Your Risk Management Magazine
Audit, compliance and risk management – rivals or allies?


It is always a good idea to start at the top or the beginning when making an analysis. We need to define the basic parameters within which governance and compliance must be managed, as this sets the scope for the whole of the risk management process.

The top level of risk in an organisation is the corporate level. Nowadays, most agencies have drawn up corporate plans. These express corporate objectives, namely what the organisation is trying to achieve: its goals and strategies. The major risk for the agency is simply that it might fail to achieve its strategic or business objectives because unexpected impediments arise which remove or reduce the means of attaining them.

The agency’s objectives will govern its administrative structure. The agency might be divided into sub-units or branches. These branches will be likely to administer the execution of one or more comparatively diverse activities, functions, projects or processes. Further down the organisational structure, objectives and risks can also be identified at branch level, then at unit level and at activity, function, project or process level. There is a risk that an objective not achieved at a lower level will prevent the attainment of an objective at a higher level. Thus a hierarchical structure of risk identification is developed, in which the risks identified at each level complement those identified at the levels above and below it.

To be effective, management of risk should be integrated into the management philosophy of an organisation. It is necessary for the board of directors or senior executives to take ownership of establishing the agency’s risk management policy for the whole organisation. Risk management needs to become part of an organisation’s culture, embedded in the organisation’s philosophy, practices and processes. Enterprise-wide risk management (ERM), or risk management across the agency, affects every aspect of the agency’s activities.

My experience has been in government agencies. ERM was first canvassed in the Commonwealth finance regulations in the late 1980s. In 1999 Comcover launched a risk management program to provide Commonwealth organisations with assistance in risk management planning and education, and in 2000 Comcover requested agencies to develop and implement risk management plans by 31 March 2001. The ACT Government was a late starter in this regard. The ACT Public Service Risk Management Framework was launched on 19 February 2004. The ACT Insurance Authority then teamed with Comcover to sponsor a series of seminars on “Getting Wired with Risk Management”, which attracted wide participation by personnel in Commonwealth and ACT government agencies.

I want to stress the importance of ensuring that the objectives of the agency, its sub-units and its individual activities are clear, concise and practical. I have, in my experience, observed programs and projects in government agencies which I considered had no hope of success because the objectives were not adequately defined or were excessively vague. We cannot, of course, criticise government policy – perhaps the political masters’ intentions are very general – however the programs I have in mind offered adequate scope for the agencies to make an effort to develop clear and unambiguous objectives. Trying to match resources to a program which has vague objectives is likely to be hazardous and wasteful, and risks losses or inefficiencies in its operation.

To implement the risk management framework effectively, a coordination role will be required. Some businesses have appointed a chief risk officer to coordinate risk management across all levels of the organisation. The chief risk officer needs to understand the organisation’s goals, objectives and resources, and to be able to communicate with all stakeholders, internal and external. The risk officer normally reports to the chief executive on implementation of the risk management program and, in addition, coordinates the work of other risk specialists. Some organisations have also introduced a risk review committee or corporate risk team, including audit, actuarial, compliance, investment and insurance personnel, to undertake or assist with this function and its implementation.

The risk officer will produce guidelines for the conduct of risk management across all units and programs. Total risk management will comprise the sum of the effort by all individuals and units, with a view to achieving an integrated, holistic, enterprise-wide approach throughout the whole organisation.

When considering the wider role of government itself, it is apparent that governments also have clear roles in managing public risk. Where individuals or businesses impose risks on others, government’s role is mainly that of regulator. Where risks cannot be attributed to any specific individual or body, governments may take on a stewardship role to provide community protection or to mitigate the consequences. Governments need to make judgements, in as open a way as possible, about the nature of risk and how responsibilities should be allocated, recognising that there will always be some unavoidable uncertainty.

How should internal audit be integrated with risk management?

There has been considerable discussion about the relationship between internal audit and risk management. Some agencies have combined risk management with internal audit, while others have kept them separate. I have known internal audit units to prepare risk analyses or fraud risk assessments for agencies in a consulting capacity, sometimes simply as a means for the client organisation to be seen to be complying with legislative or policy requirements for implementing risk management. From experience, I consider this process may lead to the preparation of a good risk management plan, but one that is not understood by the staff and is conveniently rendered inoperative due to a lack of appreciation of the recommendations and of the likely benefits of the process.

A better approach is to involve the organisation’s own personnel in risk management, as this is more likely to ensure that employees take an interest in the outcome of the process: they have shared in its preparation and will also be involved in its implementation.

Indeed, I would contend that developing risk analyses is a function with which everyone can easily identify. Most employees are keen to do their job effectively and can readily identify risks which may prevent them achieving the objectives of their job. This process is easily understood and does not involve technical expertise, at least to start with. A postage clerk once told me that the greatest risk to his job was that the courier might not turn up in time to pick up the mail and deliver it to the mail centre promptly to catch the mail closing deadline. That was a pertinent observation. Of course, the treatment of this risk might be a technical one, for which more complex expertise might be required – how to get a more reliable courier, how to ensure the courier does not get delayed, or how to convey the mail by some other means.

A significant argument for combining internal audit and risk management centres on ensuring that the internal audit work program places the greatest attention on areas of high risk. That is important; however, it can be achieved while still maintaining a separation of functions.

The concept of audit imparts to many people a perception of threat or of enforced conformity, and hence linking risk management to anything associated with auditing may discourage open consideration and objective identification of risks and their consequences. Internal audit can maintain its necessary independence and still be involved in the process in other ways. It will have the responsibility of reviewing management practices, internal controls, risk plans and their associated treatments once developed, to ensure risks are adequately identified, managed and monitored, and indeed of assessing the sufficiency and effectiveness of the whole process from start to finish.

The standards applied by the Institute of Internal Auditors – Australia require internal audit, as part of its functions, to monitor and evaluate the effectiveness of an organisation’s risk management and control systems. Standard 2110 of the International Standards for the Professional Practice of Internal Auditing, for example, states that the internal audit activity should help the organisation manage risk by evaluating significant risk exposures relating to the organisation’s governance, operations and information systems, including the:

• reliability and integrity of financial and operational information;

• effectiveness and efficiency of operations;

• safeguarding of assets; and

• compliance with laws, regulations, and contracts.

An effective internal audit program is therefore complementary to risk management and an integral part of the whole risk management process.

Is it desirable to have a framework which combines risk-based and control-based assessment?

Internal control in an organisation is a very broad concept. The Committee of Sponsoring Organizations of the Treadway Commission considers that: “Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.”

The committee considers that key concepts of internal control are:

• Internal control is a process. It is a means to an end, not an end in itself.

• Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organisation.

• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.

• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

The control environment includes ethical values, integrity and competence on the part of everyone, but particularly, as mentioned above, the board of directors and management establishing an appropriate “tone at the top”. Good internal control is necessary to reduce risks, and part of the risk assessment will involve an evaluation of the agency’s internal control to ensure its effectiveness as a means of reducing risk.

Some years ago, I prepared a risk assessment for a major Sydney sports ground and noted that the trust did not have in place an effective job costing system for grounds maintenance. The resulting risk was that losses could occur in undertaking grounds maintenance, a very significant activity and expense for a major sporting venue: either inadequate or excessive maintenance could occur, or the materials and labour could be misplaced or used inefficiently. The management were appreciative of this being brought to their attention.

Indeed, this form of risk assessment, in addition to ensuring compliance, might also identify better ways of managing corporate responsibilities and result in greater operational efficiencies.

For some years now, governments at both the federal and state levels have been increasingly focused on achieving a better performing public sector. A major imperative has been a drive for greater efficiencies and effectiveness through providing services that are less costly, more tailored, better directed, and of higher quality to their customers or citizens.

The boundaries between the public and private sectors are becoming less distinct, and policies that demand whole-of-government approaches or inter-business or industry agreements are becoming more common. Both public and private sector organisations must manage not only their own risks but also the risks that come with joined-up government and inter-agency partnerships.

Individual agencies will need to monitor internal controls on an ongoing basis, with control deficiencies being promptly reported to top management and corrected in a timely fashion.

Internal audit and the audit committee will need to possess an appropriate mix of operational and financial control expertise to ensure that an effective evaluation of control systems can be achieved. Internal control cannot in itself ensure success, but good controls will assist organisations in getting where they want to go while minimising pitfalls and unexpected disruptions.

Risk assessment, therefore, is important not only to ensure the agency’s compliance with legislative requirements, agency policy and instructions, but also to identify better ways of doing things and to increase efficiency in fulfilling individual programs and satisfying client and stakeholder requirements. Internal audit can provide an important independent review of internal control, helping to assess whether risks have been identified, controls implemented, management plans completed and continuous monitoring carried out.

Bill Fraser is a former internal audit manager, ACT Government, Canberra

This paper was presented at the LexisNexis Risk Management conference late last year.

© 2012 Key Media Pty Ltd.