Fundamentals of Risk Management
Risk assurance
Risk management and internal audit

In many large organizations, the working relationship between risk management and internal audit can be difficult. Internal audit will be working to an agenda that concentrates on the effective implementation of efficient controls. In general, the head of internal audit will have a senior reporting line to the most senior non-executive member of the board, perhaps even the chairman. The risk manager will often have a less senior reporting line, typically to an executive member of the board. This is likely to be the company secretary or finance director.

The difference in reporting lines can be a frustration for the risk manager, but the complementary roles of risk management and internal audit should be seen as an opportunity to ensure more effective implementation of the risk management protocols and procedures. Both parties should look for areas where they can co-operate without compromising the overall aims of their individual contributions. For example, both risk management and internal audit should attend risk assessment workshops. Risk managers may facilitate the risk assessment workshop, but the responsibility for managing risk will always rest with the manager of each operational department. Also, the presence of an internal auditor at the risk assessment workshop should not be seen as a threat by line management.

Internal audit professionals require that control measures are identified in very precise terms that can be audited. The focus of internal audit activities is on the impact that the control measures actually have in practice. During an audit, internal auditors will request and be provided with information and data. The approach of the internal auditor is to test that information, so that the facts of the situation may be established. In summary, internal auditors take the somewhat challenging view that information plus testing equals facts.
An approach that has become increasingly popular in recent times is usually referred to as the three lines of defence. This approach is entirely consistent with the role of internal audit in enterprise risk management, as identified in Figure 35.1. The three lines of defence model is based on the ideas that:

1) management has primary responsibility for the management of risk;
2) specialist risk management functions can assist management in developing an approach to fulfilling their responsibilities; and
3) the internal audit function checks that the risk management process and the risk management framework are effective and efficient.

The primary role of management can be divided into the three layers of top management (directors), middle management (managers) and staff or employees. This division is compatible with the roles and responsibilities allocated to the three levels of management in Table 22.1. Specialist risk management functions may operate at corporate or group level as an overall facilitator of the development, implementation, monitoring and improvement of the risk management framework.

Risk management functions will also include business continuity, as well as health and safety. These specialist risk management functions fulfil the same role as the group risk management function, but in a more specific area of risk. Typical roles and responsibilities allocated to risk management functions are also shown in Table 22.1.