
Paradigm paralysis in ERM & internal audit

The internal audit profession needs to reinvent itself to better respond to the emerging expectations facing senior management and boards

Boards and CEOs around the world are being told repeatedly from multiple sources that they need to do a better job managing and overseeing risk and, most recently, ‘risk culture’.1 Unfortunately, current methods of providing stakeholders with assurance that risk management processes are effective are fundamentally the same methods that have been used for decades.

The 2008 global crisis is a graphic illustration of their inability to cope with an increasingly fast moving and complex world. This article is a call to boards, CEOs, law makers, regulators, investor groups and others for a major paradigm shift in risk management and assurance thinking to create and better preserve shareholder value.

Paradigm paralysis in the enterprise risk management (ERM) and internal audit communities blocks their ability to see new methods available to better meet the needs of stakeholders. This article will outline status quo ERM and internal audit paradigms; describe why the current paradigms are blocking progress; and propose some simple, but radically different ideas to assist boards, CEOs and ERM and internal audit specialists make the paradigm shift necessary to drive positive change.

Paradigm paralysis: ERM methods

Although there is wide variation in how companies have implemented ERM, the most common feature is the creation and maintenance of ‘risk registers’ as a foundation. The extent to which the risks identified are linked to the company’s business objectives and strategies varies greatly. Supplementing the risk registers are ‘risk heat maps’ that depict individual risks in terms of likelihood and consequence. Risk heat maps may, or may not, depict residual risk, the risk remaining after considering risk responses/risk treatments on a single risk.2 These risk registers are typically maintained by ERM specialists or internal audit groups and results are reported upwards to the board.

ERM paradigm flaws

The primary drawback of this risk-centric ERM paradigm is that it looks at risks in isolation from the company’s top value creation and value preservation objectives (see the sidebar for the authors’ definition). This approach does not allow decision makers to see the current state of residual risk linked to the achievement of the company’s most important objectives.

The risks relevant to an individual objective are not looked at in totality in terms of their collective effect on the achievement of that objective. The process does not produce information to evaluate the acceptability of the current residual risk status (i.e. is it within risk appetite/tolerance?). It also creates confusion and uncertainty around who is really responsible for the risks identified, as assigned ‘risk owners’ may not align with those responsible for achieving the linked objective(s). This risk-centric approach has also tended to focus more on value preservation objectives (e.g. ‘three lines of defence’) rather than a balance, which puts at least equal emphasis on value creation/strategic objectives.

VALUE CREATION OBJECTIVE: Objectives key to the long-term success of the enterprise that will create enhanced shareholder value (e.g. increase market share by 20 per cent)

VALUE PRESERVATION OBJECTIVE: Objectives that, if not achieved, have significant potential to erode stakeholder value (e.g. ensure reliable financial statement disclosures)

Another flaw is that the process is typically completed as a static annual or semi-annual exercise with a heavy compliance connotation. The risk assessment methodology used to populate the risk register and risk heat maps is often not the same assessment approach used by internal audit to complete internal audits, or the assessment approach used by other specialist groups, such as safety, compliance, insurance, quality, etc. It is also important to note that the dominant ERM method to identify risks is ‘brainstorming’, based heavily on the knowledge and experience of participants. The full range of methods available to identify significant risks is rarely used. Key risks linked to top strategic objectives are often missed. The approach often does not consider the full range of risk responses/risk treatments available as it tends to focus heavily on ‘controls’ linked to individual risks, not the full range of risk responses/treatments.

Another critical flaw of the current ERM paradigm is that when work units are candid and disclose very serious and material retained risk positions, the result in some companies is that the area is then scheduled for a traditional internal audit – in essence, participants are punished for being upfront and disclosing information key to better decision making and a healthy risk culture. Another significant concern is that the areas that are generally low risk from a culture perspective often do the best job identifying and disclosing risks and residual risk status. Groups and executives that represent major risk to the organisation culturally are least likely to candidly disclose significant risks and the true retained risk position.

The way forward: a board-driven ERM paradigm shift

Boards and CEOs need to take the time to understand the substantial differences between risk-centric and objective-centric risk management frameworks. More information on the business case for objective-centric risk management vs traditional risk-centric approaches that use risk registers as a foundation can be found online.

Ethical Boardroom | Summer 2016
Board Governance | Enterprise Risk Management

Tim Leech & Lauren Hanlon. Tim is the Managing Director; Lauren is a Director at Risk Oversight Solutions Inc

BARRIERS TO CHANGE

■ Influential ERM guidance sources, including COSO and ISO 31000, while defining risk in terms of its ability to affect achievement of objectives, implicitly endorse risk-centric approaches to risk management that use risk registers, not objectives registers, as a foundation. COSO and the authors of ISO 31000 do not advocate that the process should start by identifying and prioritising objectives, then make conscious decisions on which objectives warrant the cost of formal risk assessments. The COSO ERM exposure draft issued in June 2016, while increasing the focus on value creation objectives, stops short of calling on companies to create and use objectives registers as a foundation for ERM.

■ It may be a very uncomfortable and unfamiliar exercise for the board and management to agree on the top value creation and value preservation objectives. This reluctance prevents efficient entity level resource allocation and decision making. An objective-centric approach focusses first on defining the top objectives key to sustained long-term success – it seeks a balance between value creation and value preservation. A risk-centric/risk register ERM approach is often quite vague on its linkages to top value creation/preservation objectives and rarely makes a link to performance.

■ Management has to take on substantially greater ownership and act as primary risk assessor/reporter for the company’s top objectives, including providing a report and opinion on the overall residual risk status for each objective to the board. This is a fundamental shift that requires changes to how management and traditional ERM and internal audit teams interact and discharge their responsibilities. It may also include a fundamental risk culture shift, where candid description of significant negative residual risk positions is rewarded, not punished, by internal audit and senior management.

■ A global shortage of staff with the knowledge and skills to implement an objective-centric risk self-assessment framework. Business schools are still in their infancy in producing enterprise risk management curriculum beyond traditional internal audit and accounting courses that teach control-centric models heavily linked to effectiveness of internal controls over financial reporting and IT security. Those schools that do cover risk management holistically generally teach ERM methods that use risk registers as a foundation.

■ The use of the three lines of defence (3LoD) endorsed by the Institute of Internal Auditors (IIA) and some regulators as a risk governance framework.3 The IIA 3LoD model sees the board and CEO as stakeholders who receive information, not active and key participants in the risk management process. It perpetuates the notion that risk management is fundamentally about hazard avoidance and defence – not a key support tool to take risks intelligently and drive increased stakeholder value.

■ The IIA has not actively supported a shift from traditional risk-centric ERM methods and control and process-centric direct report internal audit methods to a management-driven, objective-centric risk self-assessment approach. IIA guidance on how to assess the effectiveness of ERM frameworks does not call for an evaluation of whether the approach being evaluated is assessing risks linked to a company’s top value creation and value preservation objectives.

Require a robust management-driven, objective-centric risk self-assessment framework that uses an objectives register as the foundation. Risk management efforts should be aligned with the top value creation and preservation objectives to ensure optimal capital allocation. The objectives register should include the company’s top value creation and value preservation objectives. These should be defined by management and reviewed by the board. ‘Owner/sponsors’ should be assigned to each objective.

Owner/sponsors are responsible for assessing and reporting on the state of residual risk related to each of the objectives to the CEO and the board using an ISO 31000 compliant assessment methodology (for an example of an objective-centric/ISO 31000 compliant approach see the RiskStatusline™ assessment approach shown on page 50). Conscious decisions should be made on the target level of risk assessment rigour and independent assurance. The board should receive regular reports on the residual risk status of the objectives in the register, including the current Composite Residual Risk Rating (CRRR). A sample set of definitions for CRRRs is also on page 50.

Require that the CEO or his/her designate regularly (bi-annually or quarterly) provide the board with a consolidated report on residual risk status linked to the company’s top value creation and value preservation objectives. This simple step has great potential to drive the necessary changes to the way management and all of the specialist assurance groups do their work.


Assign responsibility to ERM specialist staff to implement and maintain a robust objective-centric risk self-assessment framework. This repositions the role of risk specialists to one where their primary role is providing training, facilitating objective-centric management-driven risk self-assessments and helping the CEO produce reliable consolidated reports for the board on the residual/retained risk status of top value creation and preservation objectives.

Require annual opinions from internal audit on the effectiveness of the company’s risk management framework and reliability of the consolidated report from the CEO to the board on company’s residual/retained risk status linked to top value creation/value preservation objectives.

Paradigm paralysis: internal audit

The internal audit profession is based on a core paradigm, largely unchanged since the profession began, that calls for internal auditors to audit a unit, topic, process, or other ‘audit universe’ element and form an opinion as to whether the auditor believes the ‘internal controls’ in the audit universe subject matter are ‘effective’ or ‘adequate’. From a technical perspective, this approach is called a ‘direct report audit engagement’.

Internal auditors must, of necessity, use a direct report audit approach in cases where management has not self-assessed and made a formal representation on the state of risk. When this does happen, internal audit can use an ‘attestation’ approach that reports on management’s self-assessment. Unfortunately, the percentage of companies where management complete self-assessments and report on the state of residual risk linked to key value creation and preservation objectives is still a very small percentage of the total.

Ironically, most internal audit departments claim their audit methodology is ‘risk based’. What this means is often unclear as their audit plans often do not cover the company’s top value creation/strategic objectives. Internal audit coverage expressed as a percentage of the entire risk universe of a company is rarely more than 10 per cent in any given year. Results of individual internal audits are reported to management and summary reports provided to the audit committee of the board of directors.

Internal audit paradigm flaws

The key flaw in the current internal audit paradigm is that it does not position responsibility for assessing risks and reporting upwards on the state of residual risk linked to the company’s most critical value creation and value preservation objectives squarely with the people that should have primary responsibility – management. It discourages management from learning how to formally assess and report on residual risk status linked to key value creation/preservation objectives (i.e. it’s not their job to assess and report, so why do they need the skills to do it?). Internal audit coverage is usually a small percentage each year of the total risk universe and often has a heavy bias towards value preservation and financial accounting controls.

The audit plan often does not cover the company’s most important value creation/strategic objectives and is often not well integrated with the work of other assurance groups, including ERM, safety, IT security, environment, compliance, insurance and others. The traditional internal audit paradigm often puts serious political pressure on business units to put in place additional ‘internal controls’ linked to the topic audited, even when residual risk status in other areas linked to key value creation/strategic objectives not covered by internal audit warrants more of the scarce risk treatment resources.

Our work globally suggests that only a small percentage of internal auditors today use objective-centric risk assessment methods on their audits that conform to risk assessment methods defined by the global risk management standard, ISO 31000, or COSO ERM 2004/ED 2016. A large percentage of internal auditors report opinions on sufficiency of internal controls, not the full range of risk responses/risk treatments in place. This can result in seriously flawed results and opinions. An opinion from internal audit on whether internal controls are effective, or not, is fundamentally an opinion from the internal auditors on whether they think residual risk status is acceptable to the company and the board – information the internal auditors often don’t have and decisions internal auditors aren’t authorised or trained to make.

It is important to note that the Financial Stability Board (FSB) and the Institute of Internal Auditors (IIA) are increasingly calling on internal audit groups to assess and report on all of their company’s risk management processes.4 When internal audit is the group with primary responsibility for completing documented risk and control assessments this requires internal audit to report on itself – a violation of audit independence standards.

BARRIERS TO CHANGE (CONTINUED)

■ A large percentage of companies and their boards have not embraced the need for management to self-assess and report on the state of residual risk linked to their most important value creation and value preservation objectives and report consolidated results upwards to the company’s board of directors. As long as management in a company is unwilling to perform this role, internal audit must continue to do direct report audit engagements on a small percentage of the risk universe (i.e. there are no management representations on risk status on key objectives to audit, hence attestation internal audit engagements are not possible).

■ Because the majority of companies in the world today have not implemented robust objective-centric risk self-assessment frameworks, a large percentage of the IIA curriculum, training, and certification standards are built on the direct report audit paradigm with a heavy focus on internal auditors opining on the sufficiency of ‘internal controls’. A massive and concerted effort would be required to equip internal auditors with the skills necessary to form opinions on the reliability of objective-centric risk self-assessments as many internal auditors lack the skills to complete them. Many internal auditors are not currently trained to complete ISO 31000/COSO ERM compliant risk assessments and, by extension, not equipped to report whether objective-centric risk assessments done by management are reliable.

■ Many boards and senior executives don’t believe internal audit can add significant value to their company’s top value creation objectives and are content to have internal audit focus on a relatively narrow range of objectives with a heavy focus on financial controls, IT security, business continuity, fraud prevention and other value preservation/defence areas.

COMPOSITE RESIDUAL RISK RATING DEFINITIONS

0 – Fully acceptable: Composite residual risk status is acceptable. No changes to risk treatment strategy required at this time. (NOTE: this could mean that one or more significant risks are being accepted. Information on accepted concerns is found in the residual risk status information)

1 – Low: Inaction could result in very minor negative impacts. Ad hoc attention may be required to adjust composite residual risk status to an acceptable level

2 – Minor: Inaction or unacceptable terms could result in minor negative impacts. Routine management attention may be required to adjust composite residual risk status to an acceptable level

3 – Moderate: Inaction could result in or allow continuation of mid-level negative impacts. Moderate senior management effort required to adjust composite residual risk status to an acceptable level

4 – Advanced: Inaction could allow continuation of/or exposure to serious negative impacts. Senior management attention required to adjust composite residual risk status

5 – Significant: Inaction could result in or allow continuation of very serious entity level negative impacts. Senior management attention urgently required to adjust composite residual risk status to an acceptable level

6 – Major: Inaction could result in or allow continuation of very major entity level negative consequences. Analysis and corrective action to adjust composite residual risk status required immediately

7 – Critical: Inaction virtually certain to result in or allow continuation of very major entity level negative consequences. Analysis and corrective action to adjust composite residual risk status required immediately

8 – Severe: Inaction virtually certain to result in or allow continuation of very severe negative impacts. Senior management/board-level attention urgently required to adjust composite residual risk status

9 – Catastrophic: Inaction could result in or allow the continuation of catastrophic proportion impacts. Senior management/board level attention urgently required to adjust composite residual risk status and avert a catastrophic negative impact on the organisation

10 – Terminal: The current composite residual risk status is already extremely material and negative and having disastrous impact on the organisation. Immediate top priority action from the board and senior management required to prevent the demise of the entity.

[Figure: RiskStatusline™ assessment flow (Risk Oversight Solutions Inc., 2015). Elements shown: end result objectives (implicit or explicit); internal/external context; threats to achievement/risks?; risk treatment strategy – risk mitigators/controls and risk transfer, share, finance (selected consciously or unconsciously); residual risk status; and two decision points, ‘Acceptable?’ and ‘Risk treatment optimised?’. NO: re-examine risk treatment strategy and/or objective and develop action plan. YES: move on.]

SAMPLE SUMMARY REPORT FOR SENIOR EXECUTIVES AND THE BOARD

Objective 1
Description: Ensure that financial statements are reliable and in compliance with GAAP
Corporate: ●
End result objective owner/sponsor(s): Tim Leech
Composite residual risk rating (CRRR): 6 — Major
CRRR update date: 6/12/2014
Potential to increase entity value: Medium
Potential to erode entity value: Low
Current risk assessment rigor (RAR): Medium (M)
Independent assurance level (IAL): Low

Objective 2
Description: Safeguard and enhance ABC’s reputation
Corporate: ●
End result objective owner/sponsor(s): Tim Leech
Composite residual risk rating (CRRR): 4 — Advanced
CRRR update date: 6/10/2014
Potential to increase entity value: High
Potential to erode entity value: High
Current risk assessment rigor (RAR): Very Low (VL)
Independent assurance level (IAL): Medium

A call to action — boards and CEOs need to drive paradigm shift efforts

Globally, the ERM and internal audit professions have a serious case of paradigm paralysis that is impeding their ability to help boards and CEOs meet new risk governance expectations. Boards and CEOs need to play a key role driving a quantum paradigm shift in risk management and assurance thinking to make improvements in risk culture. When paradigm paralysis occurs it is always worth remembering the words of Albert Einstein, “Insanity: doing the same thing over and over again and expecting different results”.5

Expecting the same internal audit and ERM methods used over the last 20 to 30 years to produce dramatically different and better results for stakeholders is poor judgement at best. The authors hope that the paradigm shift ideas in this paper will help drive further thought leadership and the developments necessary to produce the quantum paradigm shift in ERM and internal audit methods necessary to help boards and CEOs better meet new risk governance expectations.

1 Example: See Financial Stability Board Principles for an Effective Risk Appetite Framework sent to regulators around the world http://www.fsb.org/wp-content/uploads/r_131118.pdf

2 Note: COSO uses the term ‘risk responses’. ISO 31000, the global risk management standard, uses the term ‘risk treatments’. In both cases the term refers to the full range of ways to finance, share, transfer, mitigate, avoid and accept risk.

3 See Office of the Superintendent of Financial Institutions June 2016 E21 Operational Risk Guidelines for an example of a regulator endorsing ‘Three Lines of Defense’

4 See Financial Stability Board Principles for an Effective Risk Appetite Framework http://www.fsb.org/wp-content/uploads/r_131118.pdf and IIA Research Foundation Auditing Risk Assessment and Risk Management Processes

5 Source: Albert Einstein. (n.d.). BrainyQuote.com. Retrieved 29 June 2016, from BrainyQuote.com Web site: http://www.brainyquote.com/quotes/quotes/a/alberteins133991.htm

The way forward: a board/CEO-driven internal audit paradigm shiftBoards and CEOs need to call for implementation of robust objective-centric risk self-assessment frameworks that use an objective register as the foundation. See details above. When an objective register is used as a foundation for ERM it defines the role of owner/sponsors, ERM specialists, and independent assurance staff

and, by definition, focusses resources on objectives key to long-term value creation and preservation.

Require internal audit use the company’s objectives register not an audit universe as their work foundation. Once management with the assistance of ERM specialists has completed the assigned risk assessments at the defined level of risk assessment rigour, internal audit completes quality assurance reviews where internal audit has been defined as the independent assurance providers to achieve the target independent assurance level defined in the objectives register. For some objectives in the objectives register the board and/or C-Suite may assign other independent assurance providers. The primary goal of internal audit is to provide the board with opinions on the effectiveness of company’s enterprise risk management processes and the reliability of the consolidated report from the CEO to the board on residual risk status. Internal audit should also flag any areas where they

think management is accepting levels of residual risk that they believe may be outside of the CEO and/or the board’s risk appetite/tolerance.

Ensure the internal audit team is staffed appropriately to contribute on top value creation and value preservation objectives. This can include management rotation programmes and hiring of staff from non-traditional internal audit backgrounds (i.e. outside of accounting,

IT security, external audit).