Executives and managers fret when it comes to internal audits and risk controls. It is a pity that most ignore the fact that the fundamental role of these measures is not a witch hunt but a preventative step that establishes a corrective mechanism every enterprise needs. However people perceive the function of internal audit and risk management, it helps businesses and professionals develop greater resilience in their areas of business responsibility and in achieving their key performance indicators. While it safeguards their interests from professional liability-related risks, it also boosts their professional output and stature.
Risk mitigation and management are business-critical levers without which business continuity cannot be self-sustained and full commercial enterprise value cannot be attained. Risk mitigation needs to be embedded in the mainstream organization through a well-integrated enterprise risk management system. It needs to be fully aligned with the organization’s core values and co-owned as part of the shared vision and goals across the whole business.
These days most enterprises are exposed to multiple risks, which have increased significantly as businesses try to capitalize on the opportunities and threats emanating from digital transformation. They need to build a new-age enterprise risk management system that assists their executives in effective decision making. The consequences of ignoring or failing to act on risk can be disastrous and lead to loss of customers and market value. Operational risk managers need to think about decision-making frameworks across the organization and how these can exert influence when executives have to make quick decisions. Enterprises have to seek not only to embed risk controls but also to make such restrictions transparent and visible, to promote greater organizational legitimacy. This makes management accounting, risk management and corporate governance interdependent and more effective.
How to make it work? Business risks cannot be safeguarded merely by appointing an internal auditor or by undertaking random audits; a risk mitigation culture needs to percolate across the organization and be embedded into all core processes. It must not be an additional or isolated measure but part of the key result areas of organizational performance management. Each department, position and role must have specific Key Result Areas in this domain. It must not be enforced or kick-started as a reaction to events but be a proactive outcome. Corrective risk management measures and related actions must emanate from the organization’s own embedded risk management regime, not as a reaction to red flags raised by a third party or audit alerts. In the ordinary course of business, as part of routine business tasks, specific measures must be in place for risk controls. For instance, in the context of reconciliations, management review is required across multiple areas, such as scrutiny of payables, petty cash and bank reconciliations, or other measures that warrant close monitoring.
Self-regulation and adaptation of risk management through collective ownership by stakeholders is an accurate sustainability benchmark, and it is the only way for risk management to achieve its desired goal. Building and maintaining a risk register with comprehensive risk guidelines across all facets of the business is critical; it must not be left to Finance or HR alone. Effective corporate governance calls for all departmental functions to co-own each risk, from operations, business continuity, commercial and insurance to market risk and many more, driving the five basic risk management principles: risk identification, risk analysis, risk control, risk financing and claims management.
There needs to be a transformational shift in the organization’s culture too, as the treatment meted out to the risk management professional, be it an internal auditor or a statutory auditor, is inappropriate and counterproductive. Organizational executives usually meet their observations and queries with suspicion and at times with aggression. Most professionals react to their views with hostility and defensive posturing. The perception takes hold that auditors simply want to raise a point. These disputes lead to unnecessary fracas with little attention paid to the actual merits of the issue, so that everyone misses the root problem. The desired outcome of effective risk management cannot be achieved only by putting SOPs in place, buying insurance, making provisions or reconciling the numbers. It requires holistic measures for future sustainability through effective enterprise risk management, moving away from a silo-based approach in which risk is stonewalled as a private function.
Organizations need to build seamless integration between their core business and risk management while giving the necessary autonomy to the risk controls department and the professionals within it. It is a collaborative function, but from a corrective perspective certain lines need to be drawn and a comprehensive framework needs to be built. Risk controls as a function must be able to raise issues freely, enabling the organization to act and to develop a stronger culture rather than one of hushing issues up.