Risk is not limited to internal corporate audit

Could concentrating ERM functions in internal audit, under a supervising corporate audit committee, be an obstacle to developing effective enterprise-wide risk management?

Managing risks should involve all levels of corporate management and staff, from bottom to top. Instead, conventional wisdom tends to restrict the responsibility for risk management to the highest levels of the firm. In this view, risk management is a proprietary function of top management. Its headwaters are the C-suite, from which all flows down upon the lower echelons.

One standard-setting document on Enterprise Risk Management (ERM) was published by the Committee of Sponsoring Organizations (COSO). The “COSO ERM” (2004) provides “direction for all levels of management” and makes clear that ERM should be “applied across the enterprise, at every level and unit.” Still, its overall thrust is “directed to chief executives, other senior executives, board members, and regulators.”

COSO Risk Management Objectives and Components

This high-level, top-down concept of ERM is mother’s milk to management consultancies. In PricewaterhouseCoopers’ report, “A Practical Guide to Risk Assessment” (2008), “senior management and the board” are identified as “owners and sponsors of risk assessment.” Though risk assessment “can be conducted at various levels of the organization,” the contribution of lower-level staff is limited to identifying “relevant business objectives” through “interviews, workshops, surveys, process flow reviews” and such. Objectives are not risks.

PwC’s Risk Assessment Process

Audit Committees and Their Charters

The audit committee too often serves as the front for risk management expertise. “Traditionally, internal audit (IA) has served as the independent eyes and ears of boards and management, both in terms of risk oversight and compliance,” according to Deloitte’s CFO Insights (2014). The Deloitte study supports the traditional approach but alludes to its inherent inadequacies. Deloitte wonders whether IA is “focused on the right risk areas” and urges IA “to work cross-functionally.”

Charters of corporate audit committees and risk management committees enshrine the top-down approach as policy. We have mined General Motors’ risk management problems before. It is a rich vein that offers lessons to anyone willing to learn. GM’s charters were considered best practices before the wheels came off in 2014. Other companies follow a similar path.

Under GM’s structure, the Finance and Risk Committee is charged with “oversight and review” of management’s “risk assessment and risk management” activities. It reports formally to the Audit Committee whose reassuringly “financially literate” directors exercise oversight of financial statements and compliance with legal and regulatory requirements.

By the looks of the charter, and judging from GM’s experience, risk management is not the Audit Committee’s highest priority. The committee’s reach in this area is limited to the review of “management’s assessment of legal and regulatory risks” and the discussion of “policies regarding risk assessment and risk management.”

GM’s Finance and Risk Committee has detailed responsibilities which its charter summarizes succinctly as “oversight and review.” The charter follows the Audit Committee line faithfully. “Risk assessment and risk management,” it says, “are the responsibility of the Company’s management.”

There’s Got to be a Better Way

Evidence is mounting that the traditional arrangement is not performing well. Enterprise risk management does not work by management fiat. Analyses of corporate risk management disasters generally capture major characteristics common to most top-level risk management fails:

  1. Misunderstanding the sources and nature of risk (the near collapse of AIG)
  2. The miscommunication – or complete lack of communication – of risk concerns (Target’s data breach)
  3. Poor strategic response (Toyota’s brake recall).

These characteristics seem to be natural results of the top-down approach, almost as though they are built into the system.

An alternative approach encourages risk awareness at all levels of the corporate structure. Top management should know what risks exist on the micro level and how to respond, while staff at all levels are capable of understanding top management’s risk assessment needs and of communicating their risk concerns to those higher up.

To some extent, staff at all levels should be empowered to act, and be held accountable for risks in their area. For enterprise risk management to work most effectively, each staffer needs to participate in the identification, analysis, and management of risks immediate to them and their jobs. Facilitated workshops, employee surveys, and process flow reviews are not cutting it.

Corporations should develop their risk cultures beyond the top tiers of their org charts and extend ownership of risk assessment throughout their structure. The corporate risk management infrastructure should reach from the bottom of the company to the top, and back again.

It is true that risk and uncertainty are fiendishly complex concepts that often require complicated technical solutions, and this sort of expertise cannot exist throughout an organization. But that is beside the point. It is not necessary for every employee to be competent in the calculation of the probabilities of expected outcomes. Not everyone needs to co-ordinate sophisticated strategic responses to a set of risk factors that has recently emerged.

Helpful heuristics

What is necessary is that every employee, from the Board and Audit Committee, through the C-suite, and on down, be risk literate. This essential first step on the journey to effective enterprise risk management makes it possible for risk awareness to exist at all corporate levels.

Fortunately, risk literacy – the recognition of, basic assessment of, and appropriate response to risks encountered daily in one’s job – is a skill that can be imparted through training and education, though to be useful it must be put into practice daily. Not all risks are calculable. These are “uncertainties,” and making decisions under conditions of uncertainty is something that can be taught. Military training is a good example of this.

Much of risk literacy is based on the use of heuristics, or simple rules of thumb, for determining appropriate courses of action when faced with ill-structured problems. There is nothing new here. Herbert A. Simon described the heuristic approach over 50 years ago.

About Author

Steven Slezak

Steven is on the faculty at Cal Poly in San Luis Obispo, California, where he teaches finance and strategy. He taught financial management and financial mathematics at the Johns Hopkins University MBA program. He holds a degree in Foreign Service from Georgetown University and an MBA in Finance from JHU.