If we learned anything from the global financial crises of 2008, it was this: When boards of directors fail in their oversight responsibility of risk management, the results can be disastrous.
Managing risks for an organization is a complex and often dynamic undertaking that requires strong coordination among the board, management, and the internal audit function. Identifying and mitigating risks through a sound risk-based internal audit process benefits all organizations, from mom-and-pop businesses to Fortune 500 corporations.
Failure to do so invites almost guaranteed problems at some level of the organization. It also can present a profound dilemma for the organization’s internal auditors who serve both management and the board.
COSO’s Enterprise Risk Management–Integrated Framework explicitly states that organizations must embrace risk in pursing their goals. The key is to understand how much risk they are willing to accept. Creating a clear articulation of an organization’s risk appetite — the amount of risk an organization is willing to accept in pursuit of value — is a fundamental aspect of effective ERM. It is probably one of the most important interactions between the board and management.
I liken the process to the board painting lanes on a highway. The board has essentially said to management, “Here are the lanes to follow. Stay within these lanes.”
But what happens when management intentionally veers from the established risk appetite and, worse, misleads the board about the real risks associated with a particular behavior or business strategy? What happens when management goes rogue?
It should be acknowledged that, at times, an organization can inadvertently swerve outside the risk appetite lanes. For example, a big challenge is managing risk across several business units. Let’s assume, for example, that an organization has delineated and clearly communicated its risk appetite to its staff, but business-unit owners take the maximum risk within that appetite. In aggregate, they may exceed the overall level of acceptable risk for the enterprise.
Clearly, internal audit must be vigilant in helping to provide assurance to management and the board on the overall effectiveness of risk management, and an eye should be kept on whether risks that are being taken are outside the acknowledged or agreed-upon risk appetite.
But that is not what I’m referring to when I describe management going rogue.
I’m talking about management deliberately taking on risks that are clearly beyond the established risk appetite, perhaps motivated by an incentive tied to short-term performance.
When management goes rogue, it is intentionally taking on risks that are not agreed upon by the board, or of which the board is not aware. Perhaps it is not telling the board, or it is misrepresenting how extensive the risks are. In those instances, internal audit is in a difficult position because it has an administrative reporting relationship to management and a functional reporting relationship to the board. Ultimately, however, internal audit has an obligation to the board to highlight any improper risks.
An internal auditor in this position faces a tough question. Do I blow the whistle, fully understanding that I’m likely to annoy the CEO and others — and that it could cost me my job?
The International Standards for the Professional Practice of Internal Auditing (Standards), is very clear on this point: Standard 2600: Communicating the Acceptance of Risks states:
“When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.”
While the primary purpose of Standard 2600 is to address resolution of disagreements between internal audit and management over internal audit results, I believe that it also provides internal auditors with the mandate to ensure the board is aware of management actions involving “unacceptable” levels of risks.
I have always felt that conformance with this standard requires a degree of courage on the part of a CAE. After all, you might well be taking a point of disagreement with your administrative boss (the CEO or chief financial officer) to your functional boss (the board) for resolution. What I consistently convey to those who aspire to reach the top of their field is simple: If you don’t have courage — that is, if you are not willing to do what absolutely needs to be done under any circumstances — then don’t become a CAE. Don’t take on this role.
Clearly, any conclusion that management is operating outside established boundaries should be reached only after thorough examination. But once you’ve made such a conclusion, don’t let management dissuade you from making your case.
Also understand that every instance of rogue behavior may not be overt. It isn’t always black and white. They pay us for our judgment, as well. If all they need is for someone to tell them that something is black and white, you don’t need an internal auditor. A good software program or inspector can do that.
An internal auditor is capable of distinguishing additional shades.
What are your thoughts on this subject? I encourage you to share them here.