Internal Audit and Risk Management simplified
This is the second in a series of articles in which our resident specialist, Louw van der Merwe, explains, on a very practical level, exactly what value Internal Audit and Risk Management can add in your organisation.
The first article, published in last month’s newsletter, included information on controls, the role of internal audit, as well as typical internal audit reviews.
Internal audit planning
Internal Audit has to review every process within the organisation at least once in a three-year cycle. However, areas that represent a very high risk to the organisation might need more regular assurance that key controls remain effective. The question therefore arises: which areas or processes should be reviewed every year, which every two years, and which only once in the three-year audit cycle?
The answer lies in the results from the Risk Management process. Risks that have been identified and prioritised are linked to business processes, allowing us to prioritise the actual business processes on a relative basis. Areas that are classified as “high” risk (according to the prioritised risks linked to those processes) will be assessed annually, while those considered “medium” will be reviewed every two years, and areas of perceived “low” risk once every three years. This plan is obviously not cast in stone and will be influenced by various factors, e.g. external impacts such as legislation changes or the results of actual reviews as they are conducted.
It is important to acknowledge that risk management is neither a new nor a complicated process. Not only is the successful application of basic risk management principles the cornerstone of most accomplished organisations, it is the very reason for their success. This holds true for both small and large organisations. In fact, smaller organisations face a much greater sustainability risk and are much more in need of the benefits of an entity-wide risk management process than larger organisations.
Consider the diagram below:
To illustrate using an example, consider the single owner of a small manufacturing concern that produces and sells African rugs. The owner employs 20 people, who weave interesting carpets from materials procured by him.
Shortly after opening the factory, the owner contemplates the risk of his factory being destroyed by fire. Since he considers this a risk with a low likelihood but a very high impact, he will make a contingency plan but will avoid managing this risk through a number of small, daily actions. His plan might include installing fire extinguishers in strategic locations and utilising a friend’s unused warehouse space in case of an event incapacitating his factory.
Conversely, the likelihood of one of his 20 workers being sick on any given day is relatively high. Bearing in mind that they all effectively perform the same function, the impact on the organisation should be relatively low. Once again, the owner does not want to spend a substantial portion of every day managing this risk and will therefore put in place a monitoring action only, to ensure the impact does not increase. His monitoring action might be to appoint a foreman who reports on a daily, weekly or monthly basis on the employees absent during those periods.
The challenge in most organisations lies not in the implementation but rather in formalising an existing thought process and in ensuring that this thought process is embedded and consistently understood throughout the organisation. It takes time and is best achieved through simplicity.
The advantages are myriad. Imagine an organisation in which:
- everyone shares the same appreciation for, and understanding of, risks facing that particular organisation;
- every action of every employee, no matter how junior, is focused on addressing a particular risk; and
- the degree of focus and application is commensurate with the likelihood of that risk arising, as well as the particular impact that risk may have on the organisation.
In such an organisation aspects like budgeting and applying resources (both time and money) will be simplified. Top management, directors and non-executive committees (such as the audit committee) will identify and understand key business risks, thereby focusing their energy on those risks that could affect the very existence of the organisation.
Many risk management processes fail for two main reasons. Firstly, organisations try to do too much too quickly. It’s like trying to move from crawling to playing football in the World Cup in a period of three months. Secondly, the initial risk identification is haphazard. Hundreds of risks are identified, some in more detail than others. The result is a convoluted, administratively intensive process which is difficult to manage and has virtually no long-term benefit for the organisation.
The key to managing risks effectively is to take small steps. Don’t get bogged down in detail, and make sure you have a knowledgeable and very experienced person on board to assist you, especially in those crucial first 12 months. Getting the process right may take up to three years.
For further information contact Louw van der Merwe on tel. (021) 882 8140 or e-mail firstname.lastname@example.org.