Rethinking Risk & Internal Audit as Strategic Decision Support
Key Takeaways
- Transformation of Internal Audit: Internal audit (IA) needs to move beyond its traditional role of compliance and policing to become a key partner in supporting management and the board with strategic decision-making.
- Risk Functions Must Reevaluate ERM Tools: Outdated methods like risk registers and heat maps often fail to provide actionable insights on mission-critical objectives (MCOs), which are crucial for decision-making.
- Alignment with Strategic Objectives: Companies should define and document their MCOs, ensuring that risk assessments are directly linked to these objectives to provide valuable, actionable risk information.
- Board's Role in Decision-Making: The board must decide if it wants reliable risk information tied to MCOs. If so, it must determine whether management or a dedicated risk function will assess and report on this risk.
- Quality Assurance for Reliable Information: To ensure accurate and timely reporting on MCO-related risks, internal audit or other quality assurance functions should be assigned responsibility for overseeing risk management processes and board reports.
Deep Dive
In this article, Tim Leech explores the evolving roles of risk and internal audit functions and how they can transition from their traditional, compliance-focused image to become key decision-support partners for management and the board. Drawing on his extensive experience, Tim outlines the need for change in how internal audit and risk functions operate, emphasizing the importance of aligning with mission-critical objectives to drive better decision-making and organizational success.
Can Risk and Internal Audit Transform from Compliance-Focused/Police Image to Management/Board Decision Support Roles?
Answer: YES
In the early 1990s, when assisting companies with the implementation of objective-centric risk self-assessment, we often started workshops with a simple word association exercise: “What is the first word or expression that comes to mind when I say ‘INTERNAL AUDIT’?” The results consistently reflected what the 2024 IIA Vision 2035 report highlighted last month—most people still view internal audit (IA) through a compliance-focused or policing lens. Our goal back then was to transform IA from a traditional, historical model to something aligned with the new vision. At that time, very few risk functions existed.
Following the 2008 global financial crisis, risk units began to emerge to meet regulatory and board demands for an Enterprise Risk Management (ERM) framework. Most companies, often following the advice of major consultancies, implemented risk registers and risk heat maps to comply with those demands. Unfortunately, regulators often expected risk units to act as "risk appetite" police, monitoring management’s compliance with vague “risk appetite statements.” It’s no surprise then that the majority of risk groups are still viewed as compliance-focused or as the “House of No.”
To Drive Positive Change, What Needs to Stop?
- Internal Audit (IA) Needs to Evolve: IA must move away from the outdated and harmful approach of identifying and reporting what it perceives as management’s “material weaknesses” or “significant deficiencies.” This practice, essentially issuing tickets for internal control infractions, undermines management’s responsibility to assess, manage, and report on the status of risk. It’s a negative and obsolete approach that needs to be rethought.
- Risk Functions Need to Rethink Risk Registers and Heat Maps: Risk functions need to stop relying on risk registers and heat maps as the core of ERM. The ISO definition of risk is “the effect of uncertainty on objectives,” but these methods do not provide management or boards with actionable information regarding the status of risks linked to mission-critical objectives (MCOs). They fail to equip decision-makers with the insights necessary to improve performance and make better strategic choices.
What Needs to Start?
- Agree on Mission-Critical Objectives (MCOs): Companies need to define and document their MCOs—those strategic and value-driven objectives that are critical to long-term success. True “top risks” are the risks linked to these MCOs.
- Boards Must Decide on Reliable Risk Information: Boards must decide if they want reliable information on the risks associated with MCOs. If they don’t, legacy IA and ERM methods might still be adequate. However, if they do want reliable, actionable information, it’s time to make changes.
- Management's Role in Risk Assessment and Reporting: If boards want more reliable insights into risk related to MCOs, they need to decide who will be the primary risk assessors and reporters. Will it be first-line management—those directly responsible for achieving MCOs and managing risks—or will they need support from a separate risk function? The goal here is to reach consensus on what constitutes acceptable risk related to MCOs, all the way up to the board level.
- Assigning Responsibility for Quality Assurance: If the CEO or board desires additional assurance on the reliability and timeliness of information related to MCO risks, they should consider assigning Internal Audit (IA) or another quality assurance (QA) function to oversee the ERM process and board reports. However, some boards may be comfortable relying solely on management to provide this information.
The transformation of risk and internal audit functions into decision-support roles is not only possible, it’s essential for modern organizations. By focusing on mission-critical objectives, aligning risk assessment with strategic goals, and fostering a collaborative approach between management and the board, companies can break free from the traditional compliance-driven models. The future of risk and internal audit lies in enabling better decision-making, not policing. This shift will empower organizations to manage uncertainty more effectively and drive long-term success.