Wednesday 20 December 2017

Risk and Audit in the Age of Vulnerability

We are in the VUCA world

If we accept that profit is the reward for risk taking, all companies have to deal with risks in creating value for their customers, investors, and other stakeholders. This means that picking and choosing risks which correspond to the risk appetites set by boards, who are ultimately responsible for the governance of enterprises, should be an activity which boards and senior management must be familiar and comfortable with.

The strategic options chosen by enterprises shape their risk profiles, which would also be influenced by their chosen markets and operating environment. In the past few years, VUCA, which stands for Vulnerability, Uncertainty, Complexity and Ambiguity, has become synonymous with the state of the global business environment. Geopolitical events, natural disasters, market collapses and disruptions brought by technological advancements have made the world less certain and predictable, thereby lifting the overall risk barometer.

Regulators have responded to this new environment by issuing tighter regulations, which have led to compliance risks becoming key risks for companies, particularly for financial institutions and market intermediaries. Populist movements in America, Europe and many other countries against established political philosophies have also reshaped many governments and global policies. The election of President Trump in 2016, for example, has resulted in policy reversals by the United States in areas such as climate change and global trade, which have in one way or another affected many global businesses that developed their strategies based on pre-Trump policies.

Risk management and effective audit becoming more important

The increased level of uncertainties means that boards and management have to continuously understand the shifting business landscape, assess and manage risks effectively and capture opportunities faster before their competitors do. 

Such expectations have created demand for companies to enhance their risk management and audit functions so that they can continue to create and capture value in the VUCA environment while remaining sustainable enterprises in the long run. Why?

It is important that the risk management function of an enterprise is not only able to detect emerging risks but can also work with management to find ways in which those risks could be mitigated within the risk appetite of the board, so that the enterprise could proceed to venture into opportunities within that market segment. This may require some controls to be put in place to address the identified risks, but those controls should not result in unnecessary costs or in the setting up of non-value-adding processes which could slow down decision making and time to market.

The audit function, another layer of defence mechanism in modern enterprise management, focuses on the assessment of effectiveness of the whole risk-taking and risk management processes and whether controls are working as planned. The assessments made by internal auditors would help audit and other relevant committees to perform their roles effectively. Internal auditors are now even expected to be able to add value at the strategic level by framing their views beyond the pass or fail approach. If internal auditors are able to meet this expectation, discussions in audit committee meetings would be more valuable.

While external auditing would normally focus on the auditors’ opinion on whether the financial statements are true and fair, external auditors are a great source of information and insights to audit committees and even the full board. They should be able to share their observations on the state of play of industries, emerging risks, best practices and above all, on the quality of management in dealing with matters which the auditors deem to be critical. Make the most out of private sessions with external auditors by asking them difficult questions and observing their responses. Even their silence could give you an idea of what they have in their minds.

This is the reason why audit committees must develop robust criteria for selecting external auditors. The criteria should cover who the engagement partners are, their background, their involvement in the whole audit, the audit team and their credentials, and the value which the audit firm could bring to your enterprise beyond its opinion on your financial statements. In considering fees for the auditor, please bear in mind the consequences of a bad audit to your enterprise and yourself as a director.

What will make things work?

It is critical to have people in risk management and audit who have the competencies and experience to deal with VUCA. While risks or failures of control would be more visible at the tactical and operational levels, strategic failures would be more catastrophic to enterprises. These people should understand strategic issues and be able to connect them to emerging trends and form views on their impacts. The challenge has always been to find, recruit and retain such individuals, as many other organisations would be trying to entice them as well. One way of addressing this is to have good talent development programs and succession planning.

Boards should also enquire whether management has allocated enough resources for risk management and internal audit to function effectively. In this day and age, investment in technological tools would not only help them to be more efficient but they could add more value to their work which would eventually enhance the quality of risk management and governance at the enterprise level. There would always be conflicting demand for budget and the natural bias towards value creating and money making activities should not be underestimated. This is where the board or relevant board committees could step in to ensure investment decisions are made from the enterprise perspective, balancing between profits and risks and to enable risk management and audit to function effectively.

Amongst the inherent risks in developing strategies, assessing and managing risks, and assessing the effectiveness of controls are the reliability of the assumptions and judgments which form their foundation and the quality of the data and information used in the whole exercise. In some cases, these factors seemed to be overlooked, with severe consequences when the risks around them eventually crystallised. Management should ensure the integrity of data and information used in their planning and decision making processes. All assumptions underpinning strategies and models used should be tested to ensure their reliability. On the other hand, professional skepticism must always be applied when dealing with strategic issues. This is not to suggest that all premises of decisions must be challenged, but key elements of those decisions, especially assumptions and models, must be robustly scrutinised by all the parties who have to deal with those decisions.

For all the functions above to work properly, a culture of trust and openness is crucial. People should be allowed to share their opinions, views and perspectives without subsequent repercussions. Knowledgeable and experienced people should be able to externalise their tacit knowledge, which is only possible through interactions. Without such trust and openness, the real value of having these check and balance mechanisms would not be realised in full. Hence, such a culture must be shaped by the board in its deliberations and when dealing with management and other parties. This will be closely watched by the rest of the enterprise and it will eventually shape the culture of the whole organisation.

Culture, the new mystery

Since the aftermath of the 2008 global financial crisis, one of the areas which has become the focus of regulators worldwide is organisational culture. This includes the consequences of remuneration to risk-taking, especially by executives and traders of financial market players.

This is not an easy topic to deal with, but it has been demonstrated that culture influenced the risk profiles of organisations, as “the way things are done here” had greater influence than the values statements hung on the walls of those organisations. In addition to imposing hefty fines, some regulators have revised their governance expectations and started reviewing the culture of institutions under their supervision.

The above development should not be overlooked by the risk and audit functions of organisations. The nexus between culture and risk has to be understood, assessed and managed. If the risk is material, internal audit should have their eyes on the issue of culture as well. Do we really have a good understanding of our organisational culture, its impact on our organisations and how to influence culture so that it becomes our pillar of strength? This is a mystery which will be the focal point of regulators until they are comfortable that enterprises are managing human behaviour properly and would not pose a threat to the stability of the market.


Vulnerability, Uncertainty, Complexity and Ambiguity are realities which enterprises have to deal with in continuing as sustainable value creation vehicles for many stakeholders. Such realities require risks to be managed with more understanding while allowing enterprises to be innovative and nimble. While technology would enable better oversight, the influence of culture should not be underestimated. Risk management and audit functions have to step up, remain relevant and be counted. 


This article was published in The Hawkamah Journal, a Dubai-based magazine.
