How to optimise joint risk and audit teams

Dec 9, 2020

This blog post is an adapted version of a paper from Risk Leadership Network's Intelligence platform, contributed by international risk and assurance professional, Chad Miller. You can view a list of all contributions currently available to Members of the Risk Leadership Network here.


Joint risk and audit teams – where risk reports into internal audit or when responsibilities are combined into a dual role – can cause challenges for some, not least the issue of conflicting cultures and scenarios where one discipline is prioritised over the other.

Chad Miller, an international and senior risk and assurance professional, explains how a carefully planned and executed independent review can challenge and position a combined risk and audit function for success. Having a defined purpose with clearly understood roles and responsibilities will enable the risk and audit team to work collaboratively and leverage the learnings gained separately across the organisation.

Executive summary

Compliance, internal audit and risk management were managed and delivered by one team. This meant that individual personnel were simultaneously undertaking risk, compliance and internal audit tasks, resulting in a culture where one discipline (mainly compliance and internal audit) was prioritised over enterprise risk management.

When the Sarbanes-Oxley Act came into force, the dichotomy between risk management and internal audit became more pronounced. The combined risk and audit team was under pressure to ensure full compliance with Sarbanes-Oxley, reducing the focus on risk management. Instead, the team became ‘compliance-driven’ and was known less for its risk management capability than as the ‘SOX team’.

The head of risk and audit set out to restructure the team and reinforce its risk management capability. They devised and executed an independent review that would challenge the current structure, provide greater support and resources to risk management, and rebalance the focus of the combined team.

The independent review and its execution resulted in the following:

  • A strengthened and reconfigured risk and audit team, with greater capability in risk management through a risk transformation manager role.
  • The recruitment of dedicated risk managers to the team. Personnel were recruited from a risk background instead of an auditing discipline.
  • A clearly defined risk operating model, with roles and responsibilities mapped across both functional areas and the risk and audit team.
  • The establishment of a risk champions network to further support enterprise risk management.
  • Enhanced communication of risk information, including defining when risks require escalation and sharing discussions with risk champions.
  • Continual use of scenarios and the introduction of case studies to educate, improve risk awareness and test risk readiness.
  • Revision of risk policy and procedural documentation to clearly communicate the risk process and the responsibilities within it.

Context

Compliance, internal audit and risk management were managed by one team. This meant that the same personnel responsible for internal or compliance audits were also responsible for the roll-out of enterprise risk management throughout the organisation.

This became more challenging when the Sarbanes-Oxley Act came into force. It distracted the team from risk management. In most instances, compliance, assurance and internal controls were prioritised over risk management: ensuring compliance with Sarbanes-Oxley was such a big initiative that the business began to view the team as the “SOX” team. As a result, we weren’t progressing our risk management initiatives.

We continued to juggle several work streams: risk, SOX, and compliance. Colleagues became unclear about our roles: what hat were we wearing today? When were we ‘internal auditors’ and when were we open to discussions about risk?

We also began questioning whether we had the right capabilities to achieve the risk changes we wanted. Like many organisations, we were a team of auditors that had assumed an evolutionary role in overseeing enterprise risk management. The majority of the team had little to no experience in risk management and therefore there was a need to identify and fill certain skill gaps.

We decided to bring in an external consultant to evaluate the team’s current capabilities, design a risk maturity plan for the next five years, as well as assess and make formal recommendations on whether we could continue to exist as a combined risk and audit department.

Key steps

Getting sign-off from the senior leadership team

I was keen to move risk management forward, so I approached the CFO and explained the current state and the issues that we were facing as a team. I emphasised that to achieve this, we needed an external view.

The conversation was very frank. We were extremely fortunate that the CEO and CFO supported risk management. The CFO had also received similar feedback from the business, so he understood the need to clarify the team’s role and responsibilities.

It was important to obtain an external and objective perspective: all relevant stakeholders including me and my team were too close to the situation. We were embedded in the detail.

Our recommendations were outlined in a proposal which the CFO then presented to the audit committee chairman. They agreed and supported our plans.

Choosing an advisor

Once the decision to move forward was made, our first step was to establish and articulate the specific needs of the engagement: what are the deliverables? This could then be used as an initial assessment to determine whether any prospective provider had the necessary experience, skills and capabilities. It was important that the service provider could:

  • Quickly grasp and understand our needs and assess the existing landscape
  • Effectively engage with stakeholders in the business (obtain their buy-in to the project and change programme)
  • Effectively benchmark audit and risk functions against those of similar organisations and sizes
  • Demonstrate a strong and proven track record in successfully delivering similar project(s)
  • Demonstrate the ability to communicate their results in a simple and concise manner and one that would be favourably received by the audit committee

With these criteria, we approached a range of consultants (the big four and second-tier options) and asked them to pitch for the project.

We briefed them with a high-level, one-pager that outlined the challenges we were facing, and asked them to detail their approach, articulate the deliverables and potential outcomes, and provide an estimate of costs.

The candidate firms responded to our RfP in writing, and from those responses we shortlisted two prospects to meet with the CFO and the audit committee chairman.

In the end, we chose the firm that met our assessment requirements but, more than anything, had a clear and simple plan, a deep understanding of the issues, and did not over-complicate things or try to impress with flashy diagrams or CVs.

We then briefed the consultant to focus on:

  • The risk management and audit functions relevant to the purpose of the organisation
  • The risk maturity goals and what should be done to get there
  • The optimal structure for effective risk management
  • Whether risk managers and auditors can be advisors as well as assessors
  • Existing risk management skills and skills gap analysis

Getting up to speed

The appointed consultant submitted an information request for documents and materials in order to build an understanding of the current state of play for the team. This included charters, a full list of stakeholders, existing policies, risk reviews and audit reports, audit committee reports, details of the annual audit plan, framework documents, company values, etc.

At this stage, we were a small team of around three people, so we divided up the different requests and collaborated to pull all the information together. We didn’t have to create anything new; it was just a case of collecting information that the department already had and putting it together.

Once the consultant had reviewed and assessed the information, it was time to commence fieldwork (estimated at around six weeks).

This primarily involved a deep-dive interview process with selected key stakeholders in the business. It was important for the consultant to understand the sentiment and reputation of the function, gauge existing risk management exposure and understanding, and establish the value and support that the team could provide to the stakeholder’s role or area. Interviewees included:

  • Audit committee chair and members
  • CEO
  • CFO
  • Executive risk committee members
  • Functional heads (for example, heads of IT, HR and legal)

They were asked questions such as:

  • What's currently happening?
  • What do you need from the audit and risk committee?
  • Are they supporting you?
  • And what is your perception of risk?

The feedback, alongside the information from the desktop review, was assessed against a risk maturity model.

Implementing recommendations

The consultant came up with a list of 46 recommendations to improve the structure and focus of the risk and audit committee, as well as the risk maturity of the business.

These recommendations were shared with me first and then escalated up to the audit committee and the C-suite, who signed off on the approach.

The first set of recommendations was around the team structure. It was recommended that we bring in a new team member with experience in risk management (rather than audit). The consultant gave us a revamped suggested team structure, as well as outlining the responsibilities of each recommended job role.

Specific recommendations included:

  • Reconfigure the risk and audit team to introduce greater capability in risk management through a risk transformation manager role; drive risk reporting; and provide clearer alignment of risk and assurance roles to business needs.
  • Clarify and communicate the risk operating model and responsibilities across lines of business/functional areas, the risk and audit team, and ‘risk champions’ – and clarify how functional areas provide specialist input.
  • Clarify the ownership of compliance and the model for managing compliance.
  • Recruit people into the risk and audit team who are risk professionals, not auditors.
  • Focus the development plans of the risk and audit team on enhancing skills such as leadership, analytical reasoning, relationship management and communicating.
  • Select the right risk champions in lines of business and functional areas with consideration for their seniority, ability to influence and interest.
  • Build the capability of risk champions through coaching, training and knowledge sharing.

The report had validated a lot of my thinking. Having the consultant’s view gave me the support I needed to be able to do something about it.

Once we had agreed to the new structure, some difficult conversations had to happen. People were removed from the team and then the recruitment process started.

We appointed an external consultant for a year to support the change programme. She assisted in writing job adverts, performed the first set of interviews, and delivered as many of the report recommendations as possible.

Other recommendations were focussed on improving the risk maturity of the business and needed to be implemented over a longer timeframe. There were 46 actions in total, but some examples included:

  • Enhancing the communication of risk information, including defining when risks require escalation and sharing discussions with risk champions.
  • Continuing to use scenarios and introduce case studies to educate, improve risk awareness and test risk readiness.
  • Completing risk registers for all lines of business/functional areas.
  • Developing an assurance map to guide the selection of internal audit activity and ensure there were no ‘blind spots’ in assurance coverage, or unnecessary overlaps.
  • Revision of risk policy and procedural documentation to clearly communicate the risk process and responsibilities within it.

As we implemented the changes, we worked closely with the communications team. They provided weekly updates showcasing different projects and team members, which helped give a sense of team purpose, as well as making sure that the business understood who we were and what we were doing.

Outputs

Understanding the current state of play

We received two detailed reports that outlined in depth how the team was performing now, how the risk and audit functions were viewed by the wider business and, crucially, the factors that were preventing us from performing.

The reports benchmarked our risk maturity against that of other organisations and detailed how the team would need to be overhauled in order to achieve these aims.

A step-by-step plan

The consultant gave us a list of 46 prioritised actions for the business. These included new hires, redundancies, building a risk champions network, improving risk communication, and tightening up risk assessment and evaluation tools.

Because this list was defined by an external consultant, it gave us the third-party endorsement that we needed to deliver change. We had a clear path to improving risk maturity. We hired a consultant for a year to help us deliver these objectives, leading to a better risk and audit structure, as well as improved risk management.

New team structure and responsibilities

We completely overhauled the team, making redundancies and hiring new staff. This introduced greater clarity for stakeholders over who was responsible for what. We hired people looking specifically at risk, which helped separate out the purposes of the two functions. This meant that stakeholders were no longer confused about whether we were visiting them in a compliance role or a risk one.

Hiring a support team member to sit across both departments and focus on reporting freed up time for us to progress with advancing our risk management programme.

Results

An overhaul of the risk and audit committee resulted in clearly defined roles and responsibilities, stronger risk management capabilities, and time and resources to improve risk maturity. Stakeholders were also more engaged with risk management: they understood the value that we were providing to them and the wider business.

Lessons learned

What worked well

  • We stuck closely to our selection criteria and hired a provider based on their understanding of the nuances of our business. This proved valuable: we were able to source a provider who had a demonstrable understanding of our challenges and could devise an effective plan.
  • Restructuring the team delivered tangible results: risk maturity improved and engagement with stakeholders increased.
  • Hiring a consultant to deliver the change programme ensured recommendations were successfully implemented, while the risk management team remained focused on supporting the business with enterprise risk management.

What was difficult

  • The hardest thing was having to let people go. Having third-party recommendations behind the process helped us to articulate why redundancies needed to be made.
  • I was also really lucky to have the support of the audit committee and of the CEO/CFO. Getting the resources to bring in an external consultant would have been really difficult without that support.
