Who is responsible for risk guidance? This is a harder question than it might first appear. At the moment, there are a number of professional bodies, including the Chartered IIA, that have some role in helping organisations to identify, manage and mitigate their risks. There are also regulatory bodies, such as the PRA, FCA and FRC, which have defined legal roles, but which are also limited in their scope to specific sectors or topic areas and may get involved only after things have gone wrong.
Many individuals in organisations, from those on risk committees and audit committees to senior executives and non-executive board members, are also responsible for elements of risk assessment and management, but it has become apparent that there is no clear guidance setting out responsibilities or what good practice looks like. Existing bodies may have a slice of responsibility for a single sector or area of training, but none has the whole pie.
This needs to change – not least because the failures of organisations such as Carillion and Patisserie Valerie are raising important unanswered questions about why they happened and who exactly was accountable. People want to know who was to blame in situations like this, and at the moment it is not clear what must be done better and by whom.
This is why a group of organisations and professional bodies have come together as the Risk Coalition to create guidance for risk committees and risk officers that will define best practice and set out what they need to be doing to demonstrate effective risk management. It is a long overdue and essential step – not least because if we don’t do this voluntarily then it is likely that regulators will have to step in and create new rules and regulations. This is rarely a good outcome, since most organisations will benefit more from principles-based guidance and help to develop aspirational best practices than they will from legal rules that often constrain accountability and may have many unintended consequences over time.
I see this as a wonderful opportunity to create a clear code with input from all the various stakeholders in this field. I am a non-executive director on a number of boards including experience of a bank, listed firms, start-ups and the public sector, and I have also worked closely with regulators and am an adviser to the FRC, so I have seen the urgent need for this across a wide range of boards and organisations.
The risk committee is currently only as good as the people on it and the average water line at the moment is probably not even half way up; in some it’s almost at the bottom. Similarly, many senior managers still do not really understand the assurance expectations of regulators regarding the Three Lines of Defence model. The wider set of people involved with risk need guidance that is brief, principles-led and aspirational. We want people to read it and think “well we don’t look like that yet, but we could do in future”.
So far, the Risk Coalition has completed draft guidance for risk committees and for chief risk officers and we put this out to consultation in June. I’m delighted that the Chartered IIA got involved early on and was quick to see the advantage of joining the conversation. Internal auditors need to have a place at this table and be part of the discussion – building on other guidance already published by the profession, of course.
The Chartered IIA is in an important position because its members work across all sectors. The new guidance should also help them to do their jobs because it will emphasise areas such as the importance of the risk officers' independence and reporting lines, why internal audit should be involved in discussions about the most important risk issues in the business and how these need to work across so much of the governance structure.
The aim of the coalition is to get past technical debates about job definitions and turf arguments about where boundaries between functions lie and to set down what organisations need to achieve to ensure their current and emerging risks are adequately identified and managed, and that their risk appetite is established correctly, understood and applied. Internal auditors are in a central position to contribute to this discussion and help their organisations to understand its importance. We’re pleased to have you on board.
Bryan Foss is an independent non-executive director with 15 years’ experience in a variety of sectors. He is also a visiting professor at Bristol Business School.
More about the Risk Coalition and Risk Guidance Initiative can be found at riskcoalition.org.uk
This article was first published in July 2019.