#1/2011 - Internrevisorerna - Hem
RISK MANAGEMENT
This article was first published in ECIIA's newsletter European, November 2010, Issue 19
SPINNING A NEW WEB
A new IIA study calls for internal audit to be the spider that ties together disparate strands of governance into an effective web. Arthur Piper reports
INTERNAL AUDITORS have largely escaped blame in the post-mortem on the causes of the recent financial and economic crisis. Since 2008, dazed investors and regulators have been trying to make sense of what went wrong and, so far, the conclusion is that better and more strategic risk management could have helped.
But three new reports question the value of throwing good money after bad. They ask whether it is worth doing the same sort of risk management exercises that companies carried out prior to 2008, or whether something else is needed. And, if something is needed, what could that something be?
Many companies feel let down by their risk systems. Under half of respondents to Grant Thornton’s survey – published in conjunction with the Economist Intelligence Unit as A new risk equation? – said that their reviews of strategic risk had been effective prior to 2008. Only one in three claimed that their risk management systems had helped them keep a lid on the impact of the recession.
The survey suggests that many companies may have been paying lip service to good risk management practices, but failing to put what they preached into effect. For example, the firm found that only 37 % of the 450 companies that participated in its research said that risk management processes had »created a common awareness of risk from top to bottom».
The problem is that most businesses still focus on compliance-based risk testing. That approach provides comforting mood music that everything is ship-shape and watertight. Michael Power, professor of accounting at the London School of Economics, says: »Quite a lot of risk management practice is essentially compliance-based, following rules that are often dictated by regulation. This has let us down because it creates an illusion of things being under control.»
Bureaucracy
Power reckons that this attitude to risk management helps sever it from strategy and the way that the board makes decisions and kicks it into the corporate bin marked bureaucracy. It is seen as a waste of time, particularly since many of the complicated ways businesses try to analyse the potential effect of risk were useless in practice.
Even so, companies are ploughing money into what the consultant Ernst & Young calls GRC: governance, risk management and compliance. In its paper The multi-billion dollar black hole, it quotes research that claims financial institutions could spend up to $100bn on controlling risk in 2010, and that, taken as a whole, US companies will plough almost $30bn into such initiatives.
The solution is, of course, better risk management. For Ernst & Young that means reinventing the way that governance, risk management and compliance knit together to provide over-arching assurance. Companies that insist on tinkering with a broken risk management system are likely to be throwing good money after bad: »Good investment risks slipping away because companies do not take a holistic view of enterprise and cannot deliver the value expected of them. Therein lies the multi-billion dollar black hole», says the firm.
Ernst & Young says that one of the key hurdles companies face in getting it right is existing reporting lines and responsibilities in the area, which can be fragmented and working at odds. A first step is to see where existing GRC cash is being spent and to identify where efforts are badly co-ordinated, too complex or non-existent. Sorting this out means spending money where the business’ priorities lie. »Spend
INTERNREVISION 1/2011 • 7