Blogs Mike Jacka, CIA, CPA, CPCU, CLU Feb 22, 2019
I thoroughly enjoy doing just that, turning the tables on internal audit departments. In fact, it is a part of the sessions I lead on process improvement — applying process mapping and customer mapping techniques to internal audit processes.
Well, it seems there is another opportunity for all you internal audit shops out there.
In April, I’ll be facilitating The IIA’s “Fundamentals of Risk-based Auditing” seminar in New York, and I’ve started going over the materials. Within those materials is an exercise related to how organizations develop risk appetite statements.
Now, I believe internal auditors struggle with the concepts of risk appetite and tolerance. (Actually, I think most organizations, while giving lip service to it, don’t really know how to effectively articulate it. Actually, I’m not sure many give lip-service to it. But I promised myself that, since this is a Friday post, I’d make this short, so I’ll stop this sidetrack in its tracks.)
Anything internal auditors can do to enhance their understanding on this subject is a good thing. So, here’s a fun little task for you — an exercise that, through a set of relatively simple questions, allows each of us to not only enhance our understanding of risk appetite, but actually experience real-world application of the concepts and techniques.
First, do you even understand what the risks are to the internal audit department achieving its objectives? (I find very few departments have actually thought in terms of risks to achieving internal audit’s objectives. That’s assuming they have either articulated or can even state their objectives.)
Second, does the department understand how it will take on or avoid risks to achieve the desired objectives? (Again, few internal audit departments think in terms of the way their department responds to risks and what the actual controls within the department are.)
Next, is that acceptance of risk measurable? Does the department know when it is taking on additional risk — let alone whether it can handle it — and how much it is willing to accept?
Finally, can the department articulate its appetite for risk to the point where everyone in the department understands and can state it? And from that, do they understand how to react as situations change and the type and impact of risks change?
If you have actually gone through this exercise, or decide to do so now, I would be very interested in the results. Feel free to share them.
But for everyone else, take the time. As with so many other areas, how can we begin to expect people to accept what we have to say about a subject when we haven’t even subjected ourselves to that scrutiny. The best way to understand what we are preaching and then forcing down everyone’s throat is to do some force-feeding to ourselves.