Five Reasons to Audit the Risk Management Function
Updated: Nov 10, 2021
As political, economic, social, technological, legal and environmental risks continue to emerge and shift, risk management is a core business function that affects performance and possibly even the continued existence of an organization. Whether your risk management function is focused on enterprise-wide risk management or traditional insurance risks, an audit of the function should be among the first priorities.
Internal audit plays a critically important role in bringing additional expertise and resources to the process of identifying and evaluating risks and in ensuring that appropriate risk treatments are in place. Internal auditors also understand the importance of objectivity and of bringing in subject matter expertise where needed. With this in mind, here are five ways organizations can benefit from an audit of risk management.
1. Internal auditors may learn about risks that guide future audit plans
When developing top-down, risk-based audit plans, there is usually no better place to start than by looking at what risk management has identified as key risks, especially if your company has an enterprise risk management (ERM) program. Such programs usually involve periodic risk assessments that identify and assess emerging or critical risk issues. The board or senior leadership establishes risk appetite and tolerance, and risk owners are engaged in discussion about how risks are managed and monitored.
The dialog from these ERM processes can surface many areas where controls are weak or non-existent. It may be helpful for internal audit to participate in the risk assessment process, or at a minimum, review key deliverables. These can be instructive in developing more detailed audit projects where warranted.
2. The stakes are high
Most risk management functions deal with events that could seriously threaten the company if not handled properly. Insurable risks include natural catastrophes, supply chain disruptions, industrial accidents, health crises, acts of maliciousness or violence, data breaches, multi-party casualty events, product liability and recall expenses, employment practices liability, management liability including unethical practices, protection of key persons from travel risks, and many others.
Many events are high-impact and low-likelihood. In other words, while the stakes are high, the odds are that most will never happen. This is a good thing, but it creates a greater need for objective assurance. There are no test runs. Risks can be neglected for long periods of time and no one will know. If protection against a catastrophic risk is not in place the first time around, there may be no next time.
3. Objective assurance
Due to time constraints and short-term financial pressures, mid-level executives often discount the need to manage certain risks because they have never experienced such an event. However, a single career is a small statistical sample. It is important to look more broadly at the risk issue.
By way of analogy, a property in a 100-year flood zone is determined to have a 1% chance of loss in any given year. Yet multiple lifetimes could pass without that property experiencing a flood. Or, multiple floods could occur within a short period. Risk is uncertainty, and if the consequences of an event are not tolerable, one must stay protected at all times.
Audit executives understand the dilemma of working with limited data and are versed in how to obtain objective input from outside resources. Modern boards count on internal audit to provide objective assurance, not only on financial risk issues but also on the soundness of the overall risk management process.
4. A fresh look to keep pace with organizational change
Organizations often grow, expand their geographic reach, introduce new product lines or services, add new sourcing or distribution channels, or introduce new technologies. It is important for those managing risk and insurance programs to occasionally take a step back and examine why things are the way they are, and whether they are still optimal. Sometimes the best way to encourage that level of critical thinking is to prompt it through an audit.
Seasoned risk management professionals understand the importance of obtaining independent perspectives on their work. They recognize that they can become entrenched in the day-to-day and that everyone is subject to human error. An audit can promote fresh thinking and can bring about significant improvement or address previous blind spots. An audit may also highlight that the function is under-resourced and add support to a risk manager’s request for additional resources.
5. Verification that insurance policies actually provide the coverage expected
In most business negotiations the terms of the agreement are fully documented when the deal is made. Not so in the insurance industry. With few exceptions, many months pass before the buyer sees the insurance policy that they purchased. Renewal proposals are often delivered days before the renewal effective date, leaving little time for meaningful review. Unless requested, specimen policy language is often not provided during the negotiation process. Seemingly innocuous policy exclusions could be listed on the quote, but the language might encompass a broader array of matters than the endorsement titles suggest.
It is common for insurance buyers to assume that they can transfer responsibility to a broker to secure appropriate insurance to protect their businesses and verify that policies are issued in accordance with negotiations. However, unless special circumstances are created, the broker only has the obligation to place the coverages directly requested. Some broker agreements even require that clients review their policies and inform the broker of any errors within a set time frame.
Put risk management on the audit plan
If you have not already audited your organization's risk management function, add it to your internal audit plan in 2022. You may find a new project idea, prompt meaningful improvement in how key risks are managed, and find opportunities to improve insurance coverages. Organizations can only stand to benefit when their internal audit team proposes solutions focusing on key risks.