Should internal audit perform a risk assessment?

Assuming that there is a credible ERM function/process in place, IA needs to provide assurance that the ERM processes are effective, and they also need to validate that the key controls that management assumes to be working in their RA are in fact effective, but also IA should be able to some extent opine on whether the company-wide RA done by the ERM and management teams are reasonably stated and that they are not aware of any major discrepancies. To your point about continuous, every internal audit according to the COSO framework should be concluding about the adequacy of management’s RA process for the area/function reviewed.

Post by John Fraser on Norman Marks on Governance, Risk Management and Audit

John, stripped of all the jargon and acronyms, the ultimate purpose of whatever ‘ERM’ and ‘IA’ are meant to mean or be, can surely only legitimately be that the organisation makes the best decisions it can. That is because the only way that organisations can pursue their purpose is to make (and implement) decisions to take advantage of opportunities, and the only way it can achieve its purpose is by ensuring that the decisions are the best that can be made. This has always been so (long before anyone uttered the ‘a’ or ‘r’ word) and always will be so (long after the ‘a’ and ‘r’ words disappear from the business lexicon … hopefully, a milestone that is not too far away). And yet decision-making is not the focus of either ERM or IA and never has been.

As Grant Purdy and I say in our recent book ‘Deciding’ (which Norman kindly introduced here in his 25 April blog) organisations will have more success in pursuing their purpose if they consistently make ‘even better’ decisions.
In describing what we contend is a universal method of decision-making (i.e. the method used by all ‘Deciders’ whether they realise it or not) we have attempted to explain how to excel in applying each element of this method as it is this – decision-making skill – that is the only way organisations and their ‘Deciders’ can determine their success.

All that those responsible for governance need have confidence about is how well this method is being applied by the many Deciders across the organisation. In the same way that sales, RoI etc. are visible to the governance team (because they bother to look), so too is the quality of decision-making easily discernible, especially if those involved in governance and management themselves excel. Trying to contract-in reassurance, rather than looking themselves, is an easy (but generally unsuccessful) cop-out.

Ensuring consistently good decision-making is analogous to manufacturers or service providers achieving the intended levels of performance of their product (i.e. delivering ‘quality’). In the 80’s, those efforts switched from checking the final product and throwing out the duds, to focussing on design and execution of each of the steps of the process through which those products were made (in the understanding that dud products are the outcome of dud processes and good products are the outcome of good processes). So too must the focus of organisation performance monitoring switch to the quality of decision-making.

So the message is, whether it is the board and management (or the cop-out of using a hired gun – however they may be described) just look at the people who are making the decisions and their decision-making skills. As we say in ‘Deciding’, it is a tricky business being a Decider so helping them individually and institutionally to make decisions is where the effort should go. Not in irrelevant ‘r’ and ‘a’ stuff with the associated focus on failure and checking for duds at the end of the decision production line.

Useless Risk Management Edifices that Organisations Build

Norman Marks in his blog post called "Time to wake up to risk reality" said that "This is a post about news we should have known for a long time. It’s time to recognize the truth about risk management."

Hans Læssøe commented that: "I guess too many companies have a risk management function only for the sake of being able to say that they have it – and to produce reports that show “we are doing well”. Executives had (and have) no intention of letting risk people involve themselves or tamper with decisions they are making or how they execute/operate."

Roger responded as below.


Your first paragraph (3 April) makes an astute observation. The essentially useless ‘risk management’ edifices that organisations build play no meaningful role in assisting the daily task of making sound decisions – from top to bottom. (I put ‘risk management’ in inverted commas, incidentally, because although the expression is common, there is little that is common across all its users as to what it means or consists of!)

These edifices are established at great cost and inconvenience either because of regulatory pressures as illustrated by John Fraser’s later anecdote (such regulations are often a forlorn hope by governments that this will somehow avoid society being disadvantaged in some way or other) or because of supply chain obligations which, as with Covid-19, spread up and down the chain with ease, or because of virtue signalling by the new breed of woke directors who are not focused on their real job of adding shareholder value.

The fact is, as you say, these ‘risk management’ edifices exist as an externality to the real management activity (including strategy setting) that is providing the engine room for the organisation.

This is why ‘risk management’ has little influence or, worse still, why it has an adverse effect, which is the more common consequence as a consequence of its distractive effect and resource wastage. At the very least, it’s not seen as helpful to the daily challenge of making sound decisions because, as the world has shown repeatedly, with or without ‘risk management’ it is perfectly possible to make both good decisions and bad decisions.

One doesn’t have to invert normality in order to make good decisions – just become a little more skilled in the steps that are already followed. There is no need for a ‘system’ or ‘framework’ (for which, read ‘edifice’) just decision-making skill.