Strategic Risks: How Can CAEs Up Their Game?

Jim DeLoach, Managing Director Host, The Protiviti View

The latest Common Body of Knowledge (CBOK) survey of internal audit stakeholders reports 7 out of 10 stakeholders want audit leaders to focus on strategic risks, as well as operational, compliance and financial risks, during an audit.

The message is loud and clear. Board members and senior executives are saying they wish to look to the internal audit function for insights that will help them stay ahead of the curve on managing strategic risks — a responsibility that requires collaborations across all lines of defense.

The last thing we, as internal auditors, ever want to hear when something goes wrong is: “Where was internal audit?” But how can CAEs up their game to ensure that this doesn’t happen, particularly when there is increased interest in strategic disruption risk? I recently had the pleasure of addressing this topic joined by an outstanding CAE – Chuck Windeknecht, Vice President of the Internal Audit Department at Atlas Air Worldwide, at The IIA International Conference in New York.

A progressive CAE establishes relevance with the board of directors by understanding the organization’s business objectives, strategy and culture, and identifying risks that could impede the successful execution and achievement of the organization’s strategy and objectives. This baseline understanding positions the organization and the internal audit function to constantly scan the horizon and sift through the noise so the audit committee and executive team can be given strategically relevant insights – something they don’t already know.

To do so, CAEs must be alert, informed, and able to quickly discern the vital signs of change. Success is not a matter of luck, but of preparation that leads to doing four things really well:

  1. Understand the critical assumptions underlying the business model. From an internal audit perspective, this is important to be able to adopt a contrarian view, as well as constantly be on the lookout for changes that could disrupt and threaten the company’s strategic plans and business model. CAEs must be able to access and understand opposing points of view within and outside the organization. But they need a context – and that context would be the organization’s strategic assumptions. That’s not to say auditors shouldn’t remain focused on important operational, compliance and reporting issues. The key is to leverage all available technology and tools to allow themselves more time to think strategically.
  2. Help the organization apply scenario analysis capabilities to evaluate potential situations. As the third line of defense, internal audit is one of the organization’s key components of a comprehensive risk management organization. Accordingly, if internal audit could help identify an event or combination of events that could invalidate one or more of the critical assumptions on a timely basis, it would contribute value to the organization’s leadership. While it is universally accepted that risk assessments must be refreshed periodically, the internal auditor’s line of sight is directed to timely recognition of emerging and changing risks.
  3. Ensure the organization’s intelligence gathering activities are aligned with the key indicators evidencing that scenarios of greatest concern are either developing or have occurred. It is one thing to know what can derail the strategy. It is another to align intelligence gathering with factors that signal when such events or circumstances are occurring or have occurred. Competitive intelligence creates enterprisewide transparency by seeking out forward-looking nontraditional information and data that may offer decision makers a contrarian view and early warning signs. Internal audit is well suited to assist the organization’s efforts with analyzing its early alert capabilities to more effectively mitigate the impact of disruptive developments. The understanding of strategic assumptions and an effective contrarian viewpoint enable this analysis.
  4. Help distill and de-mystify timely information about assumptions, scenario analyses and intelligence gathered. Reporting insights to decision makers is what it’s all about – setting us apart and establishing our relevance. To this end, it is critical to establish direct access to customer and marketplace feedback and provide insights that are unfiltered by the suppression occurring when information passes through traditional information siloes. Internal audit should place an emphasis on improving risk information across the organization. That can lead to better information for decision-making used in the business.

To echo my colleague Brian Christensen, these are exciting times for the internal audit profession. Our strategic advice and insight are being sought like never before. We’ve come a long way to get here. Now that all eyes are on us, it is critically important to perform with skill, intelligence and dedication, to prove that our leaders’ faith and trust in us are well-placed.