Reflections on risk management

Guest blog Giles Parratt, Director of Audit, TIAA Ltd

Internal auditors are experts in risk management.

What then have we learnt about risk management and our internal audit role as a result of the pandemic?

As we move into a world of eased restrictions on the back of the success of the Covid vaccination programme, much will no doubt continue to be written about lessons learnt, what governments could or should have done better, how reliable was ‘the science’ and so on.

One thing that seems quite clear to me is that national governments and governance structures are generally quite good at mobilising to address crises (in varying degrees of course), quickly harnessing the resources needed to respond. People are more resilient and versatile than we sometimes imagine, notwithstanding those who are more vulnerable to the impacts.

But when a crisis hits, it is evident that we are often not prepared for it. The tendency to be reactive and not sufficiently proactive is commonplace, not just in relation to the pandemic but many other examples come to mind, such as the Grenfell tragedy and climate change. So, what does internal audit have to offer? Any internal audit plan designed to provide a meaningful chief audit executive opinion should include a review of an organisation’s risk management system. In my experience of the public sector, risk management is often ineffective and not well understood, even within the governance teams charged with designing and implementing the risk management and assurance systems.

I believe that we in the internal audit profession have a real opportunity to encourage and drive risk management processes that give greater prominence to the ‘what ifs’, providing a better balance between the known day-to-day operational risks and issues with the more strategic, intelligence-led risks. This is relevant to all sectors in terms of risk management and preparedness.

Taking the NHS as an example, we regularly see headlines about ‘scandals’ such as, recently, poor maternity care in East Kent and Shrewsbury, the Shipman murders, Mid Staffs, Bristol Royal Infirmary and others. The government has had pandemic and lockdown measures on its national risk register for many years, yet it was still a surprise to businesses and society as a whole when it happened. How many of these risks could have been avoided, or their impact reduced, through the use of available intelligence that would have identified each as an outlier worthy of further investigation?

We have had pandemic scares in the past (bird ‘flu, SARS). Would it have been unreasonable to expect better preparation for Covid-19 with, for example, some stockpiling of PPE to avoid the last-minute panic and the significant extra costs (and the associated damage to the reputation of Government)? Hindsight is, of course, a great thing, but some events are foreseeable and would rate as ‘highly likely’ in any risk rating matrix. My impression is that the intelligence community is very proficient at managing strategic risk. It has to be. From what we’re told, there is a continuing high threat of terrorist attacks, and we can only imagine the significant death and disruption that has been avoided through effective risk management interventions.

So, if we don’t already do so, let us as internal auditors ask this question of our organisations’ boards:

How assured are you about the high impact risks to your organisation?

Not overlooking those high impact risks that are perceived as low likelihood and which may therefore be off the radar.

I suggest that we need to think about how we add value to our risk management audits by examining how effectively strategic risk is identified and managed. We should also ensure that we are aware of relevant risks and issues that have materialised elsewhere, and check whether measures are in place to prevent similar ones or recurrences.

Will you be asking the question?

Content reviewed: 10 September 2021