At the recent IIA International Conference I gave a talk about complexity in 21st Century Organisations. In the course of my presentation I asked two questions:
- Do you have a risk appetite framework? And
- Have you done anything to review your risk culture?
I was extremely disappointed with the response. A mere handful of people put their hands up in response to either question. Even taking into account that many people came from cultures where audience participation is anathema, and even given the natural risk aversion of the internal audit profession (ask PCL – they are the firm that assert this) I was disappointed by the lack of enthusiasm being shown by the organisations represented by the internal auditors.
I was disappointed for two reasons: firstly the Chartered Institute of Internal Auditors (the part of the profession that represents the UK and Ireland) has majored on risk culture for some time now. So OK, they had only just issued a paper on the subject, but it has been under discussion for some time. Secondly, for all of those representing UK quoted companies, there is clearly going to be a very long way to go in meeting the requirements of the new guidance on risk and control that is about to emerge from the FRC. That guidance is going to encourage boards to really focus on risk appetite, risk culture, stress testing and other aspects of risk management that the internal auditors are clearly not in a position to advise on.
So where are boards going to get advice? As I have already asserted elsewhere, internal auditors are most likely to have very limited risk expertise on tap. I am sceptical about the desire of boards to engage a Big-4 firm who they may never shake from their hair once they descend with teams of so-called risk experts – most of whom, I would venture to suggest, have little formal academic or professional training in risk.
Risk in all its complexity is not taught in the training of external or internal auditors. Enterprise Risk Management certainly is not taught by the insurance educators. Nor indeed is it a fundamental part of any other professional training, apart of course from those with a professional qualification in risk management. As the Chairman of the world’s leading professional body for risk managers, if you are sitting on a board, I can only urge you to make sure that those who are advising you on risk management really do have the credentials to do so!
Richard Anderson is the principal consultant at AndersonRisk. He can be contacted through their website: www.AndersonRisk.com/contact/ Richard consults on risk management with organisations worldwide.