How much risk are you prepared to take?

  • Date: 01 Aug 2005
  • Type: Company Director Magazine
As a board member or senior executive of a publicly-listed company, how much risk are you prepared to take and, more importantly, how much risk are you taking that you don’t know about and therefore haven’t measured or tried to mitigate?

Risk Management

How much risk are you prepared to take?

Dealing with risk can be fairly straightforward. But, as Krist Davood* points out, it's the risks that aren't on the radar that can pose the greatest threat.

Any number of directors will tell you that since the enforcement of the US Sarbanes-Oxley Act of 2002 (SOX), ASX Corporate Governance Guidance (Note 9A) and CLERP 9, the demands on board members and executives have increased significantly.

A recent survey backs these claims. According to results of the Board Member Best Practice Survey conducted jointly by the US advisory organisations Jaeckle Fleischmann & Mugel LLP and Kei Advisers LLP, 75 per cent of directors are spending more time on board duties and 27 per cent are attending more meetings.

These meetings discuss risk mitigation and internal control governance issues as recommended by the Institute of Internal Auditors Australia in its handbook called the National Position Statement on Accountability and Control. This handbook directs organisations to have:

  • Clearly defined and communicated objectives of internal control
  • Assigned accountability for internal control that is commensurate with roles and responsibilities
  • The right attitudes, behaviour and training to support effective control, and
  • Appropriate policies and guidelines.
Most executives will tell you that they have a rigorous methodology in place to handle risk management and internal control issues. An example of such a methodology/roadmap is as follows:

These five basic components of the methodology are typically used to produce a risk mitigation plan for the board to consider. This plan is necessary because the regulations require periodic sign-offs from the CEO (or equivalent) and the CFO (or equivalent) to the board that sound risk management, internal compliance and control processes are in place.

In spite of this vigilance, few CEOs or CFOs serve their terms in office without being confronted with unwanted surprises arising from the failure of internal controls.

Typical surprises range from the monies coming in and going out not reconciling back with what's shown on the general ledger; staff, clients and service providers finding ways of defrauding significant sums of money; and IT staff not being aware of how weaknesses in the computer systems expose the organisation to risk. Such surprises can bog an organisation down in an endless cycle of firefighting activities, leaving decision makers with very little time to be innovative.

Frequently, the ensuing state of disrepair is so extensive that the organisation is competing in the marketplace with one hand tied behind its back. Then, as the organisation begins uncovering a frightening number of transactions that are processed manually, its internal controls take a back seat.

From an executive's perspective, it is easier and cheaper to maintain the status quo. If this logic were applied to cutting a 10 square metre lawn with a mower that broke down 50 times, it is easy to understand why an organisation in these circumstances has little room to eliminate internal control issues, let alone become innovative.

This risk-averse culture in Australia differs markedly from the culture found in the US, Europe and parts of Asia where executives see a strong link between efficiency, innovation and success. They adopt and embrace the attitude that failure/risk is a justifiable pit stop on the road to business success. In part, that success is shaped by an organisation's willingness to review and minimise its internal control issues so those issues don't get in the way of innovation.

Such a review of an organisation would occur between its internal audit and IT audit staff. This team can enhance and dynamically change a company's internal audit function into a proactive force in true risk management activities. IT controls can represent up to 75 per cent of an organisation's internal controls. It is ironic, however, that the very people most suited to drive the internal audit to a new level of technical detail are the most difficult to find.

It is not realistic for an internal auditor with no technical background to sign off on a systems control review that he/she is not qualified to judge. An internal auditor should not have to be dependent on non-IT audit staff because these people can easily overlook key issues when extracting information from the system.

IT auditing staff are difficult to come by because most of the technical people who have the relevant skills lack the accounting background. The best people in an IT audit role are those who have both skill sets. The IT auditor would use his or her business/IT expertise to identify all risks to the appropriate processes. In turn, these processes will generate the transactions that will produce the journal entries in the general ledger.

An effective internal auditing function should be assessed on how well these transactions end up in that ledger. The aim is a "true and fair" representation of the processes into the financial statements that a CEO and CFO can feel comfortable about.

Examples of internal control issues that have been found in some Top 100 organisations include:

  • systems that do not keep adequate audit trails
  • modern executive information systems that do not prevent back door access into the company's data, and
  • investment clearing systems that allow users to swap their security profile so an inexperienced internal auditor would assume that the proper technical controls are in place.
Integrating risk management and internal controls is a vital evolution for most organisations, especially as they seek to comply with ASX Guidelines and CLERP 9.

The integration is critical also to organisations in Australia that must comply with SOX (eg NAB and BHP Billiton) and for Australian subsidiaries of US-listed companies (eg Holden as part of General Motors).

Before CEOs and/or CFOs can sign off on whether the financial statements are true or not, they need to see and understand the complete picture. It is a paradox that the very technical engine of today's transaction-driven market is the least available skill set in the internal auditing departments of most organisations. How much risk are you prepared to take?

* Krist Davood is director - professional services and enterprise risk management in the Melbourne office of global accounting and business advisory firm PKF. His e-mail address is
