Optimizing organizational risk 

Businesses always need to think about the risks that exist both inside and outside the organization. If you understand your risks and have the controls framework in place, you can deal with them.
Mike Nolan

Global Head of Internal Audit, Risk & Compliance Services

+1 713 319 2000

The real value for an organization comes when you elevate your risk management processes from a focus on compliance to something that creates value.

Prior to the implementation of Sarbanes-Oxley legislation, internal audit had been moving toward more value-added functions. But, as a result of greater regulatory compliance burdens, internal audit teams, of necessity, had to behave more like internal policemen.
 
Companies’ approach to this compliance burden is now more settled and it is time to re-assess the internal audit function. The role of the internal auditor should evolve. It should add value to the business by identifying risks and issues which previously lay outside of its ‘compliance-only’ remit.

This isn’t a case of professional advisers trying to make an issue sound dramatic: ratings agency Standard & Poor’s has stated that it will now be taking a company’s Enterprise Risk Management (ERM) frameworks into consideration, thus elevating the issue to one which can have a real impact on a company’s finances.

What are the common problems I may face when tackling this issue?
It is difficult to talk about common problems — many businesses don’t realize there is a shortcoming in their organizational risk set-up until it is too late. The challenge is to look more widely at business risks than you are obliged to from a compliance point of view.

The questions you should ask include the following:
  • Are we too focused on basic compliance objectives?
  • Are we monitoring the right risks?
  • Are our risk mechanisms alerting us to the right risks, at the right time?
  • Why are we focusing so strongly on the financial risks when there are actually more non-financial risks within the business which go unmonitored?

So what should I do?
  • Assess your risks across the whole organization, creating a ‘map’ of risk hot-spots. Don’t forget to include potential vulnerabilities.
  • Put an appropriate controls framework in place.
  • Ask questions about how your business is set up to respond to a risk issue and whether the right people, policies and procedures are in place.
  • Determine whether internal audit has aligned its plan to address the organization’s top risks and has the skilled resources to execute it, or whether internal audit strategic sourcing is required.

In summary
Do you want your internal auditors to be monitoring solely those risks which tick a compliance box? Or do you want your internal auditors to operate within a framework that makes them much more valuable:
  • identifying diverse financial and non-financial risks across the whole business
  • heading off issues before they arise
  • driving recommendations to enhance controls and performance.

This is about getting the most out of compliance-driven value preservation.

How can KPMG firms' professionals help?
KPMG professionals can advise you with:
  • managing risk at the enterprise level
  • seeking efficiency and effectiveness of internal audit
  • achieving value from the risks and control framework
  • preventing, detecting and investigating fraud
  • helping to limit exposure to major capital projects, technology and global threats.