Let’s see: are you sure that your risk-based approach is effective? If you haven’t updated it during the year…if only the Internal Audit talks about risks…or if the budget is not related to it…well, it’s clear: the risk-based approach is not effective.
How can this be resolved? First think that the risk-based approach is a methodology, not a technical concept that only Internal Audit should know about it. When you updated it, it’s the opportunity to explain to other areas what is and how can they benefit from it. If done correctly, the other areas will begin to participate in the risk map, propose new risk ideas. Remember: Internal Audit must know the company, but the detail is in each person at their job. So, include them and you’ll get a broader view of risks and there will also be a common language in the company.
Second: explain with concrete examples of how mitigating a risk could provide to the company efficiency and effectiveness, as well as increase income and reduce expenses. Include an example of a risk that is correlated to multiple areas. In this way, people will see that the risk they manage can trigger several problems in other areas. Generally, the areas in a company only see what they do, without realizing that everything affects the operation.
Third: teach that risk is not something to fear. On the contrary: it’s an opportunity for the company to analyze what could go wrong. “Several heads think better than one”…in this way, all employees’ ideas are key for risk prevention. Change the way Internal Audit implement and use the methodology and the results will change, as well as the way other areas perceive it… So the next time someone asks: Are you sure your risk-based approach is accurate? You will say: YES.
Need training about it? Join us at Advanced Risk-Based Auditing MasterClass which will be streamed ONLINE on the 10th and 11th of September, 2020.
By Mónica Ramírez Chimal, Partner of Asserto RSC, Mexico City