“Today’s business environment is characterized by mounting pressures for stronger, more effective risk management. There is a sharp focus on risk oversight, considered by many observers to be the top governance issue facing corporate boards in a post-meltdown world. Audit committees are pushing for holistic risk management, stepped-up risk mitigation, and enterprisewide risk assessments. As one chief audit executive (CAE) puts it, “The audit committee has been getting piecemeal looks at risk, and now they want the full picture.”
For the most part, internal auditors appear to be well aware of these pressures. In a recent IIA Global Audit Information Network (GAIN) survey, Internal Auditing’s Role in Risk Management, nearly three-fourths of respondents said they see a growing need to provide their audit committee with a greater understanding of organizational risk management processes. In addition, 44 percent reported being asked by their audit committee for recommendations on how to enhance the organization’s risk management process. When asked about current risk practices at their organization, more than 72 percent of respondents from Fortune 500 companies said the entity had either a formal or informal risk management program in place, and nearly two-thirds characterized their firm’s practices as “informal but evolving.” Collectively, these findings show indications of organizational progress along the risk management maturity continuum.
In light of this apparent progress, internal auditors need to examine whether they have achieved similar types of gains in promoting risk management goals or providing assurance over risk management activities. This issue was raised by PricewaterhouseCoopers (PwC) in a 2007 publication titled Internal Audit 2012. At the time, PwC analysts pointed to potential value gaps for internal audit functions failing to keep pace with maturing risk practices. The current evidence of evolving organizational risk management maturity heightens this concern.
The question for internal auditors, simply put, is this: Have you kept up, or are you falling behind? Is there a value gap in the risk management arena that you need to address? Moreover, what are internal audit leaders doing in the area of risk management that might work well in your organization? To explore these and other related issues, The IIA recently hosted a roundtable discussion in San Diego focusing on current risk management challenges. Attendees included CAEs from Fortune 250 organizations as well as representatives from professional service firms, The Committee of Sponsoring Organizations of the Treadway Commission, and the National Association of Corporate Directors. Several key themes emerged from the discussion, forming the basis for a series of leading internal audit practices.
These “10 risk management imperatives” can help CAEs better serve their organization and ensure they’re keeping pace with evolving approaches to organizational risk.