I recently attended the Risk Management Institute of Australia (RMIA) National conference in Brisbane, Australia. This was one of the most worthwhile conferences I’ve attended in quite a while. A real credit to the organisers. Well done RMIA.
What I most enjoyed about the conference was meeting lots of people who, like me, are passionate about risk management. One of the key industry challenges that surfaced over the course of the conference was the need for more effective risk monitoring.
For example, Ian McPhee, Australian Auditor-General, described in his keynote presentation Public Sector Risk Management how in his view “it is the monitoring of risk that is most important”. He went on to add that “the Australian public sector is a bit soft when it comes to monitoring risk controls”, citing recent findings from the Royal Commission into the previous government’s Home Insulation Program (HIP).
The Hon. Michael McCormack MP, Parliamentary Secretary to the Minister for Finance, also raised the need for better risk monitoring in his keynote presentation entitled A New Commonwealth Approach to Risk Management. He referenced the four installer deaths that resulted from the previous government’s botched HIP and the cost overruns associated with the building of Australia’s Collins Class submarines as prime examples of why an improved government risk monitoring capability is needed.
Another instance where the need for more effective risk monitoring came to the fore was the presentation given by Kristy Nicholson, Principal at Marsh Risk Consulting, entitled Behavioural Based Safety Within the Workplace. In her presentation Kristy outlined how Marsh has spent a lot of time working with clients to develop more effective methods of monitoring employee compliance with documented safety procedures.
Peter Deans, Chief Risk Officer, Bank of Queensland, also shone the spotlight on the banking sector’s search for more effective and efficient risk monitoring solutions in his keynote presentation entitled “Risk Taking and Risk Management in a Financial Institution”. Of particular interest to me was the amount of time and money the world’s largest banks are spending monitoring and controlling their non-compliance risks. As Peter pointed out, one of the world’s largest banks, Citibank, will have almost 30,000 employees in compliance roles by the end of 2014. In his opinion, “a lot of this work involves a duplication of effort”.
As an experienced quality and risk management consultant who has spent a lot of time in the Australian utility sector, I found the presentation by Suzanna Hatch, ActewAGL Manager Assurance and Risk, most interesting. In her presentation entitled “When Risk Management Collaborates with Audit Function” Suzanna outlined how her group is working closely with Internal Audit to optimise their company’s risk monitoring and reporting capability. Interestingly, according to Suzanna, there remain a lot of challenges before her group is able to work collaboratively with operational risk owners.
Finally, I’d like to mention Guy Underwood’s keynote presentation “Managing Corruption Risk”. Guy is the Executive Chairman and Founder of RISQ Group and President of RMIA’s Victorian Chapter. One of the things I found particularly interesting about Guy’s presentation was his comment about asking senior managers “what keeps them awake at night?” The answer: “not knowing what my employees are doing”.
What I took away from the conference is that the demand for more effective risk monitoring systems appears to be driven by two common, and related, limitations of auditing systems.
The first is that most auditing systems are not scientifically based. In other words, there is no statistical logic behind the calculation of the audit sample size or the analysis of the results. Without that, the level of certainty surrounding an audit result remains unknown, which significantly restricts management’s ability to make important risk control decisions.
To demonstrate the point, try this simple test. Ask yourself: is my current auditing system capable of determining whether an external vendor is delivering services or products in accordance with my specified compliance requirements?
Unless your auditing system is scientifically based, I’d be very surprised if you answered “yes”. The simple fact is that auditing systems without a statistical basis are incapable of providing the level of assurance needed to make important risk monitoring and control decisions; reliable decisions need reliable data.
The other, related, weakness is that most auditing systems are incapable of determining when action should be taken to strengthen risk controls, and at what level. This is a multifaceted problem, but I’ll try to keep it brief.
In my experience most companies will only take action to strengthen risk controls when a non-compliance is identified during an audit. And even then, one non-compliance will normally not be enough to justify strengthening controls.
The biggest problem with this approach is that unless your sample size is big enough, there is a good chance that major non-compliances will go completely undetected during an audit: a small random sample drawn from a population in which only a few percent of items are non-compliant will, more often than not, contain none of them.
It shouldn’t come as a huge surprise to learn that many of the most serious risk events to have occurred around the world over the last five years were caused by organisations that thought they had adequate risk controls in place; only to find this wasn’t the case after the event.
The other problem with this approach is that not all non-compliances carry the same level of importance, or risk. For instance, you wouldn’t necessarily respond to a minor non-compliance (e.g. a form not filled in correctly) in the same way as a major non-compliance (e.g. an unauthorised invoice).
In other words, it doesn’t make sense for organisations to respond the same way to every observed non-compliance. Yet in my experience this is where a lot of conventional auditing systems fall down. The net result is that rather than focusing an organisation’s limited improvement resources on the areas of its greatest risk exposure, they are spread thinly across all risks.
It is for these reasons, and others that I haven’t had time to cover in this article, that I believe acceptance sampling holds the key to more effective risk monitoring and control.
Not only are its proven statistical methods capable of advising managers when action is needed, and what action, to mitigate different types of non-compliance; in most cases it can also lead to less auditing work.
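To put numbers on the two claims above (that a small sample can miss major non-compliances entirely, and that an acceptance sampling plan tells you when to act and how much to sample), here is an added worked example in Python. It is not code from the original post or from Compliance Master; the lot size, number of non-compliant items, sample sizes and acceptance numbers are constructed assumptions, and the severity classes used in the decision rule are a hypothetical illustration of the major/minor distinction made above.

```python
"""Added example (not code from the original post or from any product it
mentions): the arithmetic behind "unless your sample size is big enough, major
non-compliances can go undetected", and how an acceptance-sampling plan turns
a sample result into an act / no-action decision.

All figures below (lot size, number of non-compliant items, sample sizes,
acceptance numbers, severity classes) are constructed assumptions.
"""
from math import comb


def prob_undetected(lot_size, defectives, sample_size):
    """Probability that a random sample of sample_size items drawn without
    replacement from a lot of lot_size items, defectives of which are
    non-compliant, contains none of them (hypergeometric, k = 0)."""
    if not 0 <= defectives <= lot_size or not 0 <= sample_size <= lot_size:
        raise ValueError("defectives and sample_size must lie within the lot")
    if sample_size > lot_size - defectives:
        return 0.0  # more items sampled than compliant items exist
    return comb(lot_size - defectives, sample_size) / comb(lot_size, sample_size)


def min_sample_for_confidence(lot_size, defectives, confidence):
    """Smallest sample size that sees at least one of the defectives with
    probability >= confidence (a zero-acceptance-number 'discovery' plan)."""
    for n in range(1, lot_size + 1):
        if 1.0 - prob_undetected(lot_size, defectives, n) >= confidence:
            return n
    return lot_size


def prob_accept(lot_size, defectives, sample_size, acceptance_number):
    """Probability that a plan (n = sample_size, c = acceptance_number)
    accepts the lot, i.e. finds at most c non-compliances in the sample
    (hypergeometric cumulative probability)."""
    total = comb(lot_size, sample_size)
    p = 0.0
    for k in range(0, min(acceptance_number, defectives, sample_size) + 1):
        if sample_size - k > lot_size - defectives:
            continue  # not enough compliant items to fill the rest of the sample
        p += comb(defectives, k) * comb(lot_size - defectives, sample_size - k) / total
    return p


def oc_curve(lot_size, sample_size, acceptance_number, defective_counts):
    """Operating-characteristic points: P(accept) for each assumed number of
    non-compliant items in the lot. Shows what a plan will and will not catch."""
    return [(d, prob_accept(lot_size, d, sample_size, acceptance_number))
            for d in defective_counts]


def audit_decision(observed, acceptance_numbers):
    """Severity-specific decision rule (hypothetical severity classes).
    observed maps severity -> count found in the sample; acceptance_numbers
    maps severity -> c. Any severity whose count exceeds its c triggers
    action; otherwise no action is taken on this audit."""
    triggered = [s for s, n in observed.items() if n > acceptance_numbers[s]]
    return ("act", sorted(triggered)) if triggered else ("accept", [])


if __name__ == "__main__":
    # Constructed scenario: a vendor submitted 1000 invoices this quarter and
    # 20 of them (2%) were not authorised. The audit pulled 10 at random.
    lot, bad = 1000, 20
    print(f"P(10-item audit finds none of the 20): {prob_undetected(lot, bad, 10):.3f}")
    print(f"sample needed for a 95% chance of seeing one: "
          f"{min_sample_for_confidence(lot, bad, 0.95)}")
    for d, p in oc_curve(lot, 50, 1, [0, 5, 10, 20, 40]):
        print(f"n=50, c=1: {d:3d} bad in lot -> P(accept) = {p:.3f}")
    # Majors get c = 0, minors get c = 3: one unauthorised invoice forces
    # action, a couple of badly filled-in forms do not.
    print(audit_decision({"major": 1, "minor": 2}, {"major": 0, "minor": 3}))
```

With these constructed figures, a ten-item audit has roughly an 80 per cent chance of finding none of the twenty unauthorised invoices, which is the sense in which a non-compliance can "go completely undetected". The discovery-sampling routine shows how large the sample has to be before that chance drops to 5 per cent, and the OC curve shows, for a fixed plan, how the probability of accepting the lot falls as the true number of non-compliances rises; choosing the plan is then a matter of deciding which non-compliance rate you must catch and which you can tolerate, rather than auditing everything.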
To find out more about how acceptance sampling can transform your current auditing processes into a reliable and cost effective risk monitoring and control system click on the following link, or go to www.compliance-master.com .