
Local Authority Internal Audit Virtual Forum

31 May 2023


Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the chair comments in that capacity this box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Institute welcome | Anne Keim, CEO, Chartered IIA UK and Ireland

If we are serious about meeting objectives successfully, improving service delivery and achieving value for money, risk management must be an essential and integral part of planning and decision‑making. While risk practices have improved over time across government, the volatility, complexity and ambiguity of our operating environment have increased, as have demands for greater transparency and accountability for managing the impact of risks.

Integrated Risk Management is a framework for ensuring that the key risks facing the organisation have been clearly understood and that they have been considered in conjunction with other key risks, rather than in a silo. The key objective of IRM is to deliver improved outcomes for the authority in relation to the risks that may prevent it achieving its objectives. No matter the size, industry, or location, every business looks to achieve four IRM objectives — better performance, stronger resilience, greater assurance, and cost-effective compliance. Today we explore these objectives. 

 

Chair opening comments | Piyush Fatania, Head of Audit, Risk, Assurance and Insurance at Gloucestershire County Council and Chartered IIA Council member

It seems an age since we went from systems-based to risk-based internal auditing. Our councils have also evolved and embraced risk management. Risk is inherent in everything that we do and against a backdrop of austerity and crises has often involved novel approaches.

Our speaker today, Adam Lickorish, RSM, will share thoughts on integrated risk management.

  

Integrated Risk Management

Integrated risk management (IRM) is broader than a system.

  • Risk culture is as important as, if not more important than, processes and documentation.
  • Risk appetite is becoming a useful tool to direct resource to manage risk within an organisation.
  • Risk capability varies. Everyone receiving risk and control information needs to know how to interpret it to use it effectively for decision-making.
  • IRM links directly to resilience. What happens when a risk materialises? What stress testing has been done? Has the impact been estimated?

Benefits of integrated risk management

  • Risk identification | helps to build risk culture through concise, improved risk awareness.
  • Decision making | confident choices, consideration of consequences, resilience and reputation.
  • Proportionality | strategic focus on resource allocation, practical risk appetite.
  • Collaboration | consistent approach, effective communication, brings all three lines together.

The first presentation slide outlines good IRM to enable us to think about internal audit’s role.

  • Use risk information to drive the audit plan – for example, is there value in auditing a risk if the controls are already known to be weak? Would an advisory engagement be more appropriate to support improving the design and effectiveness of controls?
  • Horizon scanning outputs – how do these inform internal audit’s view of the internal control environment? Using this information can aid insight and foresight by enabling future resilience, not just providing assurance for today.
  • Internal audit has a role in bringing the whole organisation on the risk assurance journey. It is not obvious to everyone, particularly concepts like the three lines model or how risk management flows through from operational activities to strategy at the board.
  • There is growing demand for risk deep dives. This plays to internal audit’s strengths and is a useful exercise to give comprehensive insight to the board for decision-making, particularly when interconnected risks are considered.
  • Internal audit actions typically have better traction than risk actions on a risk register. Why not treat them the same, as they are equally important? Integrating them also prevents duplication of effort.
  • When doing a risk management audit, be sure to consider the risk culture, not just the process. Is it moving the organisation forward? Is it adding value or ticking a box?

Four key messages from today

  1. Be clear as to internal audit’s role in IRM
  2. Consider the impact of emerging risks in all audit engagements
  3. Take a proportionate approach, one size doesn’t fit all
  4. Communicate and collaborate, break down the silos

 

Chair closing comments

There is a clear desire for change from internal auditors for a more flexible way of working as seen in new proposed Standards. A big barrier is moving on from the comfortable, dealing with inertia and the capacity of teams. It’s all too easy to get caught up in defining and measuring days rather than the value of the work undertaken.  

  

Institute close | Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA

It’s essential to have the right risk owners for the right risks. It drives accountability and risk management.   

Our next session is 21 June 2023 where we will hear from Richard Chambers about being a trusted advisor.

A spin-off Data Analytics for Local Authorities forum is being set up to address the specific needs of your sector. If you are interested in joining, please email mandy.coleman@iia.org.uk

Dates for your diary 

  • 14 June: HIA Forum – FRC Update on UK Corporate Governance Code (please e-mail mandy.coleman@iia.org.uk if you would like to attend)
  • 7 July: Midlands Conference – Birmingham (book here)
  • 3-4 October: Internal Audit Annual Conference – London/virtual (book here)

 

Chat Questions and Comments

Answers from speaker, anonymised comments from attendees

Question | Here is an early challenge. How much are risk registers and other risk artefacts just tokenistic rather than a means of actively managing risk?

Response | A risk register is a repository of risk information, it’s not what you use and report. Are you creating risk information for risk information’s sake? It needs to be a management tool.

Comment | It can be seen as a chore/task to be done periodically rather than being embedded in everything the Leadership Team do/consider. Risk management implications in Committee reports are often a token attempt and not really any use for decision makers. 

Question | Supply chain issues are pertinent for councils - perhaps not directly - but our suppliers and contractors may face more acute issues – obtaining raw materials/labour - which can affect our service delivery.

Response | Hasn’t always been seen as a local authority issue but increasingly supply chain management is a key part of resilience. It’s also not just about an individual authority’s reliance or concerns regarding a supplier – they can be contracted across multiple authorities which leaves a huge impact in the market if they have operational or financial issues impacting their service delivery.

Question | I would be interested in your thoughts on what effective risk escalation looks like. There have been a few instances recently where risks at a project level have been considered in isolation without thinking of the impact on other parts of the organisation.

Response | Often logging urgent or high severity risks on a risk register is not effective as the process is too slow. The culture at meetings needs to allow for risk conversations.

Comment | I have seen a guiding principle being applied that "good news must travel as quickly as bad news." What has followed has been a clearer identification of escalation points and a much clearer understanding that escalation must happen against the revised thresholds.

Question | Thinking about the linkages between risks. How do you think these should be recognised and documented?

Response | Can be difficult to administrate in Word and Excel – a reference can work well between strategic and operational risks for example.  

Comment | Sharing operational/departmental risks can give visibility to risks that aggregate to being material at an organisation level. It’s possible to then differentiate between risks that people have ownership of day to day and the few that need to be escalated to the board.