Paradigm paralysis in ERM & internal audit

The internal audit profession needs to reinvent itself to better respond to the emerging expectations facing senior management and boards

Tim Leech & Lauren Hanlon
Tim is the Managing Director and Lauren is a Director at Risk Oversight Solutions Inc
Ethical Boardroom | Summer 2016 | Board Governance | Enterprise Risk Management

Boards and CEOs around the world are being told repeatedly from multiple sources that they need to do a better job managing and overseeing risk and, most recently, ‘risk culture’.1 Unfortunately, current methods of providing stakeholders with assurance that risk management processes are effective are fundamentally the same methods that have been used for decades. The 2008 global crisis is a graphic illustration of their inability to cope with an increasingly fast-moving and complex world. This article is a call to boards, CEOs, law makers, regulators, investor groups and others for a major paradigm shift in risk management and assurance thinking to create and better preserve shareholder value.

Paradigm paralysis in the enterprise risk management (ERM) and internal audit communities blocks their ability to see new methods available to better meet the needs of stakeholders. This article will outline the status quo ERM and internal audit paradigms; describe why the current paradigms are blocking progress; and propose some simple, but radically different, ideas to assist boards, CEOs and ERM and internal audit specialists make the paradigm shift necessary to drive positive change.

Paradigm paralysis: ERM methods

Although there is wide variation in how companies have implemented ERM, the most common feature is the creation and maintenance of ‘risk registers’ as a foundation. The extent to which the risks identified are linked to the company’s business objectives and strategies varies greatly. Supplementing the risk registers are ‘risk heat maps’ that depict individual risks in terms of likelihood and consequence. Risk heat maps may, or may not, depict residual risk, the risk remaining after considering the risk responses/risk treatments applied to a single risk.2 These risk registers are typically maintained by ERM specialists or internal audit groups and results are reported upwards to the board.

ERM paradigm flaws

The primary drawback of this risk-centric ERM paradigm is that it looks at risks in isolation from the company’s top value creation and value preservation objectives (see the sidebar for the authors’ definitions). This approach does not allow decision makers to see the current state of residual risk linked to the achievement of the company’s most important objectives. The risks relevant to an individual objective are not looked at in totality in terms of their collective effect on the achievement of that objective. The process does not produce information to evaluate the acceptability of the current residual risk status (i.e. is it within risk appetite/tolerance?). It also creates confusion and uncertainty around who is really responsible for the risks identified, as assigned ‘risk owners’ may not align with those responsible for achieving the linked objective(s). This risk-centric approach has also tended to focus more on value preservation objectives (e.g. ‘three lines of defence’) rather than a balance that puts at least equal emphasis on value creation/strategic objectives.

Sidebar: the authors’ definitions

Value Creation Objective: objectives key to the long-term success of the enterprise that will create enhanced shareholder value (e.g. increase market share by 20 per cent).

Value Preservation Objective: objectives that, if not achieved, have significant potential to erode stakeholder value (e.g. ensure reliable financial statement disclosures).

Another flaw is that the process is typically completed as a static annual or semi-annual exercise with a heavy compliance connotation. The risk assessment methodology used to populate the risk register and risk heat maps is often not the same assessment approach used by internal audit to complete internal audits, or the assessment approach used by other specialist groups, such as safety, compliance, insurance, quality, etc. It is also important to note that the dominant ERM method to identify risks is ‘brainstorming’, based heavily on the knowledge and experience of participants. The full range of methods available to identify significant risks is rarely used. Key risks linked to top strategic objectives are often missed. The approach often does not consider the full range of risk responses/risk treatments available, as it tends to focus heavily on ‘controls’ linked to individual risks rather than the full range of risk responses/treatments.

Another critical flaw of the current ERM paradigm is that when work units are candid and disclose very serious and material retained risk positions, the result in some companies is that the area is then scheduled for a traditional internal audit – in essence, participants are punished for being upfront and disclosing information key to better decision making and a healthy risk culture. Another significant concern is that the areas that are generally low risk from a culture perspective often do the best job identifying and disclosing risks and residual risk status. Groups and executives that represent major risk to the organisation culturally are least likely to candidly disclose significant risks and the true retained risk position.

Barriers to change

■ Influential ERM guidance sources, including COSO and ISO 31000, while defining risk in terms of its ability to affect the achievement of objectives, implicitly endorse risk-centric approaches to risk management that use risk registers, not objectives registers, as a foundation. COSO and the authors of ISO 31000 do not advocate that the process should start by identifying and prioritising objectives, then make conscious decisions on which objectives warrant the cost of formal risk assessments. The COSO ERM exposure draft issued in June 2016, while increasing the focus on value creation objectives, stops short of calling on companies to create and use objectives registers as a foundation for ERM.

■ It may be a very uncomfortable and unfamiliar exercise for the board and management to agree on the top value creation and value preservation objectives. This reluctance prevents efficient entity-level resource allocation and decision making. An objective-centric approach focusses first on defining the top objectives key to sustained long-term success – it seeks a balance between value creation and value preservation. A risk-centric/risk register ERM approach is often quite vague on its linkages to top value creation/preservation objectives and rarely makes a link to performance.

■ Management has to take on substantially greater ownership and act as primary risk assessor/reporter for the company’s top objectives, including providing a report and opinion on the overall residual risk status for each objective to the board. This is a fundamental shift that requires changes to how management and traditional ERM and internal audit teams interact and discharge their responsibilities. It may also include a fundamental risk culture shift, where candidly described significant negative residual risk positions are rewarded, not punished, by internal audit and senior management.

■ There is a global shortage of staff with the knowledge and skills to implement an objective-centric risk self-assessment framework. Business schools are still in their infancy in producing enterprise risk management curriculum beyond traditional internal audit and accounting courses that teach control-centric models heavily linked to the effectiveness of internal controls over financial reporting and IT security. Those schools that do cover risk management holistically generally teach ERM methods that use risk registers as a foundation.

■ The three lines of defence (3LoD) model is endorsed by the Institute of Internal Auditors (IIA) and some regulators as a risk governance framework.3 The IIA 3LoD model sees the board and CEO as stakeholders who receive information, not active and key participants in the risk management process. It perpetuates the notion that risk management is fundamentally about hazard avoidance and defence – not a key support tool to take risks intelligently and drive increased stakeholder value.

■ The IIA has not actively supported a shift from traditional risk-centric ERM methods and control- and process-centric direct report internal audit methods to a management-driven, objective-centric risk self-assessment approach. IIA guidance on how to assess the effectiveness of ERM frameworks does not call for an evaluation of whether the approach being evaluated is assessing risks linked to a company’s top value creation and value preservation objectives.

The way forward: a board-driven ERM paradigm shift

Boards and CEOs need to take the time to understand the substantial differences between risk-centric and objective-centric risk management frameworks. More information on the business case for objective-centric risk management vs traditional risk-centric approaches that use risk registers as a foundation can be found online.

Require a robust management-driven, objective-centric risk self-assessment framework that uses an objectives register as the foundation. Risk management efforts should be aligned with the top value creation and preservation objectives to ensure optimal capital allocation. The objectives register should include the company’s top value creation and value preservation objectives. These should be defined by management and reviewed by the board. ‘Owner/sponsors’ should be assigned to each objective. Owner/sponsors are responsible for assessing and reporting on the state of residual risk related to each of the objectives to the CEO and the board using an ISO 31000 compliant assessment methodology (for an example of an objective-centric/ISO 31000 compliant approach see the RiskStatusline™ assessment approach shown on page 50). Conscious decisions should be made on the target level of risk assessment rigour and independent assurance. The board should receive regular reports on the residual risk status of the objectives in the register, including the current Composite Residual Risk Rating (CRRR). A sample set of definitions for CRRRs is also on page 50.

Require that the CEO or his/her designate regularly (bi-annually or quarterly) provide the board with a consolidated report on residual risk status linked to the company’s top value creation and value preservation objectives. This simple step has great potential to drive the necessary changes to the way management and all of the specialist assurance groups do their work.

Assign responsibility to ERM specialist staff to implement and maintain a robust objective-centric risk self-assessment framework. This repositions the role of risk specialists to one where their primary role is providing training, facilitating objective-centric management-driven risk self-assessments and helping the CEO produce reliable consolidated reports for the board on the residual/retained risk status of top value creation and preservation objectives.

Require annual opinions from internal audit on the effectiveness of the company’s risk management framework and the reliability of the consolidated report from the CEO to the board on the company’s residual/retained risk status linked to top value creation/value preservation objectives.
Paradigm paralysis: internal audit

The internal audit profession is based on a core paradigm, largely unchanged since the profession began, that calls for internal auditors to audit a unit, topic, process, or other ‘audit universe’ element and form an opinion as to whether the auditor believes the ‘internal controls’ in the audit universe subject matter are ‘effective’ or ‘adequate’. From a technical perspective, this approach is called a ‘direct report audit engagement’.

Internal auditors must, of necessity, use a direct report audit approach in cases where management has not self-assessed and made a formal representation on the state of risk. When management does self-assess, internal audit can use an ‘attestation’ approach that reports on management’s self-assessment. Unfortunately, the percentage of companies where management completes self-assessments and reports on the state of residual risk linked to key value creation and preservation objectives is still a very small percentage of the total.

Ironically, most internal audit departments claim their audit methodology is ‘risk based’. What this means is often unclear, as their audit plans often do not cover the company’s top value creation/strategic objectives. Internal audit coverage expressed as a percentage of the entire risk universe of a company is rarely more than 10 per cent in any given year. Results of individual internal audits are reported to management and summary reports are provided to the audit committee of the board of directors.
Internal audit paradigm flaws

The key flaw in the current internal audit paradigm is that it does not position responsibility for assessing risks and reporting upwards on the state of residual risk linked to the company’s most critical value creation and value preservation objectives squarely with the people that should have primary responsibility – management. It discourages management from learning how to formally assess and report on residual risk status linked to key value creation/preservation objectives (i.e. it’s not their job to assess and report, so why do they need the skills to do it?). Internal audit coverage is usually a small percentage each year of the total risk universe and often has a heavy bias towards value preservation and financial accounting controls.

The audit plan often does not cover the company’s most important value creation/strategic objectives and is often not well integrated with the work of other assurance groups, including ERM, safety, IT security, environment, compliance, insurance and others. The traditional internal audit paradigm often puts serious political pressure on business units to put in place additional ‘internal controls’ linked to the topic audited, even when residual risk status in other areas linked to key value creation/strategic objectives not covered by internal audit warrants more of the scarce risk treatment resources.

Our work globally suggests that only a small percentage of internal auditors today use objective-centric risk assessment methods on their audits that conform to the risk assessment methods defined by the global risk management standard, ISO 31000, or COSO ERM 2004/ED 2016. A large percentage of internal auditors report opinions on the sufficiency of internal controls, not on the full range of risk responses/risk treatments in place. This can result in seriously flawed results and opinions. An opinion from internal audit on whether internal controls are effective, or not, is fundamentally an opinion from the internal auditors on whether they think residual risk status is acceptable to the company and the board – information the internal auditors often don’t have and decisions internal auditors aren’t authorised or trained to make.

It is important to note that the Financial Stability Board (FSB) and the Institute of Internal Auditors (IIA) are increasingly calling on internal audit groups to assess and report on all of their company’s risk management processes.4 When internal audit is the group with primary responsibility for completing documented risk and control assessments, this requires internal audit to report on itself – a violation of audit independence standards.

Barriers to change (continued)

■ A large percentage of companies and their boards have not embraced the need for management to self-assess and report on the state of residual risk linked to their most important value creation and value preservation objectives and report consolidated results upwards to the company’s board of directors. As long as management in a company is unwilling to perform this role, internal audit must continue to do direct report audit engagements on a small percentage of the risk universe (i.e. there are no management representations on risk status on key objectives to audit, hence attestation internal audit engagements are not possible).

■ Because the majority of companies in the world today have not implemented robust objective-centric risk self-assessment frameworks, a large percentage of the IIA curriculum, training, and certification standards are built on the direct report audit paradigm with a heavy focus on internal auditors opining on the sufficiency of ‘internal controls’. A massive and concerted effort would be required to equip internal auditors with the skills necessary to form opinions on the reliability of objective-centric risk self-assessments, as many internal auditors lack the skills to complete them. Many internal auditors are not currently trained to complete ISO 31000/COSO ERM compliant risk assessments and, by extension, are not equipped to report whether objective-centric risk assessments done by management are reliable.

■ Many boards and senior executives don’t believe internal audit can add significant value to their company’s top value creation objectives and are content to have internal audit focus on a relatively narrow range of objectives with a heavy focus on financial controls, IT security, business continuity, fraud prevention and other value preservation/defence areas.

The way forward: a board/CEO-driven internal audit paradigm shift

Boards and CEOs need to call for implementation of robust objective-centric risk self-assessment frameworks that use an objectives register as the foundation. See details above. When an objectives register is used as a foundation for ERM it defines the roles of owner/sponsors, ERM specialists and independent assurance staff and, by definition, focusses resources on objectives key to long-term value creation and preservation.

Require that internal audit use the company’s objectives register, not an audit universe, as its work foundation. Once management, with the assistance of ERM specialists, has completed the assigned risk assessments at the defined level of risk assessment rigour, internal audit completes quality assurance reviews where internal audit has been defined as the independent assurance provider, to achieve the target independent assurance level defined in the objectives register. For some objectives in the objectives register the board and/or C-suite may assign other independent assurance providers. The primary goal of internal audit is to provide the board with opinions on the effectiveness of the company’s enterprise risk management processes and the reliability of the consolidated report from the CEO to the board on residual risk status. Internal audit should also flag any areas where they think management is accepting levels of residual risk that may be outside of the CEO’s and/or the board’s risk appetite/tolerance.

Ensure the internal audit team is staffed appropriately to contribute on top value creation and value preservation objectives. This can include management rotation programmes and hiring of staff from non-traditional internal audit backgrounds (i.e. outside of accounting, IT security, external audit).

COMPOSITE RESIDUAL RISK RATING DEFINITIONS

0 Fully acceptable: Composite residual risk status is acceptable. No changes to risk treatment strategy required at this time. (NOTE: this could mean that one or more significant risks are being accepted. Information on accepted concerns is found in the residual risk status information.)

1 Low: Inaction could result in very minor negative impacts. Ad hoc attention may be required to adjust composite residual risk status to an acceptable level.

2 Minor: Inaction or unacceptable terms could result in minor negative impacts. Routine management attention may be required to adjust composite residual risk status to an acceptable level.

3 Moderate: Inaction could result in or allow continuation of mid-level negative impacts. Moderate senior management effort required to adjust composite residual risk status to an acceptable level.

4 Advanced: Inaction could allow continuation of, or exposure to, serious negative impacts. Senior management attention required to adjust composite residual risk status.

5 Significant: Inaction could result in or allow continuation of very serious entity-level negative impacts. Senior management attention urgently required to adjust composite residual risk status to an acceptable level.

6 Major: Inaction could result in or allow continuation of very major entity-level negative consequences. Analysis and corrective action to adjust composite residual risk status required immediately.

7 Critical: Inaction virtually certain to result in or allow continuation of very major entity-level negative consequences. Analysis and corrective action to adjust composite residual risk status required immediately.

8 Severe: Inaction virtually certain to result in or allow continuation of very severe negative impacts. Senior management/board-level attention urgently required to adjust composite residual risk status.

9 Catastrophic: Inaction could result in or allow the continuation of impacts of catastrophic proportion. Senior management/board-level attention urgently required to adjust composite residual risk status and avert a catastrophic negative impact on the organisation.

10 Terminal: The current composite residual risk status is already extremely material and negative and is having a disastrous impact on the organisation. Immediate top-priority action from the board and senior management required to prevent the demise of the entity.

RiskStatusline™ assessment approach

[Figure: RiskStatusline™ flow. End result objectives (implicit or explicit) → internal/external context → threats to achievement/risks? → risk treatment strategy: risk mitigators/controls; risk transfer, share, finance (selected consciously or unconsciously) → residual risk status → Acceptable? Risk treatment optimised? YES: move on. NO: re-examine risk treatment strategy and/or objective and develop action plan. © 2015 Risk Oversight Solutions Inc.]

SAMPLE summary report for senior executives and the board

| Description | Corporate | End result objective owner/sponsor(s) | Composite residual risk rating (CRRR) | CRRR update date | Potential to increase entity value | Potential to erode entity value | Current risk assessment rigor (RAR) | Independent assurance level (IAL) |
|---|---|---|---|---|---|---|---|---|
| Ensure that financial statements are reliable and in compliance with GAAP | ● | Tim Leech | 6 — Major | 6/12/2014 | Medium | Low | Medium (M) | Low |
| Safeguard and enhance ABC’s reputation | ● | Tim Leech | 4 — Advanced | 6/10/2014 | High | High | Very Low (VL) | Medium |

A call to action: boards and CEOs need to drive paradigm shift efforts

Globally, the ERM and internal audit professions have a serious case of paradigm paralysis that is impeding their ability to help boards and CEOs meet new risk governance expectations. Boards and CEOs need to play a key role driving a quantum paradigm shift in risk management and assurance thinking to make improvements in risk culture. When paradigm paralysis occurs it is always worth remembering the words of Albert Einstein, “Insanity: doing the same thing over and over again and expecting different results”.5 Expecting the same internal audit and ERM methods used over the last 20 to 30 years to produce dramatically different and better results for stakeholders is poor judgement at best. The authors hope that the paradigm shift ideas in this paper will help drive further thought leadership and the developments necessary to produce the quantum paradigm shift in ERM and internal audit methods necessary to help boards and CEOs better meet new risk governance expectations.

Notes

1 Example: see Financial Stability Board, Principles for an Effective Risk Appetite Framework, sent to regulators around the world: http://www.fsb.org/wp-content/uploads/r_131118.pdf

2 Note: COSO uses the term ‘risk responses’. ISO 31000, the global risk management standard, uses the term ‘risk treatments’. In both cases the term refers to the full range of ways to finance, share, transfer, mitigate, avoid and accept risk.

3 See Office of the Superintendent of Financial Institutions, June 2016 E21 Operational Risk Guidelines, for an example of a regulator endorsing ‘Three Lines of Defense’.

4 See Financial Stability Board, Principles for an Effective Risk Appetite Framework, http://www.fsb.org/wp-content/uploads/r_131118.pdf, and IIA Research Foundation, Auditing Risk Assessment and Risk Management Processes.

5 Source: Albert Einstein. (n.d.). BrainyQuote.com. Retrieved 29 June 2016 from BrainyQuote.com website: http://www.brainyquote.com/quotes/quotes/a/alberteins133991.htm

Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2

  • 1.
    48 49 Boards andCEOs around the world are being told repeatedly from multiple sources that they need to do a better job managing and overseeing risk and, most recently, ‘risk culture’.1 Unfortunately, current methods of providing stakeholders with assurance that risk management processes are effective are fundamentally the same methods that have been used for decades. The 2008 global crisis is a graphic illustration of their inability to cope with an increasingly fast moving and complex world. This article is a call to boards, CEOs, law makers, regulators, investor groups and others for a major paradigm shift in risk management and assurance thinking to create and better preserve shareholder value. Paradigm paralysis in the enterprise risk management (ERM) and internal audit communities blocks their ability to see new methods available to better meet the needs of stakeholders. This article will outline status Paradigm paralysis in ERM & internal auditTheinternalaudit professionneedsto reinventitselftobetter respondtotheemerging expectationsfacingsenior managementandboards quo ERM and internal audit paradigms; describe why the current paradigms are blocking progress; and propose some simple, but radically different ideas to assist boards, CEOs and ERM and internal audit specialists make the paradigm shift necessary to drive positive change. Paradigm paralysis: ERM methods Although there is wide variation in how companies have implemented ERM, the most common feature is the creation and maintenance of ‘risk registers’ as a foundation. The extent risks identified are linked to the company’s business objectives and strategies varies greatly. Supplementing the risk registers are ‘risk heat maps’ that depict individual risks in terms of likelihood and consequence. 
Risk heat maps may, or may not, depict residual risk, the risk remaining after considering risk responses/risk treatments on a single risk.2 These risk registers are typically maintained by ERM specialists or internal audit groups and results are reported upwards to the board. ERM paradigm flaws The primary drawback of this risk-centric ERM paradigm is that it looks at risks in isolation from the company’s top value creation and value preservation objectives (see the sidebar for the authors’ definition). This approach does not allow decision makers to see the current state of residual risk linked to the achievement of the company’s most important objectives. All of the risks relevant to individual objectives are not looked at in totality in terms of their collective effect on the achievement of specific objectives. The process does not produce information to evaluate the acceptability of the current residual risk status (i.e. is it within risk appetite/ tolerance?). It also creates confusion and uncertainty around who is really responsible for the risks identified, as assigned ‘risk owners’ may not align with those responsible for achieving the linked objective(s). This risk-centric approach has also tended to focus more on value preservation objectives (e.g. ‘three lines of defence’) rather than a balance, which puts at least equal emphasis on value creation/strategic objectives. Value Creation Objective Objectiveskeytothelong-termsuccess oftheenterprisethatwillcreateenhanced shareholdervalue(e.g.increasemarket shareby20percent) Value Preservation Objective Objectivesthat,ifnotachieved,have significantpotentialtoerodestakeholder value(e.g.ensurereliablefinancial statementsdisclosures) Another flaw is that the process is typically completed as a static annual or semi-annual exercise with a heavy compliance connotation. 
The risk assessment methodology used to populate the risk register and risk heat maps is often not the same assessment approach used by internal audit to complete internal audits, or the assessment approach used by other specialists groups, such as safety, compliance, insurance, quality, etc. It is also important to note that the dominant ERM method to identify risks is ‘brainstorming’, based heavily on the knowledge and experience of participants. The full range of methods available to identify significant risks is rarely used. Key risks linked to top strategic objectives are often missed. The approach often does not consider the full range of risk responses/risk treatments available as it tends to focus heavily on ‘controls’ linked to individual risks, not the full range of risk responses/treatments. Another critical flaw of the current ERM paradigm is that when work units are candid and disclose very serious and material retained risk positions, the result in some companies is that the area is then scheduled for a traditional internal audit – in essence, participants are punished for being upfront and disclosing information key to better decision making and a healthy risk culture. Another significant concern is that the areas that are generally low risk from a culture perspective often do the best job identifying and disclosing risks and residual risk status. Groups and executives that represent major risk to the organisation culturally are least likely to candidly disclose significant risks and the true retained risk position. The way forward: a board -driven ERM paradigm shift Boards and CEOs need to take the time to understand the substantial differences between risk-centric and objective-centric assessment risk management frameworks. More information on the business case for objective-centric risk management vs traditional risk-centric approaches that use risk registers as a foundation can be found online. 
Ethical Boardroom | Summer 2016 | Board Governance | Enterprise Risk Management
Tim Leech & Lauren Hanlon. Tim is the Managing Director and Lauren is a Director at Risk Oversight Solutions Inc.

Barriers to change

■ Influential ERM guidance sources, including COSO and ISO 31000, while defining risk in terms of its ability to affect achievement of objectives, implicitly endorse risk-centric approaches to risk management that use risk registers, not objectives registers, as a foundation. COSO and the authors of ISO 31000 do not advocate that the process should start by identifying and prioritising objectives, then make conscious decisions on which objectives warrant the cost of formal risk assessments. The COSO ERM exposure draft issued in June 2016, while increasing the focus on value creation objectives, stops short of calling on companies to create and use objectives registers as a foundation for ERM.

■ It may be a very uncomfortable and unfamiliar exercise for the board and management to agree on the top value creation and value preservation objectives. This reluctance prevents efficient entity level resource allocation and decision making. An objective-centric approach focusses first on defining the top objectives key to sustained long-term success – it seeks a balance between value creation and value preservation. A risk-centric/risk register ERM approach is often quite vague on its linkages to top value creation/preservation objectives and rarely makes a link to performance.

■ Management has to take on substantially greater ownership and act as primary risk assessor/reporter for the company’s top objectives, including providing a report and opinion on the overall residual risk status for each objective to the board. This is a fundamental shift that requires changes to how management and traditional ERM and internal audit teams interact and discharge their responsibilities. It may also include a fundamental risk culture shift, where candidly describing significant negative residual risk positions is rewarded, not punished, by internal audit and senior management.

■ A global shortage of staff with the knowledge and skills to implement an objective-centric risk self-assessment framework. Business schools are still in their infancy in producing enterprise risk management curriculum beyond traditional internal audit and accounting courses that teach control-centric models heavily linked to effectiveness of internal controls over financial reporting and IT security. Those schools that do cover risk management holistically generally teach ERM methods that use risk registers as a foundation.

■ The use of the three lines of defence (3LoD) endorsed by the Institute of Internal Auditors (IIA) and some regulators as a risk governance framework.3 The IIA 3LoD model sees the board and CEO as stakeholders who receive information, not active and key participants in the risk management process. It perpetuates the notion that risk management is fundamentally about hazard avoidance and defence – not a key support tool to take risks intelligently and drive increased stakeholder value.

■ The IIA has not actively supported a shift from traditional risk-centric ERM methods and control and process-centric direct report internal audit methods to a management-driven, objective-centric risk self-assessment approach. IIA guidance on how to assess the effectiveness of ERM frameworks does not call for an evaluation of whether the approach being evaluated is assessing risks linked to a company’s top value creation and value preservation objectives.

1. Require a robust management-driven, objective-centric risk self-assessment framework that uses an objective register as the foundation. Risk management efforts should be aligned with the top value creation and preservation objectives to ensure optimal capital allocation. The objectives register should include the company’s top value creation and value preservation objectives. These should be defined by management and reviewed by the board. ‘Owner/sponsors’ should be assigned to each objective. Owner/sponsors are responsible for assessing and reporting on the state of residual risk related to each of the objectives to the CEO and the board using an ISO 31000 compliant assessment methodology (for an example of an objective-centric/ISO 31000 compliant approach see the RiskStatusline™ assessment approach shown on page 50). Conscious decisions should be made on the target level of risk assessment rigour and independent assurance. The board should receive regular reports on the residual risk status of the objectives in the register, including the current Composite Residual Risk Rating (CRRR). A sample set of definitions for CRRRs is also on page 50.

2. Require that the CEO or his/her designate regularly (bi-annually or quarterly) provide the board with a consolidated report on residual risk status linked to the company’s top value creation and value preservation objectives. This simple step has great potential to drive the necessary changes to the way management and all of the specialist assurance groups do their work.

3. Assign responsibility to ERM specialist staff to implement and maintain a robust objective-centric risk self-assessment framework. This repositions the role of risk specialists to one where their primary role is providing training, facilitating objective-centric management-driven risk self-assessments and helping the CEO produce reliable consolidated reports for the board on the residual/retained risk status of top value creation and preservation objectives.

4. Require annual opinions from internal audit on the effectiveness of the company’s risk management framework and the reliability of the consolidated report from the CEO to the board on the company’s residual/retained risk status linked to top value creation/value preservation objectives.

Paradigm paralysis: internal audit

The internal audit profession is based on a core paradigm, largely unchanged since the profession began, that calls for internal auditors to audit a unit, topic, process, or other ‘audit universe’ element and form an opinion as to whether the auditor believes the ‘internal controls’ in the audit universe subject matter are ‘effective’ or ‘adequate’. From a technical perspective, this approach is called a ‘direct report audit engagement’. Internal auditors must, of necessity, use a direct report audit approach in cases where management has not self-assessed and made a formal representation on the state of risk. Where management has self-assessed, internal audit can use an ‘attestation’ approach that reports on management’s self-assessment. Unfortunately, the percentage of companies where management complete self-assessments and report on the state of residual risk linked to key value creation and preservation objectives is still a very small percentage of the total.
Ironically, most internal audit departments claim their audit methodology is ‘risk based’. What this means is often unclear, as their audit plans often do not cover the company’s top value creation/strategic objectives. Internal audit coverage expressed as a percentage of the entire risk universe of a company is rarely more than 10 per cent in any given year. Results of individual internal audits are reported to management and summary reports provided to the audit committee of the board of directors.

Internal audit paradigm flaws

The key flaw in the current internal audit paradigm is that it does not position responsibility for assessing risks and reporting upwards on the state of residual risk linked to the company’s most critical value creation and value preservation objectives squarely with the people that should have primary responsibility – management. It discourages management from learning how to formally assess and report on residual risk status linked to key value creation/preservation objectives (i.e. it’s not their job to assess and report, so why do they need the skills to do it?). Internal audit coverage is usually a small percentage each year of the total risk universe and often has a heavy bias towards value preservation and financial accounting controls. The audit plan often does not cover the company’s most important value creation/strategic objectives and is often not well integrated with the work of other assurance groups, including ERM, safety, IT security, environment, compliance, insurance and others.

The traditional internal audit paradigm often puts serious political pressure on business units to put in place additional ‘internal controls’ linked to the topic audited, even when residual risk status in other areas linked to key value creation/strategic objectives not covered by internal audit warrants more of the scarce risk treatment resources. Our work globally suggests that only a small percentage of internal auditors today use objective-centric risk assessment methods on their audits that conform to the risk assessment methods defined by the global risk management standard, ISO 31000, or COSO ERM 2004/ED 2016. A large percentage of internal auditors report opinions on the sufficiency of internal controls, not the full range of risk responses/risk treatments in place. This can result in seriously flawed results and opinions. An opinion from internal audit on whether internal controls are effective, or not, is fundamentally an opinion from the internal auditors on whether they think residual risk status is acceptable to the company and the board – information the internal auditors often don’t have and decisions internal auditors aren’t authorised or trained to make.

It is important to note that the Financial Stability Board (FSB) and the Institute of Internal Auditors (IIA) are increasingly calling on internal audit groups to assess and report on all of their company’s risk management processes.4 When internal audit is the group with primary responsibility for completing documented risk and control assessments, this requires internal audit to report on itself – a violation of audit independence standards.

The way forward: a board/CEO-driven internal audit paradigm shift

Boards and CEOs need to call for implementation of robust objective-centric risk self-assessment frameworks that use an objective register as the foundation (see details above). When an objective register is used as a foundation for ERM it defines the roles of owner/sponsors, ERM specialists and independent assurance staff and, by definition, focusses resources on objectives key to long-term value creation and preservation.

Require that internal audit use the company’s objectives register, not an audit universe, as the foundation for its work. Once management, with the assistance of ERM specialists, has completed the assigned risk assessments at the defined level of risk assessment rigour, internal audit completes quality assurance reviews where internal audit has been defined as the independent assurance provider, to achieve the target independent assurance level defined in the objectives register. For some objectives in the objectives register the board and/or C-Suite may assign other independent assurance providers. The primary goal of internal audit is to provide the board with opinions on the effectiveness of the company’s enterprise risk management processes and the reliability of the consolidated report from the CEO to the board on residual risk status. Internal audit should also flag any areas where they think management is accepting levels of residual risk that may be outside of the CEO’s and/or the board’s risk appetite/tolerance.

Ensure the internal audit team is staffed appropriately to contribute on top value creation and value preservation objectives. This can include management rotation programmes and hiring of staff from non-traditional internal audit backgrounds (i.e. outside of accounting, IT security, external audit).

Barriers to change (continued)

■ A large percentage of companies and their boards have not embraced the need for management to self-assess and report on the state of residual risk linked to their most important value creation and value preservation objectives and report consolidated results upwards to the company’s board of directors. As long as management in a company is unwilling to perform this role, internal audit must continue to do direct report audit engagements on a small percentage of the risk universe (i.e. there are no management representations on risk status on key objectives to audit, hence attestation internal audit engagements are not possible).

■ Because the majority of companies in the world today have not implemented robust objective-centric risk self-assessment frameworks, a large percentage of the IIA curriculum, training and certification standards are built on the direct report audit paradigm with a heavy focus on internal auditors opining on the sufficiency of ‘internal controls’. A massive and concerted effort would be required to equip internal auditors with the skills necessary to form opinions on the reliability of objective-centric risk self-assessments, as many internal auditors lack the skills to complete them. Many internal auditors are not currently trained to complete ISO 31000/COSO ERM compliant risk assessments and, by extension, are not equipped to report whether objective-centric risk assessments done by management are reliable.

■ Many boards and senior executives don’t believe internal audit can add significant value to their company’s top value creation objectives and are content to have internal audit focus on a relatively narrow range of objectives with a heavy focus on financial controls, IT security, business continuity, fraud prevention and other value preservation/defence areas.

COMPOSITE RESIDUAL RISK RATING DEFINITIONS

0 Fully acceptable: Composite residual risk status is acceptable. No changes to risk treatment strategy required at this time. (NOTE: this could mean that one or more significant risks are being accepted. Information on accepted concerns is found in the residual risk status information.)
1 Low: Inaction could result in very minor negative impacts. Ad hoc attention may be required to adjust composite residual risk status to an acceptable level.
2 Minor: Inaction or unacceptable terms could result in minor negative impacts. Routine management attention may be required to adjust composite residual risk status to an acceptable level.
3 Moderate: Inaction could result in or allow continuation of mid-level negative impacts. Moderate senior management effort required to adjust composite residual risk status to an acceptable level.
4 Advanced: Inaction could allow continuation of/or exposure to serious negative impacts. Senior management attention required to adjust composite residual risk status.
5 Significant: Inaction could result in or allow continuation of very serious entity level negative impacts. Senior management attention urgently required to adjust composite residual risk status to an acceptable level.
6 Major: Inaction could result in or allow continuation of very major entity level negative consequences. Analysis and corrective action to adjust composite residual risk status required immediately.
7 Critical: Inaction virtually certain to result in or allow continuation of very major entity level negative consequences. Analysis and corrective action to adjust composite residual risk status required immediately.
8 Severe: Inaction virtually certain to result in or allow continuation of very severe negative impacts. Senior management/board-level attention urgently required to adjust composite residual risk status.
9 Catastrophic: Inaction could result in or allow the continuation of catastrophic proportion impacts. Senior management/board level attention urgently required to adjust composite residual risk status and avert a catastrophic negative impact on the organisation.
10 Terminal: The current composite residual risk status is already extremely material and negative and having disastrous impact on the organisation. Immediate top priority action from the board and senior management required to prevent the demise of the entity.

[Figure: RiskStatusline™ assessment approach, 2015 Risk Oversight Solutions Inc. Flow: End result objectives (implicit or explicit) and internal/external context; Threats to achievement/risks?; Risk treatment strategy (risk mitigators/controls; risk transfer, share, finance; selected consciously or unconsciously); Residual risk status; Acceptable? Risk treatment optimised? If YES, move on; if NO, re-examine risk treatment strategy and/or objective and develop action plan.]

SAMPLE summary report for senior executives and the board (two end result objectives shown; values given as objective 1 / objective 2)

Description: Ensure that financial statements are reliable and in compliance with GAAP / Safeguard and enhance ABC’s reputation
Corporate: yes / yes
End result objective owner/sponsor(s): Tim Leech / Tim Leech
Composite residual risk rating (CRRR): 6 — Major / 4 — Advanced
CRRR update date: 6/12/2014 / 6/10/2014
Potential to increase entity value: Medium / High
Potential to erode entity value: Low / High
Current risk assessment rigor (RAR): Medium (M) / Very Low (VL)
Independent assurance level (IAL): Low / Medium

A call to action — boards and CEOs need to drive paradigm shift efforts

Globally, the ERM and internal audit professions have a serious case of paradigm paralysis that is impeding their ability to help boards and CEOs meet new risk governance expectations. Boards and CEOs need to play a key role driving a quantum paradigm shift in risk management and assurance thinking to make improvements in risk culture. When paradigm paralysis occurs it is always worth remembering the words of Albert Einstein, “Insanity: doing the same thing over and over again and expecting different results”.5 Expecting the same internal audit and ERM methods used over the last 20 to 30 years to produce dramatically different and better results for stakeholders is poor judgement at best. The authors hope that the paradigm shift ideas in this paper will help drive further thought leadership and the developments necessary to produce the quantum paradigm shift in ERM and internal audit methods necessary to help boards and CEOs better meet new risk governance expectations.

1 Example: See Financial Stability Board Principles for an Effective Risk Appetite Framework, sent to regulators around the world, http://www.fsb.org/wp-content/uploads/r_131118.pdf
2 Note: COSO uses the term ‘risk responses’. ISO 31000, the global risk management standard, uses the term ‘risk treatments’. In both cases the term refers to the full range of ways to finance, share, transfer, mitigate, avoid and accept risk.
3 See Office of Superintendent Financial Institutions June 2016 E21 Operational Risk Guidelines for an example of a regulator endorsing ‘Three Lines of Defense’.
4 See Financial Stability Board Principles for an Effective Risk Appetite Framework, http://www.fsb.org/wp-content/uploads/r_131118.pdf, and IIA Research Foundation, Auditing Risk Assessment and Risk Management Processes.
5 Source: Albert Einstein. (n.d.). BrainyQuote.com. Retrieved 29 June 2016 from BrainyQuote.com Web site: http://www.brainyquote.com/quotes/quotes/a/alberteins133991.htm