Here are the top five corporate risk management areas in need of improvement, according to more than 600 internal auditors:
1. Emerging risks;
2. Evaluating and changing risk appetite levels;
3. Setting risk appetite;
4. Defining risk appetite; and
5. Strategic risk.
This information ranks among the most compelling findings of Protiviti's 2011 Internal Audit Capabilities and Needs Survey, a 40-plus-page report released last week.
This “Needs to Improve” analysis represents a new category within a report that has appeared each of the past five years.
Emerging risks are just that: risks that have yet to fully materialize. Robert B. Hirth Jr., Protiviti's executive vice president and head of global internal audit, gives five examples: new industry rules; new business regulations (think Dodd-Frank); the impact of new technology (think smart phones); geopolitical upheaval (Libya's effect on oil prices); and natural events (the impact of the Japanese crisis on high-tech supply chains).
Hirth, whom I will interview about the study in an upcoming post, also says that the survey respondents' focus on risk appetite and strategic risk (which together relate to the risks companies choose to take on as the result of specific assumptions and certain organizational biases) reflects what he and his team recently have witnessed in the field.
The survey findings indicate that the following risk-management areas are performed with relatively high levels of competency (and therefore, are least likely to need improvement):
1. Process-level risk;
2. Functional-level risk;
3. Transaction-level risk;
4. Location-level risk; and
5. Operational risk.
Respondents also identify compliance risk for financial reporting, public company reporting of risk, risk avoidance and the evaluation of risk reporting (both at the operating unit level and at the senior management level) as areas of relatively high competency.
The fact that financial reporting risks are regarded as relatively low would suggest that internal auditors are impressed by the long hours their finance and accounting colleagues have logged in managing internal controls in accordance with Sarbanes-Oxley. This finding also suggests that GRC currently represents more of an efficiency effort, as opposed to an effectiveness effort, as it relates to financial reporting risk.