Why Risk & Internal Audit Aren't Focused on What Matters Most

Key Takeaways
  • Mission-Critical Objectives Should Drive Assurance: Tim Leech argues that if risk is defined as the effect of uncertainty on objectives, then risk management and internal audit should begin with an organization's Mission Critical Objectives rather than disconnected risks, controls, or audit cycles.
  • Professional Incentives Shape Professional Behavior: Most Chief Risk Officers and Chief Audit Executives are measured on completing plans, maintaining compliance, covering the audit universe, and updating risk registers, not on helping boards oversee uncertainty surrounding the objectives that matter most.
  • Mission Critical Blindness Limits Board Visibility: Organizations often dedicate substantial assurance resources to operational and compliance activities while boards receive limited reporting on the uncertainty surrounding the handful of objectives that determine long-term success.
  • A Single Board Question Could Change Governance: Asking management to identify the organization's Mission Critical Objectives and explain who reports on the uncertainty surrounding them would fundamentally change the focus of risk management, internal audit, and board oversight.
  • Governance Change Must Start at the Top: According to Leech, meaningful reform depends on boards recognizing oversight of uncertainty linked to Mission Critical Objectives as part of their core purpose and demanding reporting that reflects it.
Deep Dive

In a recent LinkedIn post, I posed what I believe is one of the most important questions facing the risk management and internal audit professions today. If risk is defined in ISO 31000 as "the effect of uncertainty on objectives," why don't both professions begin with an organization's Mission Critical Objectives? It seems like an obvious place to start. Yet in most organizations, it isn't.

Mission Critical Objectives are the handful of strategic objectives that determine whether an organization succeeds or fails over the long term. They include both value creation and value preservation objectives. If uncertainty exists only in relation to objectives, then it follows that the greatest risks facing an organization are the uncertainties that could prevent it from achieving its Mission Critical Objectives.

Instead, many risk and internal audit functions continue to devote most of their time to maintaining risk registers with hundreds of disconnected risks, conducting compliance reviews, completing audit universe cycles, testing controls, performing process audits, meeting regulatory reporting requirements, and carrying out the activities their professional institutes have long considered standard practice. Each of those activities has value. The problem is that they are often only loosely connected to whether the organization will actually achieve the objectives that matter most.

That raises an obvious question. Why has the system evolved this way? The answer has less to do with the people working in risk management and internal audit than with how the professions are measured.

Most Chief Risk Officers and Chief Audit Executives are evaluated on whether annual plans are completed, the audit universe is covered, compliance obligations are met, and risk registers are maintained. Very few are evaluated on whether they are helping management and boards make better decisions about the organization's Mission Critical Objectives.

Organizations generally get the behavior they measure. If the measures focus on completing activities, the activities become the priority. If the measures focused on improving decisions linked to Mission Critical Objectives, the work of both professions would look very different. I describe the consequence as Mission Critical Blindness.

Organizations devote significant assurance resources to lower-level operational, compliance, and process risks while boards often receive surprisingly little reliable information on the uncertainty surrounding the handful of objectives that will ultimately determine long-term success or failure. Risk management and internal audit work hard, but too often the information boards receive is disconnected from the decisions that matter most.

A simple thought experiment illustrates the point. Imagine asking a CEO, "You can receive reliable risk and performance information on only six objectives this quarter. Which six would you choose?"

That single conversation would change the focus of many risk and internal audit functions. Instead of beginning with risk registers, audit plans, or control testing, the discussion would begin with the objectives that matter most to the organization. Everything else would follow from there. That, in my view, represents the greatest opportunity for both professions.

The future of risk management and internal audit does not lie in becoming better at assessing everything. It lies in becoming indispensable in helping management and boards understand the uncertainty surrounding Mission Critical Objectives so they can make better decisions and improve organizational performance. Unfortunately, changing professional practice is only part of the challenge.

In my upcoming book, Mission Critical Governance: Focusing on What Matters Most, I argue that meaningful change will not occur unless boards themselves redefine what they see as their purpose. If boards do not believe overseeing uncertainty and performance linked to Mission Critical Objectives is part of their purpose, there is little reason for CEOs to provide that reporting or for risk management and internal audit functions to organize their work around it. I describe that accountability vacuum as the Purpose Void.

Closely connected to it is what I call Don't Tell/Don't Ask Governance Syndrome. Most CEOs do not want to report regularly to their boards on the uncertainty and performance linked to Mission Critical Objectives, and most boards do not ask for that reporting. Chief Risk Officers and Chief Audit Executives generally support the reporting model their CEOs expect. The result is a governance system that continues to focus heavily on activities while giving boards limited visibility into what matters most.

One question captures the issue better than any other. What are the organization's Mission Critical Objectives, and who is reporting regularly to the board on the uncertainty surrounding their achievement? Few boards ask the question. Few CEOs volunteer the information. If more boards did ask, the work of risk management and internal audit would change rapidly. It would become more relevant, more interesting, and much more closely connected to whether the organization is likely to achieve the objectives that matter most.

Shareholders and broader stakeholders have every reason to hope more boards begin asking that question. The barriers to change remain significant, and in my view they continue to be reinforced by regulators, governance code authors, director institutes, risk institutes, and the Institute of Internal Auditors. But if boards begin demanding reliable reporting on the uncertainty surrounding Mission Critical Objectives, the professions of risk management and internal audit will change with them.
