Risk management and internal audit synergies
There’s more of us than you think in Malta. I am of course talking about internal auditors and risk managers. On the afternoon of Wednesday 13 July, internal auditors and risk professionals navigated the sweltering heat to reach a packed hall for an event
What is a Risk Manager anyway?
Since settling in Malta five years ago, I have worked in the areas of risk and internal audit and also served on the Board of the Malta Association of Risk Management. During that time, one thing that struck me is that, what Risk Management does and how it is perceived varies widely from business sector to sector and even between similar businesses.
Some risk management departments are in place primarily to meet regulatory requirements, whilst others are set up because of specific risks, such as fraud. Some are set up to achieve better management of all types of risk across the whole organisation, whereas others exist in practice, but are hidden behind different labels such as ‘Compliance’ or ‘Finance’.
When considering your own risk arrangements, more important than the titles placed on individuals is whether risk management objectives are being achieved effectively. A recent paper co-authored by the European Confederation of Institutes of Internal Auditors (ECIIA) and the Federation of European Risk Management Associations (FERMA) stated that risk management aims at “creating a disciplined, structured and controlled environment within which risks to the organisation can be anticipated and maintained within predetermined acceptable limits”. When you look at risk management from this perspective, you realise that many of us do fulfil a risk management role at our workplaces without an official designation.
Building the basics
Once upon a time, I was called into a meeting with a reputable local firm and introduced to the newly appointed internal auditor, who said “We have a problem. Policies and procedures are absent or undocumented.” With nothing to audit against, they were looking to us to help them fix their documentation shortcomings.
The disciplined, structured and controlled environment referred to above should absolutely include policies and procedures, and preferably process diagrams and maps. These documents help an internal auditor to quickly understand how the organisation intends to operate, where the risks are and what controls are relied upon to mitigate them. This is a simple but basic synergy that those charged with risk management can help deliver.
Hiring an internal auditor without having these basics in place is like buying a thoroughbred racing horse without thinking about stabling.
One step at a time
Another basic risk management element is to have a risk register in place and operating. In this area there is a danger of attempting to run before you can walk. The risk registers that work best as a risk management tool are those that are introduced gradually and engage all staff at all levels.
During the event mentioned earlier, Ian-Edward Stafrace (Chief Risk Officer at Atlas Insurance) explained that the first steps towards developing their group’s risk register involved risk identification workshops which took place across the organisation. This helped spread the message that everyone is responsible for risk management and can have a role in helping the organisation in this area.
The evolution of internal audit
A traditional image of an internal auditor is one of an inspector roaming the organisation ready to pounce on any non-compliance. As explained at the same event, the priorities of a modern internal audit are focused on business improvement. This involves determining internal audit focus based on the most important risks and opportunities facing the organisation in order to seize opportunities, minimise operational surprises and enhance risk response decisions. In the polling session at the end of the event, there was unanimity that an internal audit department that takes a risk-based approach to its work is the one most likely to add value to the organisation.
Leading practices
Internationally, the direction of travel is towards organisations being required to assess their risk management and internal control environment on a regular basis. This inevitably leads to questions over how best to coordinate risk and internal audit activities.
Leading practice recommends that organisations should adopt a common approach to risk management and internal control across the business. This would include, at the very least, a shared understanding of how risks are identified, assessed and reported. Clearly defined accountabilities around risk setting, risk management and support to the business lines are also critical, with the ‘Three Lines of Defence’ model considered to be an optimal framework around which to organise roles and responsibilities.
Summing up
Of course, these debates can be overly academic. If getting the most out of risk management and internal audit interests you, why not engage with the following local bodies, which are focused on these areas: the Malta Association of Risk Management (http://marm.org.mt) and the Malta Forum of Internal Auditors (http://www.fiamalta.org). They’ll help you build your network so you can learn from fellow professionals who have faced these challenges in practice.
Dominic Fisher is a senior manager with Deloitte Malta’s Enterprise Risk Services and is contactable at dofisher@deloitte.com.mt. For more information, please visit www.deloitte.com/mt/ers