On Governance is a series of guest blog posts from corporate governance thought leaders. The series, which is curated by the Governance Center research team, is meant to serve as a way to spark discussion on some of the most important corporate governance issues.

In 1981 I joined the internal audit function at Gulf Canada in Toronto, Canada as a young recruit.  It took me very little time to realize that our clients weren’t particularly happy to see us arrive, and were generally quite happy when the engagement was over. This was true no matter how well intending or competent the team.  It took me another decade, including serving in line management positions where I was on the receiving end of audit reports, to realize internal auditing was, in succinct terms “supply driven” by generally well-intending people, usually accountants by training; not “demand driven” by discerning and demanding customers. 

Many customers seemed quite content with internal audit functions that used “percentage of audit plan completed” as a key metric.  This was true even though virtually none of those CEOs, CFOs, or board members would tolerate measuring sales people or sales departments on number of sales calls made, or the quality of sales calls made.  When I asked what would be different if the audit department disappeared altogether or, when phrased in the positive, what end results they wanted from the existence of an internal audit department, they rarely had given it much thought.  They quite rationally had low and narrow expectations of internal audit, a function that usually consumed a relatively small amount of total budget funds, didn’t impact much on real value creation and allowed them to say to the board, regulators and others that they had an internal audit function in place.

Following the 2008 global financial crisis enterprise risk groups started to emerge in a big way, largely because of regulatory expectations.  Companies, particularly financial services companies, were told by regulators they should have some form of enterprise risk management (“ERM”) process and/or “operational risk” groups.  In the UK, pursuant to the UK Governance Code, the Chair of the board of all public companies even had to start make representations to meet the expectation shown below.  

The UK corporate governance code April 2016

“C.2.3. The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness, and report on that review in the annual report.”

Regulators in the U.S. have set a much lower bar than the U.K.   After the 2008 global financial crisis, the SEC added some vague requirements in their proxy disclosure rules suggesting public companies listed on U.S. exchanges should say something about how they manage risk.  There are no U.S. disclosure requirements I am aware of regarding what, if anything, boards should be doing to assess and report on the effectiveness of ERM or internal audit.  

Regulators have generally provided little guidance on what an “effective” ERM framework should look like. Many companies, often with full support of regulators, have taken the path of least resistance and put annual processes in place to create and maintain “risk registers,” a collection of bad things that could happen drawn from relatively cursory annual interviews and workshops designed to scoop top of mind thoughts from people forced to participate by “head office”.  These risk register processes appear “good enough” to meet regulatory expectations.

The new COSO 2017 ERM guidance broke new ground by clearly stating that ERM should be fully integrated with strategy and performance and that risk assessments and should start with important objectives.  It includes 20 principles and clearly states that risk centric/risk register based ERM frameworks are the “least integrated” form of ERM[i] and, by extension, least effective. Unfortunately, since the release of the 2017 COSO ERM framework, many risk and internal audit groups continue to use risk-centric, process-centric, and control-centric assessment methods.  For some reason risk specialists and internal auditors seem to have an aversion to starting with important end result business objectives, particularly value creation objectives.

On the professional association front, the Institute of Internal Auditors (IIA) seems to imply that if an internal audit function meets the “International Standards for the Professional Practice of Internal Auditing” it is, by extension, effective.  The IIA offers little in the way of specific end results metrics that should be used to measure the real effectiveness and value-add of an internal audit function.  Based on my 40 plus years in the profession, the IIA seems relatively content with the widespread status quo practice of measuring internal audit on percentage of audit plan completed or, worse yet, number of audit findings accepted or “closed”.   On the risk side there is little agreement among the leading risk professional associations including the IRM, PRIMIA, GARP, RIMS, and others, what an “effective” enterprise risk function should look like.  No risk association that I am aware of have taken a public position whether the widespread practice of creating and maintaining a risk register is more dangerous than useful as it can create the illusion of effective enterprise risk management.

A logical question at this point would be, “Since you think most organizations have not been using valid metrics to date what should companies use to measure the value-add from internal audit and risk spending?“ The answer is shown below in the Strategy and Value Oversight Imperatives.

The “STRATEGY AND VALUE OVERSIGHT” approach we propose (see https://bit.ly/2K6BYTf for an illustration) assumes that companies will be willing to hold management accountable for both assessing, managing, and reporting on the true status of residual risk linked to top value creation and preservation objectives, or more simply put, reporting whether the objectives they are responsible currently have residual risk positions that are, or are not within senior management and the board’s risk appetite and tolerance. In short, a much stronger “First Line” in the popular but harmful and incomplete Three Lines of Defense model.

While I believe Strategy and Value Oversight approach is significantly more effective than traditional ERM and internal audit methods I recognize that the culture in many organizations will not support the high accountability/transparency vision shown below.

End result “imperatives” for this re-engineered approach to assurance that risk groups and internal auditors should be measured on are detailed below.  

Details on the Strategy and Value Oversight approach and the proposed roles of all the key players are described in a sample policy available for download. The core business case for moving from traditional spot-in-time internal auditing and risk register driven ERM frameworks to Strategy and Value Oversight driven by objective centric ERM and internal audit includes the following:

1.     The approach puts equal emphasis on value creation and value preservation with a focus on helping companies create and drive long-term  value.

2.     Companies need to take intelligent risks to thrive and survive. Traditional assurance methods, including the popular Three Lines of Defense, are biased to risk elimination and mitigation, not intelligent risk taking or risk treatment optimization. Few companies succeed over the longer term with only “defense”.

3.     While many other approaches give lip service to “embedding” risk management in the business the Strategy and Value Oversight available on the links above really embeds risk management in the business by assigning “owner/sponsor” roles to those responsible for top value creation and preservation objectives and clearly articulating the roles of all the key players.

4.     Many agree that the lack of integration between the “risk silos” has been a root cause of many of the biggest corporate governance failures in history.  This approach integrates the efforts of all the key assurance functions by requiring all work be driven by a common objectives register populated with top strategic/value creation and value preservation objectives.

5.     Traditional approaches to internal audit and ERM have not focused on the goal of “risk treatment optimization” – the lowest cost possible combination of risk treatments capable of producing an acceptable level of residual risk linked to important objectives.

6.     The approach recognizes that formal risk assessment (as opposed to informal risk management practiced at all levels every day in organizations around the world) has a cost. Formal, structured risk assessment should only be done on objectives important enough to warrant the cost.

7.     Unlike traditional internal audit and ERM approaches, the approach being recommended emphasizes building fit-for-purpose risk management capability in the work units.  It has been shaped by the age-old adage, “Give a person a fish and they have a meal. Teach a person to fish and they have food for a lifetime.”

8.     This approach produces a concise report for the C-Suite and board that shows which important value creation/value preservation objectives are currently outside of an organization’s risk appetite/tolerance and who is responsible for bringing it back in to an acceptable risk status position.

9.     Staff working in risk management and internal audit have greater clarity how their work links to long-term value creation and preservation.  High potential staff will be more interested in working in groups that have clear linkage to an organization’s top value creation and preservation objectives.

10.  This approach helps organizations meet increasingly strident calls from powerful institutional investors for clarity on long-term value creation and how the Board oversees that process. See The Conference Board’s July 2017 Director Notes publication “Board Oversight of Long Term Value Creation and Preservation: What needs to change?” for more details.

The choice is quite simple – continue to allow internal audit and risk groups to be measured largely on execution of processes that add limited real value, or raise the bar, make transformational changes, and use end result objectives and metrics designed to help organizations better create and preserve long term value.