Non-execs ‘fall short’ on risk management

ALMOST ONE-THIRD of company boards fail to adequately manage risk, according to a new report by the Chartered Institute of Internal Auditors.

Internal audit chiefs said when it comes to non-executive directors (NEDs), 28% lack a formal process to determine how much risk is acceptable, and compliance issues are given scant attention.

Some NEDs lack the autonomy to effectively challenge company executives in 17% of cases, while in 63% of companies, NEDs outside the audit committee had no contact with internal auditors.

CIIA chief executive Dr Ian Peters said: “Although our survey shows that the importance and quality of non-executive directors has improved over the last five years, it is clear that [they] still need to become much more questioning and hands-on in their approach to risk management if they are to meet the needs of the company and the expectations of investors.”

More than 140 private sector heads of internal audit were questioned. They outlined two major barriers to a strong understanding of company risks: limited information on key company issues, in turn leading to a poor grasp of operational risk.

Two-thirds of internal audit heads said their NEDs were “wholly or very” dependent on managers for company information. And while understanding of strategic risks was “good or very good”, knowledge of operational risks was “average or poor” for 28% of NEDs.

The report comes at the same time as a paper from the Institute of Risk Management, produced to give boards guidance on determining the nature and extent of significant risks.

A CIIA spokesman said the findings beget “some interesting further questions for both internal auditors and boards in terms of how concerns raised about the independence of NEDs and their level of knowledge of operational risks will now be addressed”.

It called on boards to be “highly supportive and effective”, with a strong understanding of how they can harness internal audit.

