Jane Walde is a Risk Management professional at The Holistic Risk Practice
How can Internal Audit and Risk Management work together to improve governance?
Risk management looks forward into the unknown and alerts the company to uncertainties that might help or hinder achieving its objectives, whilst Internal Audit deals with the known and can only audit what is actually there, or has already happened, so there should be a logical sequencing of work between the two functions.
In the planning stages, working together to make sure the audit programme covers the most material risks means that the Board gets assurance, or a reality check, on how the most important exposures are being managed.
Internal Audit findings can be good indicators for where Risk Management needs more engagement with the business, so Risk Management should see the Internal Audit reports.
If a risk is emerging and its controls are still being designed or are not yet in operation, it is rather a waste for Internal Audit to spend time checking and reporting that the risk is insufficiently managed. Although, being on the audit plan can be a good impetus to get the work done if it has been delayed without good reason!
Coordinating our risk and audit work results in better allocation of resources and helps to embed risk appetite and desired behaviours.
Controls are put in place to manage risks in line with risk appetite. Risk Management facilitates the business to decide what sort of controls should be in place, whilst audit checks if the controls are actually in place and effective. This is where blurring of these roles can be a problem - we know that when Internal Audit becomes more advisory, it becomes less independent. The same can be said for Risk Management giving assurance on controls and control systems.
Internal Audit is much more established than Risk Management and has a key role in providing information to the Audit Committee. Some governance structures do not have a Risk Committee. This can be problematic, as most Audit Committee agendas are already very full.
A good Risk Committee will look at the material risks in more depth and make sure that the Board gets to see the most relevant risks, including emerging and sustainability-related risks. It will oversee the development of the more technical aspects of risk management (e.g. Risk Appetite, Policy and Framework). So the Risk Committee can address matters that may not easily fit into a normal Audit Committee agenda. Work between the committees can also be coordinated to close governance gaps and loops.
Working together, Risk and Internal Audit support a business to realise opportunities, whilst enhancing insight and instilling healthy oversight. In my experience, good communication and coordination between the two functions leads to improved governance.