Seven Vulnerabilities in Today’s Economy: What Your Organization Can Do
By Ann Butera, President, The Whole Person Project, Inc.

Source: Protiviti's KnowledgeLeader

Recent economic events have rocked everyone from Wall Street to Main Street. This topic reached incredible importance when it became casual conversation in supermarket lines.

Everyone wants an answer to a few key questions:  How afraid should I be?  How will I be impacted? When will things return to business as usual? While everyone seems to have an opinion about the situation, we are all going to have to wait and see how the stimulus package, healthcare reform and other actions unfold.

Think the Unthinkable
In the meantime, people in the risk management profession need to focus on helping organizations manage emerging and existing risks. To do this, people will need to apply what they learn from the financial crisis and think the unthinkable concerning risk events and control design.

So just how does one go about thinking the unthinkable? One needs to be creative, a critical thinker, and not afraid to raise ideas that are unpopular and unpalatable. Since curiosity is the foundation of all critical thinking, it comes to some people more easily because they inherently have more curiosity than others. Effective critical thinkers also demonstrate the ability to question underlying assumptions in ways that reveal new connections and sometimes lead to unexpected lines of inquiry. They are not pacified by statements like, “We have always done it this way” or “No one has ever asked about that before.” Essentially, if you are the type of person who will question the status quo and epitomize professional skepticism instead of simply accepting the assertions of others, you are a critical thinker.

As a result of the current economic environment, audit, compliance and risk management departments will be challenged like never before to do more with less – at the same time that management has increased its reliance on these functions to provide assurance and comfort concerning all aspects of the business. We can meet management’s expectations by making sure that our organizations have not sustained the following vulnerabilities and are prepared to address them.

Vulnerability: Hackneyed Risk Assessments and Audit Scopes
During a recent advanced operational auditing class, we were talking about various risk assessment methods that could be used during an audit. As I explained that one benefit of a risk-based approach to audit planning is that audit resources can then focus on only high-risk areas, a staff auditor commented with mild amazement, “You know, I have been auditing for over three years and I have never had a low risk in any of the audits I worked on. I am not sure if this is because the whole area under review is a high risk or whether this is a result of how my managers have scoped the audits. In fact, we tend to approach repeat audits the same way we have in the past.”

This auditor’s experience is not uncommon. The first time an area is audited, the risk assessment is exhaustive and almost unending. Once that audit is complete, the work papers are used as templates for successive audits of the same process, an approach that increases detection risk.

We need to make sure that auditors think creatively and productively when planning every audit, particularly the ones that perennially warrant attention because of their inherent risk. And, just as importantly, we need to make sure that the auditors really understand the process under review and its drivers and risks before satiating their quest to test. We also need to encourage auditors to think the unthinkable and shift the scopes and test plans accordingly.

Vulnerability: Overlooking Negative Synergy
Risk models and assessment approaches used in internal audit departments, and as part of control self-assessments, currently identify and rank individual risks but often do not consider the effect of negative synergy, which means that the overall assessments are understated.

We need to identify and respond to these negative events (i.e., those individual events that create more harm when they occur at the same time, than when they occur individually). Let us consider a simple example. Unplanned employee turnover is one common operational risk (i.e., too many staff members spend too little time in a position thereby decreasing the institutional memory, increasing the performance learning curve, the potential for errors and the cost of doing business). An external risk is that the labor market will not reflect the talent needed in an organization (i.e., potential candidates are unavailable or undesirable). When these two risks occur at the same time – as they did for a number of firms who were trying to comply with Sarbanes-Oxley just a few years ago – the simultaneous impact of both risks is worse than each one individually. And, if knowledge worker positions are vacant or filled with under-skilled workers, the quality control procedures dependent on judgment and experience (e.g., claims quality reviews) will be impacted.

Vulnerability: Inadequate Enterprise Risk Management
At the October 2008 National Association of Corporate Directors (NACD) Governance Conference, enterprise risk management (ERM) was one of the top three concerns attendees cited as a priority. (The other two top concerns were governance and transparent and open communication.)

All too often, siloed risk assessment and management efforts occur without the compilation of an integrated, actionable message that can be communicated to the board. Just as importantly, the board needs to be able to communicate its concerns and reactions to the ERM results.

Perhaps one of the most important, yet overlooked, aspects of ERM is the process of establishing and articulating the company’s risk appetite. What risks is the organization prepared for? What types of adverse events does it want to avoid (e.g., threats to reputation and fiduciary duty)? How much money is it prepared to lose in the aggregate and over what period?

An integrated, auditable ERM process, one that promotes top-down and bottom-up communication about the business risk appetite, emerging and existing risks and mitigation methods, is needed to address this vulnerability. Unfortunately, there is no one-size-fits-all, prototypical methodology for implementing ERM, making it somewhat like the Holy Grail – sought after but never actually attained. Nevertheless, the results of an organization’s myriad risk management efforts, such as disaster recovery, capital modeling, financial stress testing, information security and control self-assessments, should be corralled so that the findings in each area can be shared, compared and analyzed. Organizations of all sizes need to unify their disparate risk management methods to create an integrated, auditable, updatable process that provides the board and executives with useful information concerning emerging and existing risks and their mitigants.
 
While internal audit is typically urged to spearhead ERM because of its expertise, the reality is that the process should be owned by management because the company’s risk appetite and risk management practices should be congruent with the business strategy and corporate culture.

While the ERM efforts are being corralled, the results of audit, compliance and risk management should be tracked and communicated in an integrated and useful way. Setting issues of ownership aside, every organization should have a single repository for management corrective actions so that the board and executive management can be apprised of trends in control gaps and progress made to close them.

Vulnerability: Inadequate Fraud Risk Assessment
It is axiomatic that as the economy worsens, fraud risk increases. Admittedly, the subject of fraud is often a touchy one with management. No one likes to think that a coworker could be involved in suspicious activity. For example, one CAE at a small financial services company is not planning to complete a fraud assessment because he feels that the organization’s fraud risk is external – that is, perpetrated by customers. In his opinion, internal audit departments historically are not effective at detecting fraud.

According to the most recent “American Workplace Insights” survey from Adecco Group North America, America’s workforce seems in greater danger of having mental problems. One in five employed people report the recession has had a negative impact on their mental health. Some 28 percent would do something dishonest to keep their jobs (examples included blaming co-workers for mistakes and blackmail). Leading by far in this area is the Generation Y demographic of which 41 percent would do something dishonest. Leading all groups, 44 percent of men between the ages of 18 and 35 would do something dishonest in this scenario.

Consequently, more attention should be focused on identifying ways potential frauds can occur. In today’s environment, past performance should not be interpreted as an indicator of future results. Arguably, performing a comprehensive, top-down fraud risk assessment might be an activity your team cannot internally support at this time. However, at a minimum this should be a standard, documented step in each audit.

Vulnerability: Filling the Leadership Void
A number of factors are responsible for a growing deficit in internal audit leadership ranks. First is the sheer size of the baby boomer generation, which is retiring at the very moment seasoned, highly skilled internal audit leadership expertise is needed more than ever before. Consider also that Generation X and Millennial Age cohorts are smaller in number and often have very different attitudes about the value of actively pursuing management career tracks.

Another factor is simply the nature of internal audit, compliance and risk management work and the types of people drawn to it. Traditionally, many people entering these professions have done so with the expectation of independently pursuing analytical project work. A recent USA Today survey confirmed that many of today’s highly skilled technical employees simply do not want to manage others, viewing the role as thankless, time-consuming and beyond the scope of responsibilities for which they were trained.

Finally, as companies become more global in scope, many no longer are providing the same hands-on, intensive leadership skills training.  While e-learning may be a cost-effective training option for many technical skills, it is not necessarily the right vehicle for training managers in skills such as leadership, negotiation and talent development.

To fill this void, we need to actively identify auditors and risk managers with leadership potential and encourage them to step up to the challenge of managing the work efforts of others and developing talent.
 
Then, we must provide them with the interpersonal, business administration and people management skills needed to build and retain effective teams.

Vulnerability: Inadequate Bench Strength
There are many reasons why building bench strength is vital to an effective internal audit, compliance and risk management department. Foremost is the fact that a dearth of bench strength creates a void in the promotable talent pool and erodes succession planning efforts. Secondly, these functions provide a professional service that depends heavily on sound judgment. This type of judgment is not inherent. It is the product of knowledge and experience, and it must be cultivated over time.

For example, cultivating sound audit judgment means coaching less experienced auditors to think consistently in a manner congruent with auditing principles and the organizational culture. An audit is a very task-oriented, time-intensive process. New auditors are indoctrinated and coached to get the audit done within the time allocated in the annual audit plan. Audit supervisors and lead auditors quickly realize that exceeding the hours allocated for an audit creates negative repercussions. With such a heavy emphasis on tasks and time, any focus on people development often gets shortchanged. This means that professional development such as training and coaching is handled on an ad hoc basis, if at all.

The reality is that technical skills, while important, are not enough to yield a consistently successful department or to develop bench strength that will enhance audit effectiveness and lay the foundation for succession planning. Organizations of all sizes need to have a plan to onboard, orient, train and develop team members at all levels. They need to make sure that there is an adequate amount of redundancy in critical competencies (e.g., analytical and critical thinking) so that as vacancies occur, they may be filled with relative ease from within the organization.  This boosts morale and preserves institutional memory. Admittedly, this is a greater challenge for smaller departments with limited resources; however, it is just as important.  We need to make sure that we retain and develop talented professionals who exercise good judgment and sound decision-making.

Vulnerability: Diluted Communications that Create Comas of Complacency  
As Main Street becomes increasingly disenchanted with the way the bailout money has been used, notably to fund bonuses while the company bleeds red ink, the spotlight will eventually land on boards of directors – groups that have managed to keep a low profile as their chief executives are skewered in the media.

In our litigious world, it is inevitable that board members – and audit committee members in particular – will have to answer tough questions about what they knew, and when they knew it, concerning pay-for-performance, investments, operational results and their oversight.

To the extent that your department provides the audit committee with opinions and conclusions concerning risk management efforts, your communications can either promote or shatter a board’s coma of complacency.

One of the perennial questions facing CAEs and other department heads is how much information to provide the audit committee and other executives. The answer to this question varies based on the complexity of the organization, the organizational culture, and the experience and background of the audit committee members. Generally, more information is provided to less sophisticated audiences because these folks need background and detailed explanations.
 
Typically, one of the first pieces of advice given to those presenting to executives or boards of directors is to keep the message simple and brief. In fact, some executives promote this behavior by refusing to read any internal communiqué longer than one page. Since behavior rewarded is behavior repeated, people who work in this environment quickly learn that less truly is more. They produce terse, simple messages to describe complex and difficult situations (consider the complexities in valuing auction rate securities, collateralized debt obligations, etc. and the effects of fair value).  These can mistakenly give readers an impression that the situation is simple, low risk and under control – especially when delivered in a confident tone.

The second piece of advice is to choose one’s words carefully so as to present facts in a balanced and neutral way without alarming others, that is, show no fear. While this sounds like good advice, sometimes people should be alarmed or at least very concerned. These communication “rules” actually create risks that insufficient information is often conveyed and that the information that is conveyed is not completely understood by those who heard it.

While it might seem logical to simply query audit committee members, this is tantamount to asking auditees to describe the concerns they would like you to address during a review. Typically, the answer is the same: Everything is fine; no changes are needed, and thank you very much for asking.

In addition to managing the written word, we can often over-manage meetings with executives and audit committee members by rehearsing our presentations until every scripted word and the answer to every possible inquiry is committed to memory. Of course, it is easy to over-manage the meetings when the agendas are planned with the precision of a military platoon. When each topic is allocated a specific amount of time, and the meeting leader periodically reminds the attendees of time’s passage, participants get the non-verbal message that the world will end if the discussion is protracted and time limits are exceeded. While time management is a hallmark of well-run meetings, let us remember the meetings’ purpose: to discuss the risk management results and make appropriate, informed decisions based on this information. Clearly, strong and experienced audit committees will shed the shackles of pseudo-time restrictions and give the topics the attention and time they merit. However, when audit committee members and the CAE (and other department heads) defer too much to a charismatic CEO or are inexperienced, the organization is vulnerable.

While it is laudable to want efficient board and executive relations, when meetings are over-managed, communications are diluted and messages between the CEO and CAE are filtered, audit committee members may become complacent.

While we want to spare our executives and board members from detailed documents describing audit and compliance concerns, we need to make sure our terse summary has not unintentionally diluted the issues’ significance. We need to create or increase our ability to report on trends in audit findings across audits. This allows the board and executive management to receive a panoramic presentation that enables them to understand the pervasive issues attacking multiple areas within the organization. Additionally, we need to make sure that audit committee meetings are not so tightly scheduled, scripted and orchestrated as to thwart discussion. The audit committee should be able to meet with internal audit or external audit without management present.

Risk managers are in a vital spot to help their organization address vulnerabilities and be prepared to handle whatever the future may bring – even the unthinkable.

Ann M. Butera, MBA, CRP is President of The Whole Person Project, Inc., an organizational development consulting and training firm, is a frequent conference speaker, and serves on the audit committee for a financial services firm. She welcomes your reactions and questions, and can be reached at annbutera@cs.com or 516-354-3551.

© 2012 Protiviti Inc. All Rights Reserved.