Risk Management Practices and Role of Internal Audit - Example

Summary of “Risk Management Practices & The Role of Internal Audit” Student’s Name Institutional Affiliation Report Methodology & Objectives The report starts off by stipulating the manner for which modern organisations have continued to ensure that the put in place a rigorous campaign and framework to aid with the identification, assessment and effective ways of responding to underlying risks as well as the ever-changing risk patterns (UAE Internal Audit Association, 2015). It further notes of the important role played by internal audit functions to foster an organization’s immediate risk undertakings. The focus of the report is specifically narrowed down to the ascertainment and assessment of risk management practices in UAE non-financial based institutions. In essence, the report’s main objective rests with gathering enough information related to the existing risk management undertakings in UAE non-financial sector as a way of availing relevant benchmarking materials as well as note prevailing chances needed for improvement by Chief audit executives and thus, enhance stringent relation with stakeholders regardless of the ever-changing business scenarios as well as risk dynamics for that matter (UAE Internal Audit Association, 2015). Information used to prepare this report came from an online survey administered to at least 90 participants that headed internal audit functions in UAE non-financial based companies. Responses from the survey were later cemented with face-to-face interviews with these heads of internal audit. Findings In regards to the state of risk management in the UAE, the report finds that a significant percentage of the organizations pay attention to the immediate importance of a need for an effective risk management practice in operations. Statistically, about 77% of all entities surveyed indicated that they enjoyed a risk management program while 14% were considering implementing in a near future (UAE Internal Audit Association, 2015). However, out of the 77%, only a third had a fully-operational program but with minimal or no specific critical components and processess in place. About 9% indicated that they had no intention of engaging in risk management practices despite operating under a huge financial budget (UAE Internal Audit Association, 2015). From this case, it can be noted that while most of these firms especially those dealing in oil & gas, aviation and government-based institutions, have ensured to adopt risk management practices, the activity is still not mature enough hence a need for embracing a much formalized risk management program (UAE Internal Audit Association, 2015). Notwithstanding, while there was a positive relationship that could be established between internal audit and risk maturity, there was none that could be found in relation to organization size and risk maturity. Efforts put in place to establish notable challenges in risk management indicated that the management misperception that they were already engaged in dealing with risks formed an enormous percentage (UAE Internal Audit Association, 2015). Other forms of challenges include; the lack of the board or executive sponsorship and, also a failure by management to perceive the need for a benefits to cost or rather the value of ERM program. It is argued that since support from the board or executives is necessary, the better way of overcoming their lack of fostering risk management programs could be to create awareness through educational initiatives aimed at enlightening them on the need for a fully-fledged risk management (UAE Internal Audit Association, 2015). The support can further be garnered through a clear and concise demonstration of value of risk management especially since most of the non-financial organizations in the UAE are not regulated in any given way. In fact, a training program is recommended by the CAE to demonstrate the core importance of embracing an effective ERM like value protection, increased profitability and also improved efficiency. Subsequently, the report identifies three major drivers for risk management that include; senior management support, internal audit’s efforts needed for the implementation of a risk management practices and executives or boards’ total comprehension and promotion of risk management. The framework for risk management calls for such aspects as a risk oversight authority, risk appetite, regular communication by senior managers amongst others. In UAE, at least 64% of companies indicated that they had implemented a formal risk policy and procedure framework while only 50% noted that that they enjoyed oversight authority (UAE Internal Audit Association, 2015). While risk appetite is deemed to be an important aspect in risk management, few UAE firms tend not put much emphasis in it since there are barely no standards attributed to the aspect. For instance, only 30% of all entities interviewed indicating that they enjoyed a definitive risk appetite framework. Thus, this unfavorable percentage calls for the strengthening in order to retain right degree of risks while at the same time prevent possible blind risk taking. Notably, the process of building a risk culture in the UAE calls for the formulation of workable philosophies and techniques towards risk assessment; this can be effectively executed through regular communication of risk management by boards and executives (UAE Internal Audit Association, 2015). Currently, only 52% of all UAE companies engage in regular communication of risk management, which calls for CAE to provide guidance on the management on the need for promoting an effective and reliable risk culture. Other notable areas that are proposed to effect an effective communication program include; proper risk governance frameworks and regular training of existing employees. In this regards, it can be established that most of UAE entities possess enormous perspectives needed for formalizing as well as strengthening a major structure for risk management within the confinements of a given organization. In regards to risk management oversight, the report findings indicate that a significant portion; 34% of entities are overseen by board audit committee while about 14% of them possessing other forms of risk oversight authorities like management committees or even functional heads (UAE Internal Audit Association, 2015). Just as in the UK, UAE board are also called to engage in the formulation and implementation of risk programs, determination of risk appetite, as well as the monitoring of the adequacy of the overall risk management program. In fact, according to Adele Westcott-Director Internal Audit at the Environment Agency, boards should be focused on reviewing and approving possible risk management framework as well as coming up with effective risk organizations and reporting mechanism (UAE Internal Audit Association, 2015). Of particular interest, the effectiveness of these boards is subject to the composition of directors with the right form of skills and capacities. In relation to the two global benchmark frameworks for risk management; that is, ISO 31000:2009 and COSO Enterprise Risk Management-Integrated Framework, none of them is adhered in the UAE sector (UAE Internal Audit Association, 2015). The failure to adapt to either of these standards is due to a lack of proper regulatory requirement to follow either of the standards. In truth, only 15% of all UAE entities within the non-financial sector adhere to a hybrid integration of COSO and ISO framework. The process of identifying the risk management organization in UAE indicated that the lead role for risk management within their entities involved mainly the chief audit executive with 34% of the entities conforming to the framework in comparison to only 25% of these entities being lead by chief risk officer (UAE Internal Audit Association, 2015). The report calls for these entities to establish a dedicated risk leadership as opposed to a single person playing a dual role like in the case of the chief audit executive. However, it is noted that larger entities with revenues exceeding AED 1 billion already have conformed to this calling for purposes of leading risk efforts. In most of UAE entities, the process of coordinating risk management is merely focused on leveraging on the underlying teams as well as resources given that there lacks a dedicated risk functionality in more than 57% of all interviewed companies (UAE Internal Audit Association, 2015). For such case, risk management activities are fostered by internal audit functions within the entities or the use of risk champions that are deployed within each of the business units. In other cases, regulations or rather ISO compliance functionalities helped to take care of the risk management processess (UAE Internal Audit Association, 2015). Notwithstanding, larger companies that showed sophisticated risk profiles engaged in the adoption of independent risk teams. Apart from company size, the nature of corporate structure also determined the kind of risk management to be embraced. In the case of risk management implementation processess, it is noted that most of UAE entities are still struggling to attain a minimum threshold. While the process concerned with the identification and assessment of risk are highly positioned at 80%, other crucial components of the overall implementation process like risk treatment, escalation and reporting has not been adopted in most of the organizations within the UAE as a whole (UAE Internal Audit Association, 2015). Markedly, the survey results postulate that most of these companies operated under a limited risk assessment structure. It thus goes without saying that CAE should make stringent efforts to provide a workable recommendation as well as support mechanism that seeks to implement such processess as internal audit function take a leading role to highlight areas that are not properly controlled and, which should provide necessary enforcement of development of risk response plans. Any form of risk acceptance should be presented to the board/audit committee or even the risk oversight committee (UAE Internal Audit Association, 2015). The update of risk assessment exercise indicate at least 30% of the UAE entities do it annually while 25% conducted it on a quarterly basis. Intrinsically, at least 84% of the entities utilized both a qualitative and quantitave criterion, which is indeed very practical in nature given that pure qualitative approach would be a challenge to adopt. The risk reporting mechanism in the surveyed UAE entities indicated that 74% used risk registers to highlight top priority risks as 48% used risk heat mappings or rather dashboards. KRI are utilised by 29% of the companies while robust quantitative risk exposures are reported in very fewer entities. Thus, it is noted that there should be intensive methodologies that should be adopted that can appraise key risks and, which can involve sufficient amounts of information to trigger effective decisions or matters related to risk. Consequently, these entities should fairly comprehend board’s immediate expectations on risk reports as being important and also challenging in design and reporting process (UAE Internal Audit Association, 2015). Despite there being a rising demand for risk management as well as a requirement for skills and expertise, 60% of all UAE entities do not utilize services provided for by external third parties due to limited budgets as well as an already workable in-house teams. In relation to risk management integration, it can be noted that not so many UAE entities have successfully integrated risk activities into such relevant business processess as strategic planning(45%), performance measurement and reward(14%) as well as critical decision making(38%). It is noted that only in 3 of the surveyed companies is risk management incorporated into all of the aforementioned crucial components (UAE Internal Audit Association, 2015). This is an indication that risk management integration efforts are only but evolving within the UAE as a whole. The adoption of technological advancements is deemed necessary in promoting capacities of risk management. However, it is established that majority of UAE entities do not adhere to this aspect while a smaller percentage of these firm using risk management systems incorporated with their respective ERP frameworks. In a nutshell, the report indicates that most of these UAE entities promote risk management practices however; they are still evolving and have matured enough. Suffice to say, the report also notes that there is a significant level of understanding on the immediate importance placed on risk management (UAE Internal Audit Association, 2015). A perfect area that portray imminent level of challenges facing effectiveness of risk management efforts rests with the poor support mechanism from both boards or even executive management, which is mostly associated with their lack of awareness. Subsequently, in most of the surveyed entities, it is established that risk management efforts are only limited to risk assessment while a few of them engaging in incorporation of all components needed for effective risk management initiative (UAE Internal Audit Association, 2015). A single positive and distinctive feature from the survey ascertains that internal audit functions play a significant role in catapulting risk management processess. Lack of support from the executives or boards can be offset by provision of relevant education and awareness program. References List UAE Internal Audit Association 2015 Risk management practices and the role of internal audit: A UAE perspective on non-financial institutions. Retrieved on November 23, 2015 from http://www.internalauditor.me/jomiz-ia/wp-content/uploads/2015/03/UAE-IAA-RM-Practices-Role-of-IA-March-2015.pdf Read More