IERP® Monthly Newsletter Issue 30 December 2021 | Page 20

Companies need to determine strategy to be able to achieve objectives in the Next Normal; getting independent assurance is therefore critical. Since ERM is about achieving organisational objectives and improving the quality of decision-making, one of the things auditors should challenge is the decision-making process. This can be done if there is proper recording or documentation of processes, and identification of unsound or biased decision-taking.

 

Risk managers need to understand how to de-bias decision-making at management level, or they will not be able to improve the quality of decision-making of the organisation. This is especially difficult as people can make biased decisions without even realising it. There are many risks to consider, not just the ones which are confined to the risk registers. The emphasis should be on the formulation of risk management plans and their execution. These should be scrupulously tracked, executed, monitored and reported by auditors, making the role of internal audit a truly critical one. This is further complicated by the temporal and constantly changing nature of risk.

 

Due to this dynamism, the impact and probability of risk are apt to change as well, making it truly challenging to determine if risk is being appropriately mitigated. In this environment, the audit function provides objective assurance that risk management processes are working effectively. Assurance may also be given from different sources, such as management, external audit or independent subject matter specialists. These forms of assurance are what the board will rely on when making decisions that affect the entire organisation. Ramesh cautioned, however, against auditors providing consultation, as this may turn out to be in conflict with providing assurance.

 

There are other reasons for auditing for compliance with corporate risk policies and procedures as well. One of these is assessing the organisation’s risk maturity levels. Existing standards such as ISO 31000:2018 may be used to assess these effectively.
