Effective Risk Management Supported by Internal Audit Activities
Contributed By Anthony Padilla
Most businesses today face a shifting landscape led by economic uncertainty, closely followed by growing regulatory burdens. These variables add to an already full plate of risks facing owners, executives, investors, and boards.
Enterprise risk is a collective term – it encompasses product, personnel, operational, regulatory, fraud, litigation, economic, country, credit and other risks which management has to address to varying degrees. This is on top of operating the business and making a profit. To maintain organizational integrity, has your firm developed a process to monitor, consider, elevate, and address enterprise risks? The objective: avoid surprises and give your business enough runway to address challenges in the least disruptive and most cost effective manner possible.
For privately held concerns that are considering an equity event or going public, the “tone from the top” should consider the company’s risk appetite, existence of internal controls, and an ethical value system which extends throughout the firm. The question for ownership: Are the values you hold individually and collectively well defined and understood at all organizational levels? Today, more investors, hedge funds, and potential takeover suitors are looking for companies that have these constructs in place. Why? They provide assurance to third parties that their investment is better protected if ownership values these attributes. Additionally, for almost any new public offering, existence of an Internal Audit function may be required by the listing exchange.
The decision to have Internal Audit may not be optional for firms listed on the NASDAQ. The exchange will announce final rules on June 6, 2013 calling for listed firms to have Internal Audit in place by end of 2013, similar to the NYSE requirements. For new applicants, the function must be in place at the time of listing. As an advisor to management and executives on all aspects of risk governance, and a former risk and audit executive in the public and privates sectors, I have started and directed de novo internal audit activities. In the leadership role, I balanced qualified staff with SMEs to provide effective oversight of the internal control environment. Guidance from an experienced risk executive at onset will result in an effective internal audit approach that suits the company’s risk appetite, needs, and culture.