New Zealand


  • Service: Advisory, Risk Consulting, Internal Audit, Risk & Compliance Services
  • Type: Business and industry issue
  • Date: 3/02/2010

Optimising organisational Risk 

Businesses always need to think about risks both inside and outside the organisation. If you understand your risks and have the controls framework in place, you can deal with them. The real value for an organisation comes when you elevate your risk management processes from a focus on compliance to something that creates value.
Internal audit has been moving toward more value-added functions, away from its historical focus on compliance and financial risks and controls. The role of the internal auditor has evolved to one that involves identifying risks and issues that previously lay outside of its ‘compliance-only’ remit. It is expected that internal audit and risk management should have a real and demonstrable impact on a company’s performance and financial position.

What are the problems I may face when tackling this issue?


Many businesses don’t realise there is a shortcoming in their organisational risk set-up until it is too late. The challenge is to look more widely at business risks than you are obliged to from a compliance point of view.

The questions you should ask include the following.

  • Are we too focused on basic compliance objectives?
  • Are we monitoring the right risks?
  • Are our risk mechanisms alerting us to the right risks, at the right time?
  • Why are we focusing so strongly on the financial risks when there are actually more non-financial risks within the business that go unmonitored?


So what should I do?


  • Take an assessment of your risks across the whole organisation, creating a ‘map’ of risk hot-spots. Don’t forget to include potential vulnerabilities.
  • Put an appropriate controls framework in place. This should include an emphasis on a risk aware organisation where management and staff members have a common understanding about the organisation’s expectations around risk management.
  • Ask questions about how your business is set up to respond to a risk issue and whether the right people, policies and procedures are in place.
  • Determine if internal audit has aligned its plan to address the organisation’s top risks and if it has the skilled people to execute it, or whether internal audit strategic sourcing is required?


In summary


Do you want your internal auditors to be monitoring solely those risks that tick a compliance box? Or do you want your internal auditors to operate within a framework that makes them much more valuable:

  • identifying diverse financial and non-financial risks across the whole business
  • heading off issues before they arise
  • driving recommendations to enhance controls and performance.


How can KPMG firms' professionals help


KPMG professionals can advise you on:

  • managing risk at the enterprise level
  • seeking efficiency and effectiveness of internal audit
  • achieving value from the risks and control framework
  • preventing, detecting and investigating fraud
  • helping to limit exposure to major capital projects, technology and global threats.

Sign up now

Subscribe to selected content and receive email alerts when new content is available for viewing on this site.


Already a member? Login


Not a member? Register