when we are auditing risk management and we fi nd a high scoring risk on which nothing has been done for a long time, it will be because risk action owners have not been identifi ed and the risk owner is very senior. We call these the ‘hot potato risks’ because ownership changes frequently but nothing gets done about them.

In the best risk-managed organisations, risk control actions are prioritised to ensure best value – they look for simple, elegant solutions fi rst. Moreover, risk control should be appropriate for the risk presented – neither undercontrolled nor overengineered.

As auditors, we love and hate risk registers. They give us a great audit trail for what’s happening to manage risks, but they so often end up killing off risk management. Continuous overview and update of the risk registers must be evidenced and ideally linked to performance management. If the risk register is just woken up every quarter and dragged through a risk review process, the risk management programme needs reviving.

In the most mature organisations, budgeting and resource allocation are driven by the prioritised risk actions; timing of risk is determined for critical risks so you can see when the risks will peak and readjust the business plan accordingly, and risk appetite is well developed and articulated. There is also a culture of accepting mistakes as learning opportunities – the opposite to a blame culture.

Some people see birds of prey as dangerous, fearsome creatures; others see a beautiful emblem of freedom and grace. However you view them, an audit should be regarded as a positive, value-added process that frees up the organisation to move gracefully to the next stage of embedding risk management. And that means valuing what they have done so far and getting the client to take ownership going forward. ¦

Liz Taylor is managing partner at Liz Taylor Risk Consulting