Embracing risk
Internal Auditor, Feb, 1999 by Gregg R. Maynard
Holistic risk management strategies have pushed aside internal auditors' traditional myopic focus on controlling the downside of risk. A fully integrated audit operation now understands and embraces risk as the source of profit.
Management in many types of organizations is now evaluated not only by its performance record, but also by the adequacy and effectiveness of its risk management activities. That maxim is certainly true in the U.S. banking industry, where the Federal Reserve's approach to supervising banks has evolved to emphasize a more forward-looking analysis.
Recognizing that internal auditing represents a key element of corporate risk management, we at the Federal Reserve Bank of Atlanta recently studied several internal audit shops to identify and compile best practices for strengthening corporate risk management programs. Data was gathered from SunTrust Banks, Inc.; Barnett Banks, Inc.; SouthTrust Corporation; and Regions Financial Corporation, four of the largest banking institutions in the Sixth District of the Federal Reserve System.
Twelve best practices related to internal auditing's role in corporate risk management were identified. Actual implementation of these activities varies from company to company; and while some companies may employ each of these processes to some degree, no company involved in this study employs all of them exactly as described.
None of the 12 best practices represent required elements from a regulatory or quality assurance standpoint, and not all of them may be appropriate for all financial institutions. They do, however, highlight activities that are likely to be of interest to any organization, financial or otherwise, that is developing or improving a fully integrated risk management approach.
BEST PRACTICES
1 COMBINING OBJECTIVE AND SUBJECTIVE ANALYSIS OF THE AUDIT UNIVERSE TO REVEAL AUDIT PRIORITIES. A strong risk assessment process that includes both objective and subjective factors is key to executing a risk-based approach to internal audit activities. In such a process, the traditional audit cycle is de-emphasized. The standard frequency of audit activities has historically been the primary, if not the only, determinant of the audit schedule; but freedom from it allows the auditor to focus more precisely on areas of material risk, thereby improving the efficiency of resources.
In a sound risk assessment process, all auditable activities are first identified, an activity commonly referred to as "defining the audit universe." Audit management then assigns values to each auditable activity based on objective factors, such as the net dollars at risk, the number of transactions processed, the volume of assets or liabilities under control, and previous audit or regulatory ratings. Through spreadsheet analysis, these objective factors are weighted numerically according to importance; and a quantitative rating is assigned to each auditable activity.
Once this quantitative ranking is established, subjective factors are applied to adjust the ratings for nonquantifiable information. The span of subjective factors could include professional judgment, the legal complexity of the activity, the strategic importance of the activity to the company, and key changes in management or the business environment. As a result of this combined objective and subjective analysis, areas of material risk are identified. Audit resources are effectively assigned so that the resulting audit schedule concentrates on these high-risk components.
Other best practices in the area of risk assessment involve updating and sharing the results of the assessment. Given the rate of change in today's business environment, annual risk assessments can become obsolete during the year. For example, audit findings and other operational developments can affect the risk environment. Risk assessments are, therefore, continuously reevaluated, and audit schedules are adjusted accordingly. As dollars at risk are quantified, or as these quantifications are revised, the assessment is changed to reflect the true risk level of the activity.
In addition, the audit department improves the risk management posture of the company by sharing the results of its assessments with executive management. While some may view this act of sharing as a violation of independence, management teams engaged in developing or improving a fully integrated risk management strategy need a corporatewide risk assessment. By utilizing this approach and taking advantage of its independent and objective position, the audit department is able to produce a high-quality risk assessment. As long as the actual audit schedule is not revealed and no auditor influences the decisionmaking process within the organization, the standard of independence should not be breached.
2 ANALYZING MANAGEMENT'S ABILITY TO ACHIEVE ITS STATED GOALS AND OBJECTIVES IN PRE-AUDIT NARRATIVES. Many audit departments routinely write pre-audit management narratives that cover the nature, history, issues, successes, and failures of the business activities to be audited. When this narrative also evaluates risk management activities, it can be a highly effective tool.



