This is intended as the first of a three-part series of articles looking at risk management, integrated assurance and the Chief Audit Executive’s Annual Report.

In this first article we will explore risk management, and how it differs from Internal Audit, and then how through knowledge, understanding and co-ordination we can pull this together, and arrive at the basics for real risk based Internal Audit. There are recognised standards in respect of risk management, for example BS ISO 31000:2018 or COSO’s Enterprise Risk Management, and for Internal Audit, the IIA Global Internal Audit Standards. This article is not intended to cover those standards, but rather shine a light on how the respective professions or functions are related.

There are of course also requirements for listed companies, regulated and public sector bodies to report upon their principal risks and appetite; many of these take their lead from the FRC’s Corporate Governance Code. The 'new' FRC Code (2024) was released January 2024 and becomes effective for financial years beginning on or after 1 January 2025. There is a strengthening of requirements surrounding the Board explaining within its published governance statements how they have monitored the company's risk management and internal control framework and their conclusion.

Risk Management: Navigating a World of Uncertainty

I have witnessed many risk management frameworks during my career, ranging from the extremely basic to complex. There are many pros and cons to differing approaches to risk management, whilst some will definitely be more robust than others, there is one common trait which they should all display without exception, and that is ‘suitability’, not necessarily to any particular standard, but suitability to the individual organisation, and the needs of its management and directors.

Risk management is not about crunching numbers, creating elaborate spreadsheets, or maintaining fancy systems; it is the art of foreseeing storms on the horizon and ensuring that our organisational ship sails smoothly. Risk management is akin to a seasoned Navigator scanning the vast ocean for hidden reefs or icebergs. It involves identifying, assessing, and mitigating risks that face an organisation. The ultimate goal? To help the ship (read: organisation) reach its destination while minimising potential negative impacts.  

So, who holds the Compass? Operational Management: the Navigator takes charge of risk management processes, their toolkit includes risk assessments, scenario planning, and risk registers. They directly assess, control, and navigate around the reefs or treacherous icebergs. The Crew (operational management) provides supports, they exercise the controls or actions needed to keep the ship on course, hoisting the sails or adjusting the rudder; together they are the ones who know the ship’s nooks and crannies, its strengths, and its vulnerabilities.

Internal Audit: The Lighthouse

In the same way as risk management it is not about crunching numbers, fanciful spreadsheets and check boxes, as the lighthouse Internal Audit is illuminating the course ahead. The Lighthouse Keeper (the Chief Audit Executive) is providing independent and objective assurance on the Navigator’s risk management processes and the Crew’s ability to help them stay on course.

Unlike risk management, Internal Audit does not steer the ship, it does not hoist the sails or adjust the rudder. Instead, it stands independent, shining its light on operations; independence is its superpower, it is the voice that says, “Hold on, Captain! Are we sure we are not sailing too close?”

Whether we are too close, is a factor of risk appetite; the Captain’s (in this sense the Board’s) willingness to accept and manage risk in the pursuit of its objectives and reaching its destination. Appetite represents the boundary within which the ship operates regarding exposure, how close, or how far it must sail around the reefs or icebergs which hinder its journey. Clear definition and articulation of risk appetite is crucial to ensuring that the Crew are suitably equipped to balance the acceptance of risk, opportunity and make informed decisions.  

This is why risk appetite statements are so important; particularly given that appetite is likely to vary by risk type. The structure of the statement should be aligned to the organisation’s own risk classification approach. Almost all organisations will have low appetite in relation to circumstances which will damage their reputation, issues such as data loss, fraud, and health & safety, however, they may be more accepting of risks surrounding product development, delivery, and finance.

It is also important that Internal Audit, the lighthouse, understands and operates with consideration of risk appetite, ensuring that the ship keeps within it and that its own illumination does not cause the ship to deviate unnecessarily to its destination, supporting efficiency and successful arrival.

The Relationship

So now we understand the roles, how do they interrelate? Let us think about the commonly referred to Three Lines (of Defence) and our analogy.

The First Line, operational management directly manages risks. They are the Crew swabbing the decks and adjusting the sails. Putting in place and exercising the internal control environment, policies, procedures, and processes necessary to manage inherent risk which could prevent its successful voyage.

The Second Line, specialist control functions. They are the Navigator, or their lookout in the crow’s nest, monitoring and facilitating risk management. Exercising management’s own monitoring and risk assurance processes including those escalated up through the governance framework to ensure that the ship is on track.

The Third Line, independent assurance, such as Internal Audit, the lighthouse providing assurance to the Captain (Board) and advice to improve the activities of the First and Second Line to better manage risk, but doing so in recognition of risk appetite.

Key considerations to successfully support the Board:

Recognition that a risk register no matter how good it looks, does not manage risk, but is ultimately a communication tool between the Crew, Navigator and Captain; communicating risks and what is being done about them. The key importance of the register is therefore clarity of messaging, context, understanding and equipping those charged with governance to exercise effective scrutiny.

Recognition that it is not possible to eliminate risk and therefore residual risk should be managed to within risk appetite; for this reason, appetite this needs to be clearly defined and communicated. 

Internal Audit should shine its light on the risk register, providing assurance to Board and challenging the assessment of risk within the register to give Board the assurance and therefore confidence necessary to make decisions and direct the organisation’s path. Reviewing how inherent risk is managed, providing assurance over the controls recognised therein, the assessment of residual risk and how risks are managed to within appetite.  

Internal Audit is sadly not an infinite resource and therefore should be suitably prioritised and directed; the risk register is a key tool which should be used to inform the direction of resources. Where does Board need assurance? What other sources of assurance exist? Where can internal audit act in a consultancy role to help the organisation better manage risk beyond appetite? How should internal audit frame its observations in light of appetite?  

By thinking in this manner, you begin to see how to arrive at good, robust, risk based Internal Audit; it is not simply auditing risk areas, it is creating linkage and completing the communication loop so that audit outcomes feed back into the risk management process; it is reviewing the ship’s logbooks, checking the compass points true and providing a guiding light. This facilitates real, risk based internal audit.

Clear structure and linkage within the organisation’s risk management, internal control and assurance framework can support Boards in making informed statements and conclusions within their financial statements. This is particularly important given the strengthening of requirements by the FRC Corporate Governance Code 2024; therefore, providing Internal Audit another opportunity to promote and strengthen its position within the organisation.

Full Speed Ahead

So, to wrap up, our organisational ships do not tend to just move under their own power, ‘making way’, they are making way using propulsive machinery and ‘steaming’ forward; effective risk management and collaborative internal audit help provide management and Board the confidence to make the decisions necessary to move ‘full speed ahead’, or where ‘slow’ or ‘smart steaming’ may be more appropriate.

At Validera it is our mission to help our clients Improve, Comply and Optimise their operations, navigating storming waters, keeping their eyes on the horizon and their ultimate destination.

Lee Glover FCCA - Director, Validera