The Four Horsemen of the Apocalypse

The four horsemen of the apocalypse, variously interpreted as representing war, false prophets or sickness, famine and death, have their modern-day equivalents, Andrew Garner, CEO of Andrew Garner Associates, told conference delegates.

Dipping into what he called ‘an anecdotal pot’, he used the metaphor to present and examine examples of issues framing the world today in which his audience was trying to make a living and create a safe environment for their children and generations to come. These included battles within the European Union, those on its borders and in the Middle East; overstated profits at Tesco; the Ebola virus disease; austerity measures; and organisational death.

Homing in on the challenges facing internal auditors in their working lives, including market changes, risk in its various forms and the current behaviours of plc boards and senior commercial management, Andrew hammered home the importance of moving beyond the interpretation of data to ‘looking out of the window’. If anyone in the audience hadn’t read that morning’s papers, he said, he wouldn’t give them a job. 

‘A systemic flaw in modern society is the reliance on what is being fed to you in the way of data,’ he said. ‘Data is our enemy unless we use it wisely. If you are an internal auditor you can’t escape it and you have to augment that by being different: by looking out the window.

‘Mathematics is presented as the language of economics. It never has been and it never will be. Economists have criminally misled the world. How long did they say that interest rates would rise? No, they haven’t. Did we have the predicted double dip recession? No, we didn’t and that’s because they were looking at the wrong data.

‘The problem is that we can’t distinguish between the weather and the climate. Linear extrapolative thinking has dominated our lives.’ 

Andrew concluded by pointing out that brands existed and thrived by promoting their difference. In a career context internal auditors have to do the same thing. ‘There will always be another tick-boxer around,’ he said. ‘So look at how you can add value to your organisation. And keep looking out of the window.’ 

Implementing risk management – practical lessons

Rui Bastos, group head of audit & risk management at Reliance Industries, discussed the whys and wherefores of implementing ERM in a business undergoing a major transformation.

Reliance Industries Group (RIL) is India’s largest private sector company with businesses across the energy and materials value chain and a strong presence in the rapidly expanding retail and communications sector. The business accounts for 17% of the country’s GDP.

In 2012, RIL found itself at the start of a journey to transform what was essentially a family-owned business into a corporate, operating in an environment where emerging corporate governance requirements were driving higher standards relating to risk management, internal control and regulatory compliance. 

‘All the legislation you're seeing in the US and Europe is slowly migrating east into Asia,’ Rui explained. ‘Western businesses have been using quality standards as a means to protect their markets, so emerging markets are responding in the same way, raising the bar to equivalent standards in order to compete. India is going down this path.’ 

The ambitious business programme to transform RIL’s corporate governance and prepare the group for the future was not without significant challenges – starting with how to get people to understand why Enterprise Risk Management (ERM) needed to be put in place in the first place. Others Rui highlighted included: 

  • making the shift from a people-centric to process-centric business model
  • addressing workforce age demographics to reduce people dependency risks
  • recognising and addressing increasingly complex regulatory requirements across different industry segments and jurisdictions.

Once the business case for ERM had been made and management support and ownership secured, four core work streams were identified and addressed: 

  • formalising the corporate governance framework
  • strengthening the risk management and assurance processes
  • automating risk, controls and assurance management
  • enhancing internal audit skills and capabilities.

Rui ran through the operational challenges presented in establishing and embedding sustainable ERM processes, ensuring effective risk management discussion to drive value from risk management outcomes, and aligning the corporate risk management ecosystem – the risk management, internal control and assurance functions. 

And he had a clear message for auditors: ‘Audit plays an advisory role in the whole change management process,’ he said. ‘You play a fundamental role in helping an organisation get a sense of whether its corporate governance framework is being embedded and implemented because your work programme touches on so many different parts of it. You are the eyes and ears of the business – use them!’   

Practical auditing of project risk management

There are just three key questions that auditors need to be able to answer when they are looking at risk management for any business project, according to Richard Archer, chief risk adviser, BT Business. These are: Are the risks known? Are the risks prioritised? Can the risks be managed?

‘To me, project risk is one of the most exciting aspects of risk management because so much is new,’ Richard said. ‘There are often new teams working together, new markets, new technology and new target customers. And “new” equals “risky”, so it is very important that enough time is spent identifying what the risks in the project are.’ 

Risk appetite has come to the fore as a key component of governance and risk management but Richard warned that it was a concept that everyone thought they had mastered but very few really had. ‘Even risk professionals struggle with this,’ he said. ‘The risk management competency of any auditor cannot be taken for granted, so it is worth checking out their maturity and level of experience.’ 

The easiest part of an auditor’s job, he said, is auditing for compliance, with a good starting point being the risk register. Common pitfalls include: key risks are not identified; the uncertainty of risks is not explicit; the risk matrix is not appropriate/risks are not quantified; and controls and actions are confused.

‘Another issue is that actions to be taken are often not defined or tracked,’ Richard noted. ‘Quite often you see a statement like “improve communication” but there is nothing explaining how this is going to be done. Revisit six months later and surprise surprise… they haven’t done it!’ 

The types of compliance violation can be varied. Richard grouped them into unintentional, routine, situational, optimising and exceptional, detailing possible causes and suggesting possible solutions. 

At the end of the audit process an auditor has to be sure that their recommendations are going to help the business. ‘But, above all, please keep risk management a creative process,’ he urged his audience.