A short while ago, I was talking to an internal audit manager whom I had been helping with her audit of enterprise risk management at her company.
Not surprisingly, her team found a great many issues. Communicating her opinion, that the risk management team and related activities were not seen as helping management make informed and intelligent decisions, was not going to be easy.
Part of the problem was that there were some significant failings at a detailed level, such as not updating risk limits and other guidance on a regular basis as the business changed. It would be too easy to get distracted by the trees, rather than the state of the forest.
In addition, her manager (the CAE) was strongly of the opinion that the organization needed a risk appetite statement – which the manager realized was not the issue (and we agreed that it was not a great concept).
The CAE had dictated that every audit report had to follow a strictly enforced format.
So even though the best way to communicate an assessment of risk management is using a maturity model, that would not be permitted.
All I could do was sympathize and offer to meet with her CAE. I hope she can find her way through this.
My suggestion was to put a lot of effort into communicating the results of the audit through face-to-face meetings, even if they have…
