To clarify, the question I am asking is twofold. One relates to the perceptions created for the end client, management and the Board. The second relates to governance.
Taking the second question first, does having risk and audit both report through to one person mean that that person has a conflict of interest? When might this be the case, and under what circumstances? Does it depend on the specific arrangements for risk and audit, or is it simply better practice not to have them linked? Are they linked simply for the organisation to save money, or for good reason? My premise for considering this a potential dilemma is that risk management is a support function and audit is an assurance function, and audit should be assuring management and the Board from time to time that risk management is doing a great job of supporting the business.
Turning to the first question, does linking risk and audit serve to confuse the business? Does it create or reinforce existing perceptions that risk is a compliance function?
I have plenty of reasons to argue that risk and audit should not report to one person, however, let me give you some perspectives from speakers at the RMIA Conference in Brisbane last week.
Collaboration of Risk and Audit:
Several speakers discussed how, as Group Manager for Risk and Assurance or under similar titles, they had seen great benefits from the collaboration of risk and audit. This I can see: there is no doubt that risk should know what audit is thinking so they can help support the business, while audit should know the results of risk profiling and the controls the organisation is relying on for the management of risk.
My problem is when the risk team and the audit team report to the same person. I made a comment and asked a question at the conference that went like this:
“I am not entirely convinced of the merits of risk and audit coming together under one person. I quite regularly have phone calls from professionals asking me for information to support their view to management that their dual role should be split. The main reason: because they feel conflicted. I asked, ‘Is this because of the personality or skill set of the person, because of the business model they are operating under, or simply because it is true?’
Cannot two different teams reporting to two different managers ensure collaboration between the two teams while remaining independent and free of conflict?”
Perceptions of Risk and Audit:
My view of the risk function is that risk should be striving to become a trusted advisor to the business and leave assurance that risk is being managed well to the auditors. The main reason is that to be a trusted advisor your (internal) client should not look at you as an internal cop.
There were two very important statements by Chief Risk Officers at the RMIA Conference that reinforced my view on this:
Peter Dean, Bank of Queensland. Peter said that his role as a member of the executive team is that of a strategic advisor. Personally, I believe any amount of the “compliance brush” being painted on that role will diminish its effectiveness. Managers will tend to “game” anyone who is checking up on them.
The second was Mark Hamill from Fortescue Metals. Now, I only came in on his presentation just as he was saying this, so this is not a direct quote. He said words to the effect that one of the managers he was working with was saying that he was happy to help him with the risk profile, rather than Mark helping the manager! This is the classic management perception that risk is a compliance function and not a critical success factor for the business.
What a long post! My apologies, however, I am really keen to hear your views and wanted to give some good background to my thinking.