Internal auditors like to consider themselves risk experts. And discussions about risk, uncertainty, and the relationship between the two should be our bread and butter.
However, we may fail at this more often than we suspect. For example, at the most basic level, many of us do not even know what we are talking about. The words we use flow without us really understanding what we are saying. Allow me to pose a relatively simple question regarding a very basic risk concept.
An organization has established the objective “We will make a profit.” Yes, I know it isn’t the most perfectly worded objective, but it will do for our purposes. Next, let’s say that the organization, in its extensive and exhaustive research regarding risks to that objective, starts with a basic statement: “The primary risk is that the organization will not make a profit.” (Again, not perfectly worded, but you get the point.)
Show of hands: how many think it is a risk? Show of hands: how many think it is not a risk? Show of hands: how many of you didn’t raise your hands because you didn’t think I could see you? (Many of you seem to have forgotten to place the tape across your computer’s camera lens. Just saying.)
Based on the results I get when I drum this conundrum during presentations, 50% of you are wrong.
“We do not make a profit” is not a risk. Quite simply, a risk cannot be the opposite of an objective. (Go ahead, look it up.) But half of the individuals in our profession — young or old, new or experienced, junior auditor or chief audit executive — get this wrong. We call ourselves experts, yet we have trouble with the most basic concepts. We can’t even define risk correctly.
But, let’s move beyond the fact that we may not even know what we are talking about. Let’s dig deeper and look at the assumptions and misunderstandings we apply in real audit work.
(And, at this point, a quick caveat. I am probably out of my depth here. I have a basic understanding of risk and related stuff, but that doesn’t mean the interpretations contained herein are right. Feel free to correct me on any of this.)
Given: Risk is the possibility of an event happening that will impact objectives. Therefore, we cannot know if a risk is worth worrying about until we have some understanding of the possibility the risk will occur. Anything that cannot be understood (ideally, quantified) is uncertainty. Uncertainty leads to unknowable probabilities. And, when there is too much uncertainty, our grasp of the actual risk is tenuous at best and we cannot determine the impact on objectives.
We probably all know this, but do we lose sight of it as we work our way through our work and audit our way through our audits? To find out, let’s look at the most basic but problematic process within internal audit, report writing.
You are pulling together your report and are about to broach the writing of one of the issues to be contained therein. (Let’s skip the fundamental error that much of this should have been accomplished well before the report writing stage. I’m on a roll and don’t want to be stopped.) Because it is a requirement within your department (not to mention that it is part of the Standards), you will include the impact/consequence related to the issue.
Easy peasy. The impact is obvious — loss of money, inefficiencies, brand degradation, any of the full set of impact arrows we have in our report-writing quiver. You write it up and blithely wend your way to the report’s finalization.
But let’s back up and take a closer look. How much thought has been given to how those impacts relate to the risk assessment that got the whole audit started? Does anyone take the time to make sure that the story we tell at the end of the audit matches the one we promised to tell in the beginning? And what would happen if we did look back?
I have no conclusive evidence — just gut feel and what I’ve seen from a number of years being an internal auditor — but I think if we were to look at our impact statements in light of the risks identified at the beginning of the audit, we would not be able to see how we really got where we wound up.
Let’s watch it happen.
A risk assessment is completed using all available information. Some of that information may not be as complete as we would like, but we work with it anyway. Yes, there is some uncertainty. But we make up for it by getting even more information, using our past experiences, and relying on good, old-fashioned, gut feeling.
(Note that this isn’t as far-fetched as it sounds. I have yet to see a risk assessment that did not include a weight, measure, or other criteria that was simply gut feel. It may have had some other name, but, ultimately, it was the gut feel of the person responsible for the final document. Look at yours and see if you don’t agree.)
So, we work with that risk assessment and we determine where to spend our time. The uncertainty already built into the risk assessment begins to grow as uncertainty builds on uncertainty. “We have to test this area,” “There’s always a problem here,” or “Let’s not waste our time there” — every decision made with nothing more than a whim and the hubris of absolute belief in our experience.
Based on all of that, we talk and test and document and come up with something. And we write the issue. And then we have to have an impact. And the uncertainty reaches a new crescendo, all because we have ignored how much uncertainty has crept into the process.
Do you have enough information to say what the impact really is? And, if you come up with an impact, does it have any bearing on the original risks? If not, how did this even get tested? And, with the risk in mind, how likely is it that, given the condition, that impact will really occur? Or, are you so adamant that the issue needs to be fixed that you are reaching for a worst-case scenario? Are you looking for reality or a headline? And how much of all of this is based on probability and how much on uncertainties?
I may be jumping to conclusions here. Such may not be the case for many of you. Or it may even be I’ve underestimated the entire profession. But, as I look back at work I did, managed, and consulted on, I have not seen anyone literally go back to those original risks. And the most cynical part of me wonders if this is because we know a match does not exist.
I beg and plead for you to show me I’m wrong. (I’ll even take your word for it.) But if you haven’t taken that look back — if you haven’t made the comparisons — take a closer look to make sure that uncertainties are not driving your final product.
And, one other thing, make sure you even understand the words that are coming out of your mouth.
And, that was going to be all I had to say and type about that. But then something else about uncertainty and risk raised its ugly little head. So, within the next couple of blog posts, expect a little more on the subject as we explore how all this applies to the real world.