Thursday, 12 March 2009

Managing risk in a defensive way

Internal audit is the last internal line of defence, so it is imperative it is effective and operates at the correct level

1 comment:

Guanyu said...

By DUNCAN EDWARDS
12 March 2009

Risk is double-edged; no one makes money without taking risks. Yet, the current global financial turmoil is testimony to how risk, when badly taken or not fully understood, spirals out of hand.

This unprecedented global economic mayhem has put the spotlight squarely on assurance providers. While some major global financial services organisations have landed in dire circumstances, others have been able to understand and manage their risk exposures to their commercial advantage. How did they achieve that?

Three lines of defence

A common response to risk management is to implement the ‘three lines of defence’. This approach, though simple, helps to clearly define roles and responsibilities in managing risk.

The first line of defence is front-line management and staff - people at the heart of the business who bear the risks of the business. They have to understand their risk exposures and the organisation’s attitude to risk, and put in place appropriate risk mitigants.

The second line of defence encompasses people undertaking risk and control functions such as operational risk, finance and compliance. They interpret the risk appetite of the board into practical policies, procedures and limits. They support the first line of defence, monitor the performance of the business and should provide early warning signs of adverse risk trends and practices.

The third line of defence is internal audit, which should provide assurance to the board, management and stakeholders on the whole system of internal controls. Internal audit is your last internal line of defence, so it is imperative it is effective and operates at the correct level.

The current global crisis has clearly provided a ‘wake-up’ call across the three lines of defence. If controls and risk management processes were working, how did the financial services industry end up in the current circumstances? What are the lessons learnt?

Transforming the assurance you receive

One of the best ways to respond is to transform the assurance internal audit provides. In the second quarter of 2008, Ernst & Young undertook a global internal audit survey of close to 350 major organisations. While the global slowdown had begun, internal audit departments had typically not customised their plans to respond to the crisis, as potential consequences were not fully understood. But all that is changing. Executives are beginning to rally around four initiatives as they look to increase the value that internal audit provides:

# Tightening processes and controls

Some call this going back to basics, making sure fundamental processes and controls are sound and operating effectively. It also includes reassessing the role of risk, strengthening risk teams and committees, and evaluating risk portfolios more carefully. This is clearly a role for internal audit. We have learnt that the ‘once-in-a-lifetime’ risk scenario does happen and businesses need to be ready for it, however infrequently it occurs.

# Building a risk-aware culture

Risk is everyone’s business. A risk management culture is only as strong as its weakest link. Although some staff are specifically tasked with risk management, it is everyone’s responsibility to know and manage business risk. Internal audit should be raising this awareness.

# Repositioning people

Businesses continue to look to build up the skills of the risk team, internal audit and front-lines of defence, including providing greater clarity on the roles and responsibilities of the three lines of defence. Front-line management and staff have to be coached on risk management and understand the organisation’s risk appetite.

# Escalating communications

Risks can quickly unfold into a crisis. Communications, both upwards and downwards, need to be earlier, faster and more substantive, clearly explaining the potential impact and implications to those who are less risk-aware. And most importantly, we have to listen to the messenger, no matter how unpalatable the message is.

Evolving role of internal audit

The current crisis has resulted in some businesses fundamentally re-assessing, or at least re-validating, the role and purpose of internal audit. In fact, this is a great opportunity for internal audit functions to take on a heightened role and responsibility in risk and control assurance.

The core responsibility for internal audit remains constant - provide assurance regarding governance, risk management and internal controls. There is much debate regarding the role of internal auditors in business or process improvements. However, within financial services, this does not yet seem to be happening. The key is to provide robust assurance over processes that matter.

Internal audit functions are also looking to strengthen their quality assurance departments and procedures, to ensure they deliver reliable results. This includes increased use of independent quality assurance reviews of their capabilities and performance.

Internal audit within financial services appears to realise the importance of addressing the broader risk agenda, rather than just financial risks. This includes, for example, specifically addressing strategic, operational, market conduct, product and liquidity risks. Some intend to probe further and in greater detail into areas that are perceived to be of higher risk. Others are placing reduced reliance on the ‘second line of defence’, at least until its maturity and robustness are better demonstrated.

Also, as products get increasingly complex, internal auditors need to truly understand the business and its risks, and objectively challenge the approach taken to mitigate risks. However, there remains a dearth of internal auditors with deep specialist skills and experience. Failure to pool together the right talent can result in providing ‘false assurance’ to the business. Where required specialist skills and experience are not available in-house, many are now seeking external assistance to bridge that gap.

At times of significant change, high pressure and uncertainty, the risk of control failures increases significantly. Internal audit should be providing you with assurance that this is not the case for your business. Is yours?

Duncan Edwards is an executive director for financial services, Ernst & Young LLP in Singapore. The views expressed herein are the writer’s own.