Groundbreaking IIA Report Could Reshape Views on Risk Management

Blogs Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA Oct 15, 2019

Boards, executive management, and internal audit leaders must be aligned in their approach to risk.

Against a backdrop of numerous high-profile corporate scandals, boards of directors around the world are facing increasing pressure to perform. Activist investors, changes in technology, and increasingly aggressive regulations are bearing down on corporate leaders like never before, and the dynamics of macroeconomics and geopolitics only add to their complex challenges.

The seemingly overwhelming task of operating a modern corporation can be greatly eased, however, by competent and creative executive management, strategic risk management, and independent assurance from internal audit. Yet, this tried-and-true formula for successful corporate governance often fails when the key players aren't aligned or, worse yet, have conflicting agendas.

Therefore, it is vital for organizations of all sizes and in all industries to have boards, executive management, and internal audit leaders who are aligned and harmonious in their approach to leveraging and managing risk.

In the nearly 11 years that I have authored Chambers on the Profession, I have introduced and promoted many important pieces of thought leadership from The IIA. Today, I'm excited to announce a new flagship report I believe could have a monumentally positive impact on the quest for good governance.

OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk is an innovative and insightful research report that promises to change the way organizations view and understand risk. It brings together, for the first time in one report, perspectives from the three key players in risk management — the board, executive management, and internal audit.

Through qualitative and quantitative surveys of these key groups, OnRisk 2020 offers an important glimpse into how they align on 11 key risks facing organizations in 2020. The findings paint a picture of risk management that is at times hopeful and at times ominous.

One of the report's findings should be particularly troubling. Analysis of the data from the two surveys found boards are consistently overconfident about their organizations' ability to manage risk. Frankly, I was not surprised by this finding. It confirms a view I have articulated in previous blog posts about boards being too lenient on executive management.

It is logical to assume that executive management will put its best foot forward when reporting to the board about risk management efforts. If boards do not exercise a healthy dose of professional skepticism about what they're hearing, a skewed picture of the organization's risk management capabilities can easily develop in the minds of board members. The findings in OnRisk 2020 appear to bear this out.

Last year, one of my blog posts asked the question, Is There Too Much Civility in the Boardroom?
From the post:

My examination of high-profile governance failures in recent years has convinced me that, far too often, ineffective board oversight is at the root of corporate scandals. Too many boards are reluctant to question management. Too often, boards are content to say, "We hired a great CEO. We're going to step back and let him or her do their job."

I often wonder if there may simply be too much civility in the boardroom. I am not suggesting the boardroom equivalent of a "food fight," but board members have an obligation to bring professional skepticism to their roles. They must be willing to ask probing questions, challenge management assumptions, rock the boat, if necessary, and, frankly, risk their future on the board.

This finding in OnRisk should raise a red flag about how boards build their views on capability, and how this affects decisions that drive risk strategy.

A second finding from the report was also particularly troubling for me. A significant majority of respondents downplayed the dangers of misaligned views on risk management capabilities. Indeed, some viewed a level of misalignment as healthy. I think this dangerous attitude is born from the idea that the board does not need to "know everything." This seemingly benign attitude, I believe, is at the heart of many governance failures.

From an internal audit perspective, these findings and others in OnRisk 2020 should be viewed as a call to action. Heads of internal audit are obligated to speak out when risk management efforts are inefficient or ineffective, and misalignment among key players clearly impacts efficiency and effectiveness.

I could go on sharing additional information from OnRisk 2020, which offers considerable insights and valuable recommended actions. Instead, I encourage you to download and share the report with your boards and executive management.

I'll close with one of the report's most important calls to action: Organizations should review the analysis and recommendations related to each of the 11 key risks in OnRisk 2020, then conduct similar reviews of the knowledge and capability perspectives among their own boards, executive management, and chief audit executives. This exercise will identify areas of misalignment and help organizations make important corrections on their journey to good governance.

Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA

Former president and CEO of The IIA, the global professional association and standard-setting body for internal auditors.