While the three lines of defense model has drawn serious debate, with strong arguments for and against its usefulness and practicality, it is undeniable that organizations need to strengthen the relationship between the second and third lines of defense - the risk and audit functions. The roles of these two functions, although different, overlap in their purpose - a source of many long-standing arguments.
The traditional roles of risk management in keeping a check on an organization’s assets and assessing its risks, and of internal audit in measuring the effectiveness and efficiency of its internal controls, have evolved over the years. This evolution comes from decades of scandals, disasters, and crises - the most recent being the tumultuous European debt crisis - evidencing the need for more robust risk management practices that address risk from an organization-wide perspective.
When organizations look for ways to minimize the impact of risks, boost internal governance, and increase business value, one thing is for sure: bringing their risk management and audit teams together will provide a consistent and comprehensive risk management approach across the entire organization. The aim of collaboration between these two functions is to cut across functional silos, leveraging each team’s resources, skill sets, and experiences to build risk capabilities within their organization.
Differences in perspectives and terminology can be a roadblock when collaborating. This is especially challenging when you consider the close proximity in which both teams work. Evaluating how internal audit and risk teams fit into the ERM equation is no easy task for organizations. On the other hand, those that have crossed that hurdle and developed a symbiotic relationship between their teams have been able to leverage each team’s competencies, skills, and resources to complement each other’s goals.
By promoting cross-team communication, risk and internal audit teams are able to share information and intelligence. This way, through their individual approaches, both teams are able to offer insights that correlate and use a common risk language to address risk, providing consistent and systematized visibility on the risk management process across the organization.
In an effort to provide management with a holistic view of risks and the effectiveness of their controls, and to standardize the risk management process, it is imperative that the risk and audit teams work in tandem to provide assurance that critical risks are being identified effectively and proactively. Internal audit has been recognized as an integral part of the risk management process, and its role - while not to manage risk itself - calls for close partnership with the risk management team to help the organization as a whole understand risk and examine the overall risk management process.1
Linking risk assessments with the risk-based audit plan is perhaps one of the most effective ways to ensure collaboration. There is tremendous value in sharing ERM results with internal audit so that these considerations can be factored into the audit plan. In addition, discussing the risk-based audit plan with the risk management team provides insights garnered from different perspectives on organizational governance and enterprise oversight. This enables the organization to cut across silos, reduce redundancies and duplication of effort in identifying critical risks, and produce an aligned view of the organization’s risk profile.
Collaboration between the internal audit and risk management teams provides the necessary information and impetus to ensure that subsequent reports are aligned and refreshed with the same goals in mind. The enterprise risk assessment is designed to provide a sense of all the risks that an organization faces, and the audit plan defines the scope of work for the internal audit function over a given period of time. Both the audit plan and the enterprise risk assessment are reviewed on a regular basis, allowing changes in the business environment and critical risks to be brought to management’s notice immediately. Aligning the internal audit and risk teams’ views on the organization’s risk profile offers significant insight into how these changes can be managed better and which processes need to be scaled to meet new requirements.
Transparency and close partnership allow internal audit and risk management to work closely together to address risks from throughout the organization, holistically and consistently. The synergy between these two teams will help management get a clear idea of critical risk areas, as well as areas that can be exploited as opportunities. Such a comprehensive report of risks - and their controls - will provide management with the necessary intelligence to make informed, timely business decisions, enabling them to choose the most appropriate and effective measures to tackle changes in the business and regulatory environment.