A risk management audit may spur new ideas and prompt improvement in how risks are managed
By Joe Underwood
27 February 2017
If a separate risk management department does not exist, the role of internal audit in risk management is even more important as fewer resources are dedicated to the process of identifying and evaluating risks and ensuring appropriate risk responses are intact. With this in mind, here are five ways organizations can benefit from having internal audit evaluate the risk management function.
1. Future internal audit plan ideas
When developing top-down, risk-based internal audit plans, there is usually no better place to start than with looking what your risk management function has identified as key risks, especially if your company has an enterprise risk management (ERM) program. Such programs usually involve periodic risk assessments that identify and assess emerging or critical risk issues. The board or senior leadership establishes risk appetite and tolerance, and risk owners are engaged in discussion about how risks are managed and monitored.
The dialog from these ERM processes can surface many areas where controls are weak or non-existent. Ideally, internal audit should participate in the risk assessment process during interviews with risk owners, or at a minimum, review key deliverables. These can be instructive in developing more detailed audit projects when warranted.
2. Ensure black swan events are adequately managed
Most risk management functions deal with events that could seriously threaten the organization if not handled properly. Insurable risks include natural catastrophes, supply chain disruptions, industrial accidents, occupational illness or injury, acts of maliciousness or violence, data breaches, multi-party casualty events, product liability and recall expenses, employment practices liability, management liability (including unethical practices), protection of key persons from travel risks, and many others.
Many of these events are high-impact and low-likelihood. In other words, while the stakes are high, the probability is low that most will ever occur. This is a good thing, but it creates a greater need for objective assurance. There are no test runs. Risks can be neglected for long periods of time and no one will know. If protection against a catastrophic risk is not in place the first time around, there may be no next time.
3. Applying the highest level of objective assurance to address key risks
Due to time constraints and short-term financial pressures, mid-level executives often discount the need to manage certain risks because they have never experienced one. However, a single career is a small statistical sample. It is important to look more broadly at the risk issue.
For example, a property in a 100-year flood zone is determined to have a 1 percent chance of loss in any given year. Yet multiple lifetimes could pass without that property experiencing a flood. Or, multiple floods could occur within a short period. Risk is uncertainty, and if the consequences of an event are not tolerable, one must stay protected at all times.
Chief audit executives understand the dilemma of working with limited data, and are versed in how to obtain objective input from outside resources. Modern boards count on internal audit to provide objective assurance, not only on financial risk issues, but also on the soundness of the overall risk management process.
4. A fresh look to keep pace with organizational change
Organizations often grow, expand their geographic reach, introduce new product lines or services, add new sourcing or distribution channels, or introduce new technologies. It is important for those managing risk and insurance programs to occasionally take a step back and examine why things are the way they are, and whether they are still optimal. Sometimes the best way to encourage that level of critical thinking is to prompt it through an internal audit.
Seasoned risk management professionals understand the importance of obtaining independent perspectives on their work. They recognize that they can become entrenched in the day-to-day and that everyone is subject to human error. An audit can promote fresh thinking and can bring about significant improvement or address previous blind spots. An audit may also highlight that the function is under-resourced and add support to a risk manager's request for additional resources.
5. Verification that insurance policies actually provide the coverage expected
In most business negotiations, terms of the agreement are fully documented when the deal is made. Not so in the insurance industry. With few exceptions, many months pass before the buyer sees the final insurance policy purchased. Renewal proposals are frequently delivered just days before the renewal effective date, leaving little time for meaningful review. Unless requested, specimen policy language is often not provided. And seemingly innocuous policy exclusions could be listed on the proposal, with the actual policy language encompassing a broader array of matters than the endorsement titles suggest.
It is common for insurance buyers to assume that they can transfer responsibility to a broker to secure appropriate insurance to protect their businesses and verify that policies are issued in accordance with negotiations. However, unless special circumstances are created, the broker usually has little obligation other than to place the coverages directly requested. Some broker agreements even require that clients review their policies and inform the broker of any errors within a set time frame.
Put risk management on the audit plan
If you have not already audited your organization's risk management function, add it to your internal audit plan in 2017. You may find a new project idea, prompt meaningful improvement in how key risks are managed, and find opportunities to improve insurance coverages. Organizations can only stand to benefit when their internal audit team proposes solutions focusing on key risks.
Joe Underwood is a Principal with Albert Risk Management Consultants where he provides risk management and insurance advice without selling insurance. He is also the Founder of Visualize Risk, which offers a Sharepoint-based risk register and heat mapping tool.