Risk Based Internal Auditing - The New Approach

Introduction

The Institute of Internal Auditors defines Internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (2013).

Problem Statement

If you entered the Internal Audit profession twenty or thirty years ago you would not recognize the above definition of internal auditing. The fact is that Internal Auditing has changed significantly over the last decade. Much of those changes have been driven by new regulation and regulatory demands, new technology, new professional standards, globalization  new ways of working especially the need for collaboration as well as a more proactive, dynamic and risk based approach to auditing. The fact is that many career auditors need to re-tool, re-think and re-train to carry out their new expanded responsibilities effectively.

Previous Options

In the old traditional, conventional approach to auditing. Internal auditing was a compliance based activity. The traditional internal auditor armed with his checklists, standard audit tests and annual audit plan felt capable of providing assurance to management that internal controls were working effectively and that all assets had been safe-guarded. With the role of the internal auditor being redefined in line with the introductory definition above, more is needed for the Internal auditor to be able to help his organisation accomplish its operational objectives while improving the effectiveness of of risk management, control, and governance processes, by his objective independent consulting activity.

Clement Ashley Consulting's Solution

Clement Ashley Consulting recommends a Risk Based Internal audit approach that has a business focus rather than an audit focus. The Risk based approach should have a process forcus rather than a transaction focus, it should focus on improvement of risk identification rather than compliance for compliance sake. The risk based approach to internal auditing should use open questioning techniques rather than the traditional closed questioning. The mindest of the risk based internal auditor should be one of change facilitation to improve performance rather than policy adherence.The risk based internal auditor should see himself as a consultant rather than a policeman, if he holds himself accountable for performance improvement results, he will be seen as adding value and not as a cost center  this in turn will enhance his ability to move into other management positions. The risk based internal auditor should be more interested in the future than the past and therefore be more proactive and less reactive. The risk based internal auditor should focus on solutions rather than problems and hence major on performance rather than conformance.

Benefit 1

A risk based audit approach maximizes the use of scarce internal audit resources.

Benefit 2

Using the risk based approach you will have the ability to identify new and emerging risks that can affect achievement of your organisations goals and objectives.

Benefit 3

A risk based approach will force a prior implementation of enterprise risk management, which will directly improve organisational performance.

Benefit 4

The risk based approach to internal audit has the benefit of not only highlighting risks that are not properly controlled but also those that are over-controlled and thereby consuming scare organisational resources.

Summary

As Mike Thomas CIA says 'the risk-based auditing approach encompasses the attributes of business knowledge, macro-risk assessment, strategic audit planning, and detailed risk assessment necessary to effectively and efficiently deploy audit resources. If performed correctly, this approach will allow the internal auditor to focus on the areas of risk proportionate to the potential exposure to the company. The cycle of continually assessing risk, efficiently planning audit activities, and effectively performing, delivering, and reporting audit activities can result in overall lower risk to the organization at reduced cost'.

Author

Ijeoma Rita Obu is the managing Consultant of Clement Ashley Consulting and can be reached at  robu@clementashleyconsulting.org

Managing Risks Growing Businesses Face

Introduction

Growth (top-line) and profitability (bottom-line) are two major indices that define how well organizations are doing in pursuit of their strategic objectives and short term goals.

Business organizations achieve growth through organic or inorganic channels. Growth occurs largely via the development of a new product, creation of a new business line, mergers and acquisitions, increase in market share and direct expansion into a new market. In pursuing any, a combination or all of the aforementioned growth strategies business organizations face several risks. Typically organizations are faced with Macro-economic risk, Credit risk, Market risk, Reputation risk, problems associated with access to credit, social acceptance/corporate social responsibility risk, technology risk, political risk, geopolitical risk, Economic shock, etc. Effective risk management enables business organizations to successfully exploit business opportunities and contain threats. It does this by providing insights and assurances required to take advantage of profitable ventures.

Problem Statement

The risk management framework and practices that exist in most business organizations are not adequate to enable them to navigate to safety in times of trouble. The risk management culture, the governance and organizational structure, the design of the risk management framework, processes, policies and procedures, risk management tools, sophistication of risk identification and measurement techniques and skills available are not fit for today’s purpose and tomorrows expectations. This is evidenced by the impact of the recent global financial crisis. Systemically exposed business organizations are even more exposed. Business organizations need to embrace best practices to better prepare them for the rainy day.

Previous Options

Current practice in most business organizations is that risks are managed in 'silos'. Risks are also not managed in the context of strategy and objectives. Risk Management is often times seen as totally alienated from performance management. This means that each business line, group or division in an organization manages its strategic, business and operational risks independently, if at all.. A case of ‘’to your tents O Israel’’. Risks are therefore not managed centrally or in alignment with strategic objectives and so, many of the strengths an organization can build and the benefits of a centralized risk management do not accrue to such organizations.

Our firm, Clement Ashley Consulting provides a risk management framework that takes an enterprise-wide view of risk as against silo management. This approach is called Enterprise-wide Risk Management (ERM). Enterprise Risk Management implies that risk management is done at the enterprise level instead of at the business line, business group or business division level and so is centrally coordinated. Strategic, Business and Operational risks are therefore managed not independently but holistically at the enterprise level. For financial institutions that are regulated Economic capital is a must as against a purely regulatory capital limit. Risk assessment is done from time to time so as to reflect market realities. There is also frequent review of the application and suitability of the established process in order to identify gaps for improvement.

Our approach begins with a review of existing risk management process and framework in the organization with a view to modify existing framework and practice based on regulatory requirements, market realities, business needs and best practices.

Benefit 1

Clement Ashley Consulting's Solution is in concert with what regulatory and supervisory authorities and rating agencies demand and so enables business organizations to comply with regulatory and supervisory requirements. The framework which Clement Ashley provides is also in line with best practices world over.

Benefit 2

Risk aggregation at the centre provides the required knowledge about how risks interact, about risk concentration and the actual overall risk faced by the organization giving that some risks offset others while some reinforce others such that risk responses and controls provided are better targeted and therefore more effective compared to what can be achieved under silo management.

Benefit 3

Risk management is centralized in Enterprise Risk Management and so duplication is avoided and therefore cost is minimized. Central coordination also ensures that there is consistency in the risk management approach.

Benefit 4

Any thing that can prevent an organisation from achieving its objectives and targets (be they financial targets or otherwise) is a risk that must be managed. Enterprise-wide risk management therefore assists organizations meet and exceed their performance objectives and stakeholders expectations.

Implementation

Implementation involves assessing the effectiveness of the designed risk management process and framework. It includes checking how well risk responses and controls, early warning indicators, etc are working. If responses and controls are not effective then a further risk identification is required to identify any risks left that made the responses and controls ineffective. Implementation may be iterative. It is a real time and real life activity. It does not include any form of simulation. Implementation stage provides the opportunity to adapt the designed framework to market realities and at the same time maintain the desired robustness that allows it provide adequate safeguard. Implementation is usually done in phases in line with the priorities of the client.

Summary

Till date many organizations manage risks in silos. Today’s realities and tomorrows expectations make silo management utterly inadequate. Risk aggregation at the enterprise level allows for better responses and more effective controls in the risk management process. Beyond meeting regulatory and rating agencies requirements and other stakeholders’ expectations, enterprise-wide risk management reduces to the barest minimum chances of unexpected losses. Removal of duplication and the cost reduction that go with it make enterprise risk management a more cost effective way of managing risks.  

Getting the Right Staff for your Business

Introduction

Eighty percent (80%) of business success is tied to people. Recruiting the right people, motivating the right people, training the right people, retaining the right people while releasing the wrong ones is the key to your success. Many business under-perform because they do not know to do this or they can’t do it well.

Problem Statement

Current statistics say that the unemployment rate in the educated and productive age group of the Nigerian population is now close to 45%. With this large pool of job seekers one would assume that filling vacancies would be easy for employers and prospective employers. This is however far from the case. Due to the falling standard of education many young graduates are barely employable or are out-rightly unemployable. Another factor making life difficult for employers is the erosion of values and work ethics in the present generation. The get-rich-quick mentality means that many young people are not willing to put in the effort required to grow and improve.

Previous Options

Current practice in most business organizations is that when a vacancy arises, they turn to their HR manager or their HR consultant and ask for CV's. Many employers think that having a large pool of CV's to choose from directly improves their chances of finding the right candidate. This is not usually the case.

The high rate of joblessness in the market itself has spawned an industry helping job seekers window dress their CV's, to put their best foot forward. Many times a large pool of CV's only means a lot of man hours going through the pile and interviewing the prospective candidates only to discover that no one makes the grade.

Recommended Solution

I  recommend a recruitment approach that takes account of the problems identified above. At our firm we recognize that in reality there are never that many suitable candidates to choose from Our approach begins with understanding in great detail who exactly the man or woman for the job is. We recommend that you elicit a very detailed job description for each position and then make a very detailed and thorough man specification for each job description Armed with this you are now in a position to write a compelling copy for an advert that is geared to attract only the people who are actually qualified and discourage speculative job seekers. Having attracted the right targets, you should now put them through a thorough testing process to validate their IQ, work skills, job knowledge, emotional stability and personality fit for the job.

Benefit 1

Using this approach you greatly reduce the number of unqualified Cv's that you have to sieve through.

Benefit 2

Using this approach you will not get hood winked by a window dressed CV or a bogus qualification that was awarded but not earned or deserved.

Benefit 3

Using this approach you are able to identify and disqualify the people that seem qualified and even look good on paper, but who do not have the right attitude, personality type or motivations for the job content.

Benefit 4

Using this approach you are able to attract persons who are naturally motivated by your mission and vision and who naturally have goals that are congruent with that of your organisation. These kind of staff do not need external motivation to make them put in their best and your organisation is the better for it,

Implementation

Implementation involves designing recruitment policies and procedures that standardize these best practice methodologies .It involves recognizing what personalities suit what jobs and identifying the right tests to administer.

Summary

Hiring the right staff is the best thing you can do for your organisation. Jack Welch says 'Get the right people in the right jobs – it is more important than developing a strategy' The eighty-twenty rule recognizes that eighty percent of business success is tied to people but only twenty percent of organizations get it right. You can be part of that top twenty percent.

Do post a comment or a question and it will be answered in our next posts.

Managing Your Staff's Performance

Introduction

A plan is only as good as the paper it is written on, until it is implemented. Getting the right staff is the very first step but making sure that the right staff are doing the right things and doing them effectively and efficiently is another important task. Peter Drucker said that 'Plans are only good intentions until they deteriorate into hard work'

Problem Statement

Managing staff is one of the areas where entrepreneurs and smaller businesses seem to have challenges. Many supervisors know how to supervise tasks and jobs but they do not know how to manage performance. Walk into some organizations during appraisal time and you can cut the atmosphere with a knife, it is that tense. In some cases the appraisees are on tenterhooks and in as many cases, both appraisers and appraisees are afraid to face each other. This usually stems from the fact that the organisation has a goal setting process and an appraisal process but the two are not connected via a performance management process.

In some other organizations appraisal time creates no tension for appraisers and appraisees, both parties are pleased with each other but the corporate goals and objectives are not being achieved. This again is caused by the absence of a performance management process that is tied to the corporate goals and objectives.

Previous Options

In organization’s where a performance management process does not exist and where appraisal breeds tension, the tendency is to let appraisals slip. Where they still take place, nobody takes it serious and nothing is done with the results, it becomes a dreaded annual ritual with no meaning or value. In the other organizations where no tension exists, it is already a meaningless ritual, that will eventually become a tradition that no one questions.

I recommend a performance management process and system that aligns strategic goals to individual goals and appraisals. It will not be a perfect 'line of sight', but the relationship between the strategic objectives for which the staff member is partly or wholly responsible, and his personal goals for the period will be articulated and factored in.

This can be done in the following five steps;

1. Strategic Planning – In the first step the strategic plan will be developed and documented in a facilitated retreat
2. Strategic Mapping – In this step the organisation will identify the cause and effect linkages between the goals it wants to achieve and the actions it must take.
3. Performance control systems design- Having mapped the goals to the action steps or initiatives, these initiatives should be assigned to owners (staff members). Measures of success for achievement of those goals as well as targets, triggers, milestones, deadlines and review frequency should be developed for subsequent monitoring and control.
4. Performance Monitoring – According to the review frequency for each initiative, monitoring should take place with an emphasis on taking corrective action where triggers have been pulled or where targets, milestones and deadlines are behind.
5. Evaluation and Appraisal – At the designated cut-off period a formal evaluation and appraisal should then be carried out. Having completed the four earlier steps, nothing should come as a surprise to the appraiser or appraisee.

Benefit 1

Using this approach your focus is on corporate goals and objectives, providing the best possible environment for achieving them.

Benefit 2

Using this approach you will not get side tracked by everyday routines and lend up losing focus of strategic initiatives at goal setting, at implementation or at appraisal.

Benefit 3

Using this approach you are able to manage the perception of the process as one geared towards performance improvement as opposed to 'score giving' or 'score settling'.

Benefit 4

Using this approach you are able to energize staff who are daily in tune with corporate goals, that are aligned with their own individual goals. These kind of staff do not need external motivation to make them put in their best and the 'end of period appraisal' is one they can now look forward to with enthusiasm.

Summary

Implementing a performance management system and process for staff is one that avoids corporate surprises as well as individual staff surprises. The performance results at corporate and individual staff level will be closer to the plan.

Managing Risk Managing Performance - Two sides of the same coin

Introduction

When an organisation sets its vision mission and strategic objectives, it then develops a plan to implement the fore mentioned. A forward looking enterprise will also develop a performance management and monitoring system and identify Key Performance Indicators (KPI's). These KPI's, when monitored, tell management whether they are on track to meeting their objectives.

Problem Statement

The recent global crises sprung many surprises worldwide. Large organizations considered too big to fail have failed, or had to be bailed out, taken over or otherwise rescued. In most of these organizations the KPI's said the company was on track to meet and exceed stakeholder expectations, before the unexpected happened. The risks that their objectives would not be met, and that failure instead of success would be their result was never envisaged. This is in spite of the fact that all these organizations had an active risk management function.

The problem is that many organizations treat Performance and Risk as totally unrelated entities. Performance managers and risk managers sit at different ends of the building looking at different things, when they should all be looking at the same thing from two different perspectives.

Previous Options

In many organizations the risk management function is looking at the universe of known 'traditional risks' while the market and climate is changing dynamically, throwing up new risks not thought of before. If the company was exposed to traditional risks then traditional risk management would identify and manage it. If the company was exposed to 'new' risks then the organisation would only find out, after the fact of failure. Many organizations do not know that they can predict the risks that they will run, even in situations of uncertainty.

Clement Ashley Consulting's Solution

Clement Ashley Consulting recommends an enterprise-wide risk and performance management process and system that aligns strategic goals to 'performance' as well as 'risk'. It will not be a perfect 'line of sight', but the relationship between the strategic objectives the organisation wants to achieve and the risks it runs including new risks that it may run, are identified and managed in one unified performance and risk management process. For every objective and initiative there will be both Key Performance Indicators (KPI's) and Key Risk Indicators (KRI's).

This can be done in the following five steps;

1. Strategic Management and Enterprise-wide Risk Planning In the first step the strategic plan and enterprise-wide risk management plan will be articulated,and developed and documented as a result of a facilitated retreat
2. Strategic Mapping – In this step the organisation will identify the cause and effect linkages between the goals it wants to achieve and the actions it must take. It will also identify the risks that it runs in achieving those goals as well as the cause and effect linkages between those risks and the risk drivers.
3. Performance and Risk control systems design- Having mapped the goals to the action steps or initiatives, these initiatives should be assigned to owners (staff members). Measures of success for achievement of those goals as well as targets, triggers, milestones, deadlines and review frequency should be developed for subsequent monitoring and control. In addition identified risks will be assigned to risk owners. Measures for managing those risks as well as targets, triggers, milestones, deadlines and review frequency should be developed for subsequent monitoring and control.
4. Performance and Risk Monitoring – According to the review frequency for each initiative and/or risk, monitoring should take place with an emphasis on taking corrective action where triggers have been pulled or where targets, milestones and deadlines are behind. The risk monitoring results should update the risk logs.
5. Evaluation and Appraisal – At the designated cut-off period a formal evaluation and appraisal should then be carried out. Having completed the four earlier steps, nothing should come as a surprise to the organisation, risks would have been managed within tolerance limits and performance would have minimal variances from plan.

Benefit 1

Using this approach your focus is on corporate goals and objectives, providing the best possible environment for achieving them, while managing and mitigating enterprise-wide risks.

Benefit 2

Using this approach you will have the ability to identify new and emerging risks that can affect achievement of your goals.

Benefit 3

Using this approach you are able to streamline resources and avoid duplication of effort.

Benefit 4

Using this approach you are able to take advantage of uncertainty and even exploit risk, for improved performance, to the organization's advantage.

Summary

Managing performance and risk together in a holistic fashion, drastically reduces cost, increases focus, maximizes results and gives the organisation a strategic competitive advantage over its peers, that manage risk and performance in separate silos.