If the response to agenda papers on risk is to note them politely and move on, you could be making a big mistake. CIPFA can help internal auditors navigate the heat maps and assurance frameworks.
Effective risk management, built on a culture of risk ownership, is essential to a high-performing organisation. It is difficult to see how else a governing body can fulfil its key roles of setting strategic direction and tracking performance to deliver positive outcomes. Yet so often boards and committees manage their organisations despite their risk management arrangements, rather than because of them.
Look at risk-related papers in your organisation. Risk registers (corporate, strategic and divisional) jostle with heat maps and assurance frameworks for your attention. These disparate documents can silt up your agendas and work plans. One reaction is to politely note the papers and move on. However, most committees and boards diligently grapple with the convoluted processes and rules put in front of them. A3 sheets display columns of risks that seem more like a log of issues vying for funding. Then there are columns of controls and assurances that appear to be indistinguishable from each other, built on aspiration and process rather than reality and outcome.
Last, but not least, there is the dark art of risk scoring. The relief of calibrating risks using the results of dubious scoring tends to prevent any challenge to the underlying methodology or rigour of its application. That scoring enables the welcome red, amber and green to emerge. These colours are familiar and comforting. The nursery may be painted blue or pink, but the boardroom has the tricolour of red, amber and green to guide its challenge and debate.
Perhaps this is unfair. Perhaps your organisation is the exception. But many inquiries into organisational failure tend to conclude that in a sea of chaos the risk management strategy, policies and processes were all in place – the boxes could be ticked. Unfortunately those arrangements were often operating on a parallel track to the rest of the organisation.
So, if you do recognise even a small element of the risk reporting described above, what is the solution? A great starting point is CIPFA’s recent publication It’s a risky business (2014). Totally revised from the original 2005 publication, it navigates the landscape of public sector risk management and its related concepts. Although its principal audience is the internal audit profession, it is of great relevance to all those interested in, or responsible for, public service governance and risk management, including leadership teams, chief executives and audit committees.
The internal audit focus is important too. Internal auditors can be great allies in advising an organisation on the design and delivery of a proportionate and effective risk management system. In particular, make sure you value internal audit’s expertise in understanding controls and assurance.
Boards and audit committees, advised by internal audit, can establish a clear definition of assurance in terms of timing, evidence, frequency, scope, independence, etc, so that the concept carries a consistent meaning. So, are you making good use of your internal auditors? Also ask:
● Are your strategic objectives clear and up to date? Risks can only be defined accurately in relation to well-crafted objectives. If organisations have a mix of aims, values, mission and purpose it can be a weak foundation upon which to build a risk management strategy.
● Are you sighted on the pace and resilience of your risk escalation arrangements?
● Do you know the culture in relation to risk ownership and reporting?
● Do you have external insights into what happens elsewhere?
● Are risks framed and scored consistently?
● What is the quality and effectiveness of risk training from the board to the front line?
● When the word “assurance” is used, does everyone know what it means?
Tim Crowley is managing director of MIAA and chair of CIPFA’s Internal Audit Panel