coves ov ananys.ceirmnean RISK WATCH™ In ‘Touch With the ‘Top Adding value to the risk management process hinges on effective communication with organizational leaders. OMMUNICATING WITH senior management ahout risk is one of the :nost important activities performed by inter- nal auditors. Internal auciting represents the organization's primary risk-assur- ance service and can lend great insight and support to the process of identify- ing and managing expesures. Because senior management holds the vltimate responsibility for managing risk, itis essential for auditors to be able to share their knowledge and eflevtively convey ‘their concerns. Organizations develop a stance on risk ‘that reflects the accepted tolerance level for isk: taking, The stance can range from aggressive to conservative and can vary across different areas ofthe business. The ‘organization's position influences how senior management thinks about risk and its approach to managing risk. Trad ‘onally internal auditors hive held & con~ servative stance om risk, believing that ‘more control often provides beter con- trol. However, if internal auciting’s stance is different from that of the orga- nization, chen the auditor is out of step ‘with senior management’ thinking and decision-making. Due to the coraplex nature of risk and varying perspectives regarding how to address exposures, itis important for femal auditors to be in sync with orga~ nizational leaders on the tight approach to take. Developing this understanding hinges on effective communication between the two parties, ‘The following seven strategies can help internal audi tors ensure that their communications with senior management yisld rwatual understanding as well as approaches to sok management that best serve the needs and goals of the organization, Copyright © 2001 All Rights Reserved Enlist the support of senior manage- ‘ment fr internat auditing’sisk-based approach and objectives. successfully fulfil its responsibilty as the organiza tion's risk management sponsor, it is essential for internal auditing to receive the support of senior management. By fostering x cooperative relationship and partnering with the senior management team, internal auditors can help open the doors for effective communication. To ensure adequate support from organiza tional feaders, internal auditors should begin by describing to them the risk man- ‘agement program/audit process best suited to the organization. ‘Auditors should emphasize their unique expertise with regard to risk issues and explain how senior management can sup- port their efforts. During these diseus- sions, auditors need to respect the sisk-taking responsibilities of senor man~ agement and try to think of risk from management’ perspective rather than jst focusing on audit-related concerns. By developing a better apprecition of their chief customer's point of view, auditors ‘ean increase the value they conte the organization. Adopt relevant language to develop understanding about risk. A common language is essential for discussing risk scenatios in a consistent manner. When all parties use the same terminology, they ‘can improve their description, analysis, and understanding of risk {tis only when a risk is understood that it can be con. olied, When risks are not understood, ‘control is almost certain to be inadequate and ineffective. Internal auditors can help to establish «a consistent language for tisk discussions by developing or adapting a glossary of oRISK WATCH risk management terms to share senior management. For example, many people do not recognize that risk includ both threats and opportunities. Provid- ing senior management with definitions that distinguish these two sides of risk and clearly explain the differences may help to prevent potential misunder w LKEL dition, the following sense oft include in a risk glossary: = CONTROL RISK SOURCES The strategic or omg nizational contexts from which risk ‘exposures originate, characterized by factors such as uncertainty, complex ity, and hazards. # RISK CAUSE The circumstances or fae- tors that initiate a risk at the source 1@ RISK The chance of an impact on objectives or other values at csk. VALUES AT RISK Elements of the organization, such as objectives, intellectual capital, culture, capabili ties, opportunities, and other finan cial and nonfinancial values, that are and ta exposed to the chance of in According to The Wall Street Journal Health Costs Are Expected To Double By 2007 's your TPA administering your health plan property? HDN's TPA audit isthe soktion to measure performanoe and reduce cost. ‘Are you being overcharged by health providers? HOM investigates medical claims for errors and recovers overcharges. Find out why HOM is the Ideal solution to help your ‘company reduce health benefits expenses, HON has a nationwide network of auditors and specializes in seltinsured health plans. HDA [Healthcare Data Management, Inc. ‘60 Chestnut Avenue» Suite 103» Devon, PA 19339 ara ae eres eet ea SA = CONSEQUENCE The outcome of an expressed qualitatively or quan: oly, being a loss, injury, disad- ‘There may be a eange event. (Australian Risk Manage ment Standard ASINZS 4360, 1959.) 1000 A qualitative description of probability or freq an Risk Management Standard ASINTS 4360, 1995.) nization—including its resources, systems, processes, culture, structure, ks—that, taken together, sup- port people in the achievement of the organization's objectives. (‘Guidance on Control,” Canadian Institute of Chartered Accountants, jossary and apply th language consistently tions about risk. Establishing simple, understandable definitions wil help being corer to what ean otherwise seem ike an pact. unstructured mats of circumstances. 3 Faciltateariskassessment workshop to identify significant exposures, A Faciliated worksho aieation forum fe al couam~ ing the onga~ nization’ risk profile. All ofthe relevant dividuals can be engaged in the work shop at one time, which gives everyone the opportunity © and to supplement and correct the infor ar all contsibutions ry. (Aus- top-down approach to risk identification and assessment begins with understanding what senior management considers to be the significant exposures to risk, and a risk assessment workshop can be a usefal starting point for this process. Senior management has a strate gicand whole-ot-indastry perspective on the issues and trends cat can yield impor tant insight into fature exposures. The top-down approach ensures consistency among risk asturance programs through~ out the organization, so that the various serves, such as safety, quality, environ ment, and security, are all functioning with on framework. Tntemal auditors can take a number of steps to ensure buy-in forthe risk-assess- 88 of an orga: communica Contemporary Business Concepts In-house and Professional Association ‘Seminars and Training Programs Providing Comprehensive Seminars For Risk and Control Managers and CSA Professionals | *Programs For CSA Professionals" + CCSA An Exam Review Course | ‘Wil help you prepare for the CCSA Certification | Examination * Conauiting A Value Added Service Will help you become @ more effective Inter- nal Conguitant, * Bisk And Conirol Management For The Executive ‘Wil help executives improve thel isk and ontol management. understand the impications of tie Federai Sentencing Guideline, and strengthen the tone atthe top. Contact Us To Schedule These Seminars ‘Contemporary Business Concepts 1-800-956-6780 US, and Canada or (208) 312-0159 from anywhere E-mail a: OBCcourses @atl.net Contemporary Business Concepts ‘36 Tamarack Avenue PMB 212 Danbury Connecticut 06811 Copyright © 2001 All Rights Reservedment workshop, Hep measures include describing the expected outcomes and benefits of the workshop, engaging an -xpert ficlitator to plan and prepare for she event, and delivering the expected our- ‘somes anc benefits gern pests udit plan. Senior management's need for effective risk managernent sys tems infitences the internal audit plan and the allocation of resources. The orga nization’s application of internal audit ing might follow a specific theme with regard to risk management, such as investment or fraud, that influences the snnual plan. When the organization faces rapid and severe dynarnic change, senior ent might even deteemine that ex cycle for audit planning, such every three months rather than annt- ly, is more appropriate. For these reasons, it is important for intemal auditors to communicate regu- Jarly with senior management about the focus for the interna! audic plan, One way that auditors can ensure the success of such engagements is to be fexible and cnsuse that they are capable of respond ing to any type of risk that senior man- agement deems important, For example, auditors should be prepared to hice a spe- cialty consultant or educator for areas in ‘which their department lacks experience ‘or expertise. Creative approaches to capa- bility sou-eing options allow internal euditing to provide a greater variety of ‘optians to senior management, thus facil- cating effective negotiations regarding the audit plan and providing the orga- jaation with the best possible service. BH consioute othe state planning process. Senior management's strate- gic planning process is one of the most important forums in which significant risks facec by the organization are di cussed. These meetings involve discus sions of what impact risks might have inthe feture and how the organizatior sight plan and resource its future actions. 1Fintemnal auditing i left out ofthis con- versetion, chen the finction is marginal ized and confined to the detailed risks of day-to-day operations. Taternal auditors can provide a profes- sional, specialized contribution that helps to ensure « better outcome for strategic planning, x learning experience for the anagem audit function, and a usetal reference for uiting’sfuruze work in the orgsnization. Auditors should identity their potential for adding value to the planning process and determine what unigue capabilities they can offer that senior management ight not possess on its own. Auditors should seize the opporrunity to make 2 distinctive contribution and to guide the soup to anticipate the impacts of threats and the benefits of opporturities. Aadi- tors must not be passive listeners at state- gic planning meetings, but a contributors and—when the moment is tight—-determined leaders. Periodically inform senior manage- ment ebout emerging priorities. Envi ronmental scans and other rsk monitoring processes survey the organization's dynamic conteats for information about significant changes that might impact the ‘organization. This “outsce-in” perspec tive recognizes what s happening in global business, the economy, pelitcs, technol ogy, and society and markets, and exam- ines how these external circumstances ate relevant to the organization. ‘To ensure that senior rnanagement is kept abreast of any relevant cisk factors, auditors might find it helpfel to estab- lish a “sisk watch” service to monitor for cemergingfissues that might impact the organization. This type of service may involve reading business and industry newspapers of other deta sources to track issues, assessing how those issues might he relevant to the organization, and then relating the information to senior management so shat appropriate action can be taken, Tn addition, auditors should try to take part in any orgenizational forams held by senior management where the impact cof risks might be relevant to the discus sion. This inchides meetings with the exe utive committee, project implementation groups, and process improvernent teams, as well as monthly financial review/plen= ning meetings and producr development, marketing, and advertising impact meet” ings. These ae the settings where senior ‘managers discuss some of the organiza~ tion's most critical issues, and they present an idea! epportunity for auditors to share their expertise in risk maragement, col lect information about the organizztion, communicate with senior managesnent about selevant applications of risk man- Copyright © 2001 All Rights Reserved RISK WATCH agement, and recognize any opportunities for value-adding risk-based audit projects. Regularly inform senior management out high-risk areas when reporting ‘the results of audit projets. Each audit can include an assessment of how the significant risks facing the overall organi- zation impact the audited segment. This allows senior management to better under- stand the organizational dynamics of var- fous tisk factors and respond to them in ‘amore meaningful and effective way. A simple “red, tamber,”or “green” score on report, for extmple, can serve as an effec~ tive communication device to indicate high, moderate, or low impacts for those risks that are relevant to the audit. Internal auditors can also explain to senior management how significant risks can be measured by key risk indicators (Kx), Some key performance indicators already measure risk, such as the percent- age of accounts receivable more than 90 days overdue asa measure of potential! loss, ‘Audit reports can include a table of KRIs assessed before and after the audit, sup plemented with an explanation of risk sources and possible treatments to improve risk management and control systems and, 5a result, orgenizational performance. PLANNING FOR CONTINGENCIES Risk often stems from change. The process of risk management involves negotiating change on a constant basis. By contrast, control systems are usually stable. Any ‘modifications to these systems need to be designed, approved, documented, and actioned. Because of the time and effort required for this process, emerging risks that develop in the organization's dynamic contexts can stress and possibly outpace the existing control systems. Regular and effective communication with senior man- agement ear help to ensure that risks are “understood and that controls ar designed to adequately address existing exposures, withthe flexibility vo anticipate Farure sks.