Anyone who has really managed risk will know there is a difference between doing what is convenient and doing what is necessary. It is very unlikely that all risks will fall into neat categories such that there is always somebody in the business with the right job description, objectives, experience, training, skills, resources and tools to deal with each risk. Most ambitious employees are fully aware of the extent to which managing a risk can be a distraction from meeting the targets that will actually determine whether they receive the pay rise or promotion they covet. Much is said about ‘tone at the top’ but it is easy for senior managers to be hypocritical about risk: they may say they want risks to be mitigated, but will then reward behaviors that exacerbate risks or are negligent towards them. This leaves employees in the uncomfortable position of deciding whether to do what is best for themselves (in other words, pleasing their boss) or what is best for their business and its customers (in other words, taking risks seriously).
The divergence between what managers say about risk and the way they behave in practice explains why so many corporate risk registers become flaccid lists that are routinely ignored. It also explains the growing rift at the top of the internal audit profession, where passionate and articulate champions of risk management are increasingly challenging the leaders of the Institute of Internal Auditors (IIA). Critics of internal audit conventions surrounding risk have long been ignored, but now some of the most prominent thought leaders on risk management and internal audit are barely able to hide their anger and frustration at the protracted failures of their peers. Foremost amongst them is Norman Marks, who recently eviscerated the IIA’s latest report on risk management.
Now we have a new report from the IIA that cements their feet in the concrete of failure. Yes, failure. Risk management practices are not seen by executives as contributing to how they make decisions and run the business. As a result, they don’t participate with enthusiasm or provide the resources risk practitioners need.
The marketing blurb says that the report “will change the way organizations view and understand risk”. Wrong!
Marks cannot be as easily dismissed as some of the other outspoken critics of conventional wisdom relating to risk management. He was the Chief Audit Executive of a series of global corporations, the author of nine books including the IIA’s guide to Sarbanes-Oxley Section 404, is a Fellow of the Open Compliance and Ethics Group, an Honorary Fellow of the Institute of Risk Management and was inducted into the IIA’s American Hall of Distinguished Practitioners in 2018. When Marks says people are failing to manage risk properly, then other people are guaranteed to listen. And he has a lot to say about the way the internal audit profession is failing to understand its role in managing risk. Here is a brief summary of the flaws he has identified with OnRisk 2022, the new risk management advice issued by the IIA.
- It focuses too much on C-level execs and Chief Internal Auditors to the detriment of full-time risk managers and other operating managers who make risk-related decisions on a daily basis.
- Managers should anticipate risks whilst the role of internal auditors is to highlight if management lacks the capability to anticipate risk.
- Most of the ‘innovations’ in risk management offered by the IIA are little more than a re-wording of established practices that have failed in the past.
Internal auditors working in the communications sector are unlikely to be at the cutting edge of their profession, even though they work for businesses that are so intangible in nature, whilst also possessing such huge amounts of data, that they demand a different style of audit to that found in other companies. You cannot audit a telco by asking management for opinions or examining the company’s stocks. There is no limit to the ways that telcos can make mistakes or leave themselves vulnerable to threats without those risks needing to be apparent to anyone. This is the reason that telcos have specialized second-line risk management functions like revenue assurance for which there is no equivalent in most other sectors. However, it is easy for generalists like internal auditors to underestimate the value added by risk specialists with abilities and insights they do not share.
In some ways the risk management of telcos is especially advanced, and this can jar with auditors who are too conservative. The work done by second-line risk management teams in telcos will not be fully appreciated until auditors abandon some of their backward practices and recognize the value of the progress that has been made by giving specialized risk managers the freedom to identify new risks and threats whilst automating the risk monitoring and mitigation that needs to occur on a daily basis or even in real time. We must not be afraid to challenge conventional wisdom, as handed down by bodies like the IIA, and we need to understand and support other leaders like Norman Marks who are seeking to revolutionize the understanding of risk management. Otherwise the good work we do will always be treated as an inconvenience that receives minimal resources and will be disposed of as soon as executive management can find an excuse to make cuts.