Internal audit insiders reveal their wish list for improving risk management and the role of non-execs
BRUSSELS IS WORRIED the public takes a dim view of auditors. By comparison, internal audit might be seen as audit’s less-sexy cousin – but the in-house watchdogs have feelings too.
A recent survey by the Chartered Institute of Internal Auditors highlighted a number of shortcomings on the part of non-executive directors, the board members charged with assisting internal auditors on all things risk related.
Risk management might not be sexy, but it is important. So what is on internal auditors’ wish list, and what would they like to see from their non-execs?
Top of the list is non-execs with relevant experience, which one internal audit insider said is essential if board members are to “ask the right questions”.
Another expert said financially trained professionals are best when it comes to risk management and helping internal auditors do their job, saying “lots of education and communication” can help non-execs step up to the mark.
However, relevant experience could blind non-execs to potential problems, and a fresh pair of eyes might be just as useful in the boardroom.
Amanda Ridings, executive coach and author of leadership conversations-focused Pause for Breath, said: “There is a risk in judging what the ‘right’ experience is; there are some important questions experts might not think of. Experience can be overrated.”
Instead, she said independence and “the right personality” can be much more valuable.
Our internal audit insiders also value the right personality. One admitted some non-execs “don’t want problems”. “It’s about the way they approach the role; they don’t want to challenge executives. Fortunately, this is a shrinking minority.”
Another said a rigorous induction process can help instil strong risk-management skills among non-execs, saying there has been a “significant and continuing improvement” in the quality of board members in recent years.
However, after-the-event training might do little good if non-execs’ personalities lead them to steer clear of challenge and here, the size of the talent pool becomes an issue.
Non-execs very frequently hold several positions concurrently. There are rules in place to limit the number of executive directorships individuals can hold, but when it comes to non-execs, it is more habit and best practice that guides appointments.
This means a relatively small pool of non-execs serving the largest listed companies, with attendant risks if some of them lack independence or perform poorly.
Often, non-execs are appointed on the basis of professional connections, making it more likely acquaintances will sit on the same boards, further reducing the diversity in each sector.
Ridings said this lack of diversity is one of the major problems in risk management, claiming overly homogenous pools of non-execs lower the likelihood of individuals spotting problems and raising them in the boardroom.
“We tend to be drawn to people who are similar to us, with whom there will not be too much discomfort and conflict.”
In a worst-case scenario, non-execs lacking independence and reluctant to challenge friends could weaken risk management in multiple companies and give internal auditors a headache.
Adaptive risk management
In an ideal world, our internal auditors have a diverse, independently minded and well-trained bunch of non-execs in situ – what now?
The experts said a flexible risk-management strategy that adapts to evolving commercial challenges is paramount.
“We need to make the risk management plan more of a living exercise, more sophisticated and always up to date,” said one insider.
The controls are in place, but boards need to evaluate them honestly to see how well they fit with company risks and how they could be improved, he suggested.
This might involve bringing risk onto the agenda more regularly, strengthening dialogue with executives and changing mentalities so risk management is viewed as a commercial boon rather than a chore.
Ridings went one step further. “The term ‘risk management’ implies all risks can be managed and ticked off the list, whereas what we really need are ongoing responses that are appropriate for the risks of complex adaptive systems”.
She said some boardroom basics – such as a heavily-agenda’d meeting – can hinder the debate, and discussion must assume a form which mirrors that of the risk.
Internal audit has undoubtedly taken a more central role in recent years, with financial services especially keen to embrace in-house risk management and bolster internal controls.
This has potentially given internal auditors more clout than ever, and changes to corporate governance guidance might have contributed to strengthening the effectiveness of non-execs and the internal audit function.
However, there is always a wish list of improvements – such as selection of non-execs and the form of risk-management debate – that might help internal auditors realise their full potential. Lucky it’s almost Christmas.