Risk Management and Internal Audits

Risk management covers building an understanding of the various events (internal or external) that may adversely impact an organization's ability to achieve its objectives. It also involves analyzing and addressing those risks through appropriate mitigation measures. Enterprise Risk Management (ERM) is an integrated, joined-up approach to managing risk across an organization and its extended networks.

An ERM program therefore focuses on the most critical risks that may adversely impact the organization. There is a flawed assumption that, since the ERM plan already covers the risks, mitigation plans and controls in great detail, Internal Audit has little to contribute. On the contrary, linking the Internal Audit plan to the ERM program can go a long way toward strengthening risk management practices and controls. There are multiple ways of doing this, and the approach will vary depending upon the organization, the risk and its mitigation plan. One of them is for Internal Auditors to review the effectiveness of the mitigation plan as part of their reviews.

As an example, suppose the risk is dependency upon a single vendor or country for the procurement of materials or services, and the mitigation plan is an alternative vendor development program. Internal Audit may want to understand the following:

1. Is there a structured list of the materials that are being de-risked?

2. What is the extent of single vendor risk now vis-à-vis the last year?

3. Are we focusing on the materials which pose the maximum impact?

4. What is the impact of de-risking in terms of cost/profit?


The role of Internal Audit in such areas is to validate the mitigation plan and assess whether there are any execution gaps. These gaps could take the form of:

a. Focus on easy to change materials rather than the strategic ones

b. Chasing a target for its own sake, even where the cost benefit of doing so is insignificant

c. Replacing a domestic vendor with an overseas one, leading to longer lead and wait times and higher inventory holding costs


As another example, 'training' of production workers was identified as a strategic risk mitigation measure to minimize defects and increase throughput. A detailed training manual was rolled out, and the identified team received the training, including refresher courses. The program received a lot of visibility within the organization. However, the defect rate remained elevated. An internal audit review determined that the root cause identification had been incorrect: 'training' was not addressing the actual problem, and a deeper study was needed to identify the true root cause of the high defect rate.

Assessing the effectiveness of the mitigation plan is one useful way in which ERM and Internal Audit can be linked. There are other ways as well, but that is for another day!

More articles by Prasad Golwalkar