#1/2011 - Internrevisorerna - Hem

RISK MANAGEMENT
Artikeln publicerades första gången i ECIIA:s nyhetsbrev
European, november 2010, Issue 19
SPINNING
A NEW WEB
A new IIA study calls for internal audit to be the
spider that ties together disparate strands of
governance into an effective web. Arthur Piper
reports
INTERNAL AUDITORS have largely escaped blame in the post
mortem of causes to the recent financial and economic crisis.
Since 2008, dazed investors and regulators have been trying
to make sense of what went wrong and, so far, the
conclusion is that better and more strategic risk management
could have helped.
But three new reports question the value of throwing good
money after bad. They ask whether it is worth doing the
same sort of risk management exercises that companies carried
out prior to 2008, or whether something else is needed.
And, if something is needed, what could that something be?
Many companies feel let down by their risk systems.
Under half of respondents to Grant Thornton’s survey – published
in conjunction with the Economist Intelligence Unit
as A new risk equation? – said that their reviews of strategic
risk had been effective prior to 2008. Only one in three claimed
that their risk management systems had helped them
keep a lid on the impact of the recession.
The survey suggests that many companies may have been
playing lip-service to good risk management practices, but
failing to put what they preached into effect. For example,
the firm has found that only 37 % of the 450 companies that
participated in their research said that risk management processes
had »created a common awareness of risk from top to
bottom».
The problem is that most businesses still focus on compliance-based
risk testing. That approach provides a comforting
mood music that everything is ship-shape and watertight.
Michael Power, professor of accounting at the London
School of Economics, says: »Quite a lot of risk management
practice is essentially compliance-based, following rules that
are often dictated by regulation. This has let us down because
it creates an illusion of things being under control.»
Bureaucracy
Power reckons that this attitude to risk management helps
sever it from strategy and the way that the board makes decisions
and kicks it into the corporate bin marked bureaucracy.
It is seen as a waste of time, particularly since many of
the complicated ways businesses try to analyse the potential
effect of risk were useless in practice.
Even so, companies are ploughing money into what the
consultant Ernst & Young calls GRC: governance, risk management
and compliance. In its paper The multi-billion dollar
black hole, it quotes research that claims financial institutions
could spend up to $100bn on controlling risk in 2010,
and that, taken as a whole, US companies will plough almost
$30bn into such initiatives.
The solution is, of course, better risk management. For
Ernst & Young that means reinventing the way that governance,
risk management and compliance knit together to
provide over-arching assurance. Companies that insist on
tinkering with a broken risk management system are likely
to be throwing good money after bad: »Good investment
risks slipping away because companies do not take a holistic
view of enterprise and cannot deliver the value expected of
them. Therein lies the multi-billion dollar black hole», says
the firm.
Ernst & Young says that one of the key hurdles companies
face to getting it right are existing reporting lines and responsibilities
in the area, which can be fragmented and working
at odds. A first step is to see where existing GRC cash
is being spent and to identify where efforts are badly co-ordinated,
too complex or non-existing. Sorting this out means
spending money where the business’ priorities lie. »Spend
INTERNREVISION 1/2011 • 7