The Purpose of Every CRO & CAE Should Be to Help Management & Boards with Important Decisions – It Often Isn't Today
Key Takeaways
- CROs and CAEs’ True Purpose: The primary role of CROs and CAEs should be to assist management and boards in making informed decisions related to mission-critical objectives (MCOs).
- Strategic Focus on MCOs: Risk and internal audit must focus on aligning management with MCOs, assessing threats and opportunities, and managing uncertainty within acceptable risk levels.
- Shift from Compliance to Strategy: Risk and internal audit functions need to evolve from a compliance-driven role to a more strategic function that adds value to the organization’s long-term success.
Deep Dive
In today’s business environment, the true purpose of every Chief Risk Officer (CRO) and Chief Audit Executive (CAE) should be to support management and boards in making informed, critical decisions. Unfortunately, this is often not the case. In this article, Tim Leech dives into how risk units and internal audit functions should be guiding management and boards in the decision-making process, particularly when it comes to managing risks and uncertainties linked to mission-critical objectives (MCOs).
Key Roles of Risk and Internal Audit in Supporting Management and the Board
Risk and internal audit should focus on helping management and boards with:
- Agreeing on Mission-Critical Objectives (MCOs): These are the top strategic objectives necessary for value creation and preservation, which are essential for sustained success. This is where the real “top risks” lie.
- Identifying and Assessing Significant Threats and Opportunities: Risk units should help identify and assess significant threats and opportunities related to MCOs. This enables the decision of whether these uncertainties are within the company’s acceptable risk appetite and tolerance.
- Increasing the Likelihood of Achieving MCOs: Risk and internal audit can increase the likelihood that MCOs will be achieved by managing the level of risk and uncertainty in a way that is acceptable to the CEO and board.
- Optimizing Risk Treatment Strategies: This involves choosing the most cost-effective risk treatments capable of producing an acceptable level of risk and uncertainty associated with MCOs.
- Meeting Legal and Regulatory Expectations: Ensuring that the organization complies with its fiduciary duty to oversee the management of MCOs and their associated risks.
The concept of "risk" is defined by ISO 31000 as the "effect of uncertainty on objectives," and by COSO as the "possibility that events will occur and affect the achievement of strategy and business objectives." Despite these definitions, many risk groups and internal audit functions today focus on "risk management" and "top risks." It is time for these functions to either accept ISO and COSO’s objective-centric definitions of risk and focus on the risks linked to MCOs, or clearly explain their own understanding of "risk" and their role within the organization.
If the true purpose of risk and internal audit is limited to complying with laws and regulations such as SOX 404, or to adhering to reporting rules like the UK Governance Code (which calls for boards to oversee "principal risks"), then it might be more accurate to rename these functions "Risk & Control Enforcement." This would better reflect their actual purpose.
Surveys, including the IIA Vision 2035, show that many management teams and other stakeholders already view risk and internal audit in this light. If this perception holds true for the majority of CROs and CAEs, it spells trouble for the future of the risk and internal audit professions, as well as for the companies and organizations they support. A shift in focus is necessary.
The Trillion Dollar Question
A significant opportunity for change lies in the ongoing COSO and NACD governance guidance project, which is working to answer the “Trillion Dollar Question” – Are boards responsible for overseeing the acceptability of risk and uncertainty linked to MCOs? The answer to this question could dramatically shape the role of risk and internal audit in organizations.
If the answer is no, then there is no need for risk and internal audit to provide reliable information to management and the board regarding the risks and uncertainties linked to MCOs. In this case, the status quo—focused on Enterprise Risk Management (ERM) lists of potential "bad things" and outdated internal audit practices disconnected from MCOs—would be sufficient. However, if the answer is yes, it is essential that risk and internal audit evolve to offer actionable, strategic insights that are aligned with the organization’s most critical objectives.