Just look at the number of sessions at audit conferences that address risk management in some form or another. Or Google “Risk Management Conferences” and you will get some idea of how big this area has become outside of the audit world.
Yet whenever I ask an audience at an audit conference how many of their organizations have a formal enterprise risk management program or function in place, I am still surprised by how few actually do. I can see why this is the case in practice. Establishing a comprehensive enterprise-wide risk management process must often seem overwhelming. “Boiling the ocean” could look like a simple task in comparison.
I suspect one of the challenges is that in many parts of an organization, risk management can be seen as just one more overhead, one more process or system that someone has decided needs to be implemented and is going to create more work and headaches. Most auditors do not think this way — risk and control being fundamental to so much audit thinking. But the auditors’ mindset is normally focused around risks in financial and operational systems. When these topics are shifted into a business area context, the eyes of many business managers start to glaze over as they see just one more thing that is going to get in the way of their own priorities in getting their job done.
So, the topic of risk management has probably already created the wrong impression in many organizations. But this view can be changed if business managers think of risks in a different light: one that is very pragmatic and fundamental to their roles.
In my own past direct business management experience, I have noticed a reluctance by some business leaders to openly discuss risks to key projects and initiatives. The focus is usually on the objective and what needs to be done to achieve it, rather than a balanced approach to recognizing and assessing business risks and then working out the best ways to monitor and address them.
This can be where the disconnect occurs between audit’s support of risk management processes and the business’ interest in actually implementing them. Auditors have not traditionally done a good job in talking about the business risks that business managers should really care about. Recent surveys show that audits of strategic and key business risks represent a very small fraction of the overall audit universe.
Auditors are usually great at thinking about all the things that can go wrong in processes, systems and controls, but often lack experience or insights into fundamental business issues. At the same time, business managers are often reluctant to practice a healthily risk-oriented approach and mindset.
(Source: ACL Blog)