Non-execs must step up scrutiny of risk management

19 September 2011

A worryingly large percentage of non-executive directors still need to step up their focus on risk management, according to new research just undertaken by the Chartered Institute of Internal Auditors*.  Nearly a third (32%) of Heads of Internal Audit said that their Non-Executive Directors' scrutiny of risk management was inadequate.


Heads of Internal Audit are responsible for providing an independent opinion to the company's board on how the organisation's risk management and governance are working.


The research findings highlight a number of problems that company boards still need to address:

  • Non-Executive Directors' analysis of risk may be too narrow:  28% of boards in the survey do not have a formal process to determine how much risk the business should be prepared to take on, and operational and compliance risks are given too little attention.
  • A significant minority of Non-Executive Directors may not operate sufficiently independently to challenge the business's executive team: 17% of Heads of Internal Audit reported that this was a problem within their board.
  • The review of risk within many companies is left entirely to the Audit Committee: in 63% of the companies in the survey only Audit Committee members had contact with the internal audit team, so that the other Non-Executive Directors may be missing out on the opportunity to bring their experience and knowledge to bear on an independent and objective assessment of risk management in crucial areas.


Dr Ian Peters, Chief Executive of the Chartered Institute of Internal Auditors, said:


"Boards' scrutiny of risk management still needs to become more robust.  This must be the number one lesson from the financial crisis." 
"Although our survey shows that the importance and quality of Non-Executive Directors has improved over the last five years, it is clear that Non-Executive Directors still need to become much more questioning and hands-on in their approach to risk management if they are to meet the needs of the company and the expectations of investors."


The Chartered Institute of Internal Auditors' research also identified two major barriers to Non-Executive Directors gaining a proper understanding of their company's risks.
Firstly, most NEDs have access to a limited range of information on key company issues, and are not sufficiently exposed to alternatives to the executive's views.  66% of Heads of Internal Audit reported that their company NEDs are wholly or very dependent on the business's executive management for the information they receive. 


Secondly, this may in turn be limiting their understanding of a company's operational risks, such as health and safety or supply chain issues.  While 93% of Heads of Internal Audit rated their NEDs' understanding of strategic issues, such as M&A activity, as good or very good, 28% of Heads of Internal Audit reported that their NEDs had only an average or poor understanding of the company's operational risks.


Dr Ian Peters commented: "One way of addressing this is to ensure that Non-Executive Directors are taking full advantage of the resources that the Internal Audit team can provide to ensure that they are sufficiently 'under the skin' of the business to provide the level of insight required."

The survey also identified that many businesses need to take steps to improve the understanding of risk company-wide: 71% of Heads of Internal Audit said that there was substantial scope for improving the understanding of risk within their organisation.


*141 Heads of Internal Audit in private sector organisations responded to a survey by the Chartered Institute of Internal Auditors on the part Non-Executive Directors in their organisations play in identifying and managing risk.  66% of the companies surveyed had an annual turnover of over £200 million, with 36% exceeding £1 billion in annual revenues. 19% had a turnover of over £50 million.


 

                                                     ENDS