Tag Archives: internal audit

Who Should Manage the Risk Manager?

A while back I recorded a short video on the topic of risk management organizational structure in a non-financial company. In the video I discussed various options for the risk manager’s place in the overall organizational structure. Since there is really no single right answer, a few common options include: reporting directly to the CEO, reporting to the Board or Audit Committee, reporting to the CFO or the Head of Internal Audit, and so on. You probably already have a personal preference. I hope this article will help you to rethink it.

It really doesn’t matter…

The first conclusion I make in the video is that it actually doesn’t matter where the risk manager sits as long as two important criteria are met:

  • Direct access to decision makers – risk managers must be close enough to the decision makers to be able to support the risk management integration into business processes and decision making and be able to reinforce risk management culture. This requires some level of seniority to be able to participate in the decision making and reach executives or Board members when required.
  • Access to information – risk managers need unfiltered access to various sources of information, including internal audit findings, IT data, production data, financial and accounting information, compliance data and so on. This requires good relationships with key information owners and established communication channels that allow risk managers to use corporate data for risk analysis on a daily basis. The second criterion is the most important in my mind.

As long as these two criteria are met, the risk manager will be able to fulfill his role almost anywhere within the organizational structure.


…but it helps to sit with Internal Audit

My personal experience includes reporting to the Head of Strategy, the CFO, the CEO, the Chair of the Audit Committee and the Head of Internal Audit. And while it’s unique to every organization and does depend to a large degree on the personal relationship with the supervisor/sponsor, I found that sitting together with Internal Audit makes perfect sense, because:

  • Internal audit doesn’t own many risks, so there is less pressure on risk managers to withhold information or exclude data from risk analysis. The opposite case is reporting to a CFO: the finance department originates and owns a lot of risks. I have come across companies where risk managers who reported to the CFO were pressured to exclude financial risks from the analysis or were prevented from integrating risk analysis into financial business processes.
  • Internal audit has a direct communication channel with the Board and the Audit Committee. This helps to integrate risk management into strategic decision making.
  • Access to financial and operational company data. Internal auditors usually have full access to company data and facilities, which is invaluable when performing timely and accurate risk analysis.
  • Access to audit findings, non-compliances, control weaknesses and so on. Internal audit is a gold mine of data that can significantly improve the quality of risk analysis. I was very fortunate to be able to communicate with Internal auditors on a daily basis. Their input helped me dramatically improve my risk analysis and hence improve the quality of the overall decision making in the company.
  • Risk management can also improve Internal audit planning and auditing procedures. The relationship works both ways.
  • Higher ethical expectations from Internal audit.

There are of course arguments against having risk management and internal audit in one department. I am sure you have thought of a few right now. Most of them are not real. I encourage you to write your arguments for and against in the comments below and I will try to respond to each one.


Lack of independence and conflict of interest are usually quoted as the main logic for separating risk management and internal audit. I find this quite naive: first, to seriously think Internal audit is truly independent is a bit of a stretch, and second, lack of independence with risk management in particular is literally the least of an Internal auditor’s problems. I summarize my thoughts on the 3 lines of defense in the following video:

Please comment, share and like.

How Much Cyber Risk Should You Take?

I have been spending a fair amount of time over the last few months talking and listening to board members and advisers, including industry experts, about cyber risk.

A number of things are clear:

  • Boards, not just those members who are on the audit or risk committee, are concerned about cyber and the risk it represents to their organizations. They are concerned because they don’t understand it, or the actions they should take as directors. The level of concern is sufficient for them to attend conferences dedicated to the topic rather than relying on their organizations.
  • They are not comfortable with the information they are receiving on cyber risk from management – management’s assessment of the risk that it represents to their organization; the measures management has taken to (a) prevent intrusions, (b) detect intrusions that got past defenses and (c) respond to such intrusions; how cyber risk is or may be affected by changes in the business, including new business initiatives; and, the current level and trend of intrusion attacks (some form of metrics).
  • The risk should be assessed, evaluated and addressed, not in isolation as a separate IT or cyber risk, but in terms of its potential effect on the business. Cyber risk should be integrated into enterprise risk management. Not only does it need to be assessed in terms of its potential effect on organizational business objectives, but it is only one of several risks that may affect each business objective.
  • It is impossible to eliminate cyber risk. In fact, it is broadly recognized that it is impossible to have impenetrable defenses (although every reasonable effort should be made to harden them). That recognition mandates increased attention to the timely detection of those who have breached the defenses, as well as the capability to respond at speed.
  • Because it is impossible to eliminate risk, a decision has to be made (by the board and management, with advice and counsel from IT, information security, the risk officer and internal audit) as to the level of risk that is acceptable. How much will the organization invest in cyber compared with the level of risk and the need for those same resources to be invested in other initiatives? The board members did not like to hear talk of accepting a level of risk, but that is an uncomfortable fact of life – they need to get over it and deal with it!

The National Association of Corporate Directors has published a handbook on cyber for directors (free after registration).

Here is a list of questions I believe directors should consider. They should be asked of executive management (not just the CIO or CISO) in a session dedicated to cyber.

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk and so on) and not just “IT-risk”?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity, and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce risks by signing up for new cloud services?

I welcome your thoughts, perspectives and comments.