A Variety of Risk Responses
There are four common risk response types: avoid, share or transfer, mitigate, and accept.
Avoid In some circumstances, the risk is so significant that management will decide to avoid the risk entirely. A good example of avoidance would be to completely disengage from a market due to geopolitical instability in a region of the world.
Share/Transfer Sometimes organizations choose to share or transfer risk with/to another party. This may be done by purchasing insurance policies or by forming business arrangements, such as joint ventures or other partnerships. A share or transfer risk response can be a good option when the other party has specific risk management competencies, such as familiarity in a particular geographical market (e.g., a U.S. based company that wishes to expand in a Latin American market).
Mitigate When risk management practices break down, new risks emerge, or risk profiles shift, mitigation often is an appropriate risk management strategy. Mitigation involves creating controls — or improving existing controls — to close a control design or execution gap. Mitigation tends to be the risk response internal auditors most frequently recommend as a course of action related to an audit observation. At times mitigation may be overused when other risk response types are better.
Accept Risk acceptance is used when other risk response options are unavailable or not optimal. Simply put, risk acceptance is a status quo risk response. Risk owners acknowledge the risk exists but "accept" the risk with minimal response. If the cost of other risk responses exceeds the value that would be gained, a risk acceptance strategy may be appropriate. While it may seem like a passive risk management strategy on the surface, to optimize risk outcomes — especially when risk is assessed as moderate or high — risk acceptance decisions may require active management.
A Real-life Risk Acceptance Story
A real-world example demonstrates how internal audit can actively guide management's effective use of risk acceptance to help organizations achieve the best risk management outcomes.
When I was working as an internal audit manager, I served alongside a couple of other managers, including our IT audit manager. I recall commiserating with the audit manager on occasion about troubles he had with his audit clients and getting them to provide timely action plans for audit recommendations. He complained that deliberations about audit observations and their associated recommendations sometimes dragged on for months after audit fieldwork was complete. Often, the delay was a result of hastily crafted action plans that did not address the risk at hand.
At some point, the IT department became aware of the "risk acceptance" approach to action plans and latched onto it with great enthusiasm. IT staff reasoned that if they just accepted the risk, the IT audit manager would have to defer to their judgment and risk response preference. Once word about the risk acceptance option got around within IT, this approach became almost the default standard and was used more frequently than the audit manager was comfortable with.
Fortunately, the manager is an auditor's auditor. Sensing an abuse of the system, he met with our CAE, and together they crafted a process to deal with risk acceptance responses that resulted in much more rational outcomes.
The process they created hinged on management ensuring that when risk acceptance was the risk response of choice, key stakeholders were informed of and agreed with the decision. The risk acceptance process involved a formal document that was circulated among stakeholders outlining the issue, internal audit's risk assessment, management's decision for risk acceptance, and whether internal audit was in agreement with management's decision. In addition, if internal audit disagreed with management's risk acceptance response, auditors would articulate their reasoning.
For moderate assessed risks, the document would be circulated to the business unit leader for approval and signature. For high assessed risks, the document was circulated to the CEO for approval and signature. The risk acceptance document was attached with the final formal audit report and was shared with the audit committee.
This process changed IT management's position on the use of risk acceptance responses. As a result, the frequency of risk acceptance dropped considerably. Moreover, the process ensured that key stakeholders across the organization were aware of when risk acceptance was the chosen response and had the opportunity to dispute or concur with management's decision.
Actively Managing Risk Acceptance
Choosing the optimal response and follow up is critical to optimizing risk outcomes, which is the goal of risk management. While risk acceptance may at times appear to be a passive response, organizations should take a more active approach when risk acceptance relates to higher assessed risk. Likewise, risk acceptances should not simply end the discussion of risk response once the final audit report is issued. Instead, management should continue its risk management responsibilities by monitoring issues corresponding with risk acceptance responses when the risk assessment is high.
In its third-line position, internal audit can partner with management to ensure appropriate visibility of the issue over time in case there are changes affecting the risk. Depending on how the risk evolves and changes over time, management may need to adjust the risk acceptance response. Internal audit can help management determine when a different risk response may be warranted.
Get Comfortable with Acceptance
Some internal audit functions tend to shy away from advising audit clients and other stakeholders about the option of risk acceptance. Stereotypically, auditors tend to be risk-averse and more in favor of risk responses that reduce risk to the organization.
Yet, internal audit shouldn't be afraid to recommend risk acceptance when it's the right thing to do. A thoughtful and active approach to risk acceptance should be part of auditors' risk response guidance. Insisting on mitigation, when risk acceptance is the only practical response available, can damage the audit function's reputation and diminish its value proposition.