Risk is Everywhere: Prioritizing Audit Focus on Enterprise Objectives
This article challenges the notion that internal audit should address every conceivable risk, arguing instead for a strategic focus on risks that directly impact enterprise objectives. For audit and assurance professionals, this emphasizes the critical need for risk-based auditing, where resources are allocated to assess controls over the most significant threats to organizational success, rather than attempting to audit every minor operational issue.
The Ubiquity of Risk and the Challenge of Prioritization
The article begins by acknowledging a common sentiment among risk and internal audit professionals: "risk is everywhere." While this is undeniably true, the author, Norman Marks, argues against the impracticality of attempting to manage or audit every single potential risk. He highlights that even seemingly minor operational issues, such as fraud, health and safety incidents, or regulatory non-compliance, can indeed have significant reputational or financial consequences. However, the core challenge lies in discerning which of these myriad risks warrant top management attention and, crucially, internal audit's limited resources.
Shifting Focus from Exhaustive Lists to Enterprise Objectives
Marks contends that creating exhaustive risk registers that attempt to capture every conceivable risk is not only unfeasible but also counterproductive, rendering such lists unusable. Instead, he advocates for a more strategic approach centered on enterprise objectives. The key is to identify what needs to happen, and what must not happen, for these objectives to be achieved. This perspective moves beyond a rigid categorization of "strategic" versus "operational" risks, recognizing that any risk, regardless of its label, can significantly impact an organization's ability to meet its goals. The emphasis should be on understanding the likelihood of achieving objectives, given all relevant risks, and taking action when that likelihood becomes unacceptable.
Risk-Based Auditing: Maximizing Value and Impact
For internal audit, this philosophy translates directly into a robust risk-based auditing approach. Marks stresses that internal audit simply does not have the resources to audit every low, medium, or even all high risks. The most valuable contribution internal audit can make is by focusing its efforts on assessing the controls over those sources of risk that are most critical to the achievement of enterprise objectives. This strategic allocation of resources ensures that audit efforts are aligned with the organization's most significant priorities, delivering maximum value to the board and management. Any inability to address all high risks due to resource constraints should be transparently communicated to the audit committee.
Rethinking Risk Appetite and Decision-Making
The article also touches upon the concept of risk appetite, disagreeing with the notion that it is the sole foundation of risk management. Marks argues that the appropriate level of risk to take is dynamic, influenced by various factors including potential rewards, and is constantly changing. Instead, he posits that effective risk management is rooted in setting clear objectives and then engaging in informed, intelligent decision-making. This involves ensuring that processes for critical decisions effectively consider all related and significant sources of risk and opportunity. Ultimately, effective risk management is about integrating risk and opportunity into decision-making and periodically reviewing those that merit special attention.
Read more