Having robust Internal Audit (IA) and Risk Management functions within an organization is essential to a strategy’s successful execution. However, there are increasing signs that IA and Risk Management need to work much more closely together. A new KPMG study found some startling issues for both the risk and IA communities.
For Risk Management, strategy execution is being threatened because:
- Only one-third of companies felt that their Risk Management programs were robust enough to keep up with the changing risk environment.
- Only 52% of board members were satisfied that management had identified the risks to business growth.

This is a bit startling since a McKinsey study a few years ago found that it was the CEOs who felt that the board did not understand the company’s risks. So, neither the board nor the CEO is comfortable with one of the most important oversight responsibilities of the board.

For Internal Audit, a strategy’s successful execution is being undermined because:
- Less than one-half of companies felt that IA delivered real value to the company – and most likely due to an overemphasis on compliance versus execution.
- About one-half do not believe that IA properly focuses on the company’s strategy.

The real issue is that both IA and Risk Management exist to not only find problems, but also to recommend changes – “opportunities” – that could benefit the firm. However, according to Archie Thomas, a consulting IA and former Chief Audit Executive, many IAs do not understand the strategy of their company. Thomas believes that internal auditors should be attuned to the strategy since they should be evaluating how well the company has done at implementing that strategy. This, he sees, is a major gap in IA.
We’ve heard the same issue from risk managers we know. They note that many risk managers are more focused on compliance or “checking the box” than they are on strategic risk, which has been found to account for nearly 70% of risks and which causes the greatest loss of value.
We believe that it is time that IA and Risk Management begin to work more closely together, or we may see companies make some rash organizational changes that negatively impact both functions and further impair a company’s ability to identify and mitigate gaps in its strategy’s execution. Already in Australia, about 65% of companies have either linked IA and Risk under a common executive or put IA under Risk Management. This is too new to know what the implications of such changes might be.
As we’ve noted previously, the Audit Committee should be asking both IA and risk management to provide a strategy execution audit in addition to their normal work. Also, since there seems to be discontent with what each group has been doing independently, we believe that an alignment council of IA and Risk should be formed to determine how they could better work together to meet the needs and demands of both the board and top management.