Where did that risk come from?
Business units often do not have clear visibility into activities occurring across the entire organization. Internal audit can help connect the dots on emerging risk areas.
With visibility across the enterprise, internal audit can improve its value to the organization by providing management with much-needed insights on emerging risks.
Internal audit can help the organization anticipate the risks lurking around the corner and turn risks into results.
1. What’s the issue?
In 2012, EY commissioned Forbes Insights to conduct a global survey about internal audit. In our survey, 31% of respondents cited the ability to monitor for emerging risks as one of the top five adjustments they would like to make to their internal audit function — second only to enhancing the risk assessment process (40%).
Often, business unit leaders and management executives below the C-suite do not have clear visibility into activities occurring across the entire organization. This lack of visibility can have a swift and negative impact on the organization’s ability to respond to the organization’s changing risk profile.
With the ability to gain an enterprise-wide view of the organization, internal audit is uniquely positioned to provide key insights that will enable management to anticipate and respond to both identified and emerging risks.
2. Why now?
With a continued focus on globalization and the ever-accelerating pace of technological innovation, organizations need to rethink operating models to remain competitive. There are a number of areas creating opportunities to increase efficiency and speed to market:
- Operating and selling in emerging markets
- Technology that enables niche businesses to turn the competitive landscape on its head
- Greater use of third-party suppliers
However, these opportunities also create risks that the business never had to focus on and think about.
Economic volatility and increased regulatory scrutiny are also adding new dimensions to the risk landscape.
Internal audit needs to become the forward-looking “eyes” of management and the Board, offering visibility not only into the risks they know and monitor today, but also into where new risks may emerge as the business continues to change.
3. How does this affect you?
Not anticipating emerging risks can have negative consequences on an organization’s operations, reputation and bottom line.
To position internal audit to help management identify the risks that matter, both existing and emerging, the function will need to have the right competencies. This includes:
- Analytical skills
- Business acumen
- Regulatory knowledge
- Communication skills
- Ability to effectively evaluate risk indicators and leverage information from within and outside the organization
4. What’s the fix?
There are six activities internal audit can undertake to add value and provide the insights management needs to address emerging risks:
- Develop an internal audit-specific strategic plan and an operating framework.
An effectively crafted internal audit operating framework will enable the function to stay current on changes occurring internally, within the industry and within markets in which the organization competes.
- Employ data analytics and leverage continuous monitoring, when available.
When embedding data analytics into the framework, internal audit should pay particular attention to data gathering and analysis as a means to proactively identify changes in the risk profile.
- Develop communication protocols that foster open discussions with management and key stakeholders within the organization.
This should include scheduling regular meetings with key members of business management, including the C-suite.
- Conduct regularly scheduled internal audit analyses and discussions of collected data with a view to “connect the dots.”
Because of its enterprise-wide view of the organization’s activities, internal audit is uniquely positioned to combine the results of its audit work and collected information to evaluate the cross-functional impact of changes in the risk profile.
- Sponsor the creation of or increase the involvement of a management risk committee.
The management risk committee can help to assess whether management has identified and is addressing key current and emerging risks.
- Establish a template for consistent reporting to senior management and the audit committee.
Coordinated risk reporting will give the audit committee a broader perspective into the health of the organization.
5. What’s the bottom line?
In our survey, 75% of respondents believe strong risk management has a positive impact on their long-term earnings performance. Our client experience and research validate this belief.
Similarly, 75% of survey respondents believe that their internal audit function has a positive impact on their overall risk management efforts. And yet, 80% acknowledge that their internal audit function has room for improvement.