Risk Management Practices and the Role of Internal Audit by Ravindran et al - Article Example

Name Professor Course Date Ravindran, V, Ahmad, H, Mohapatra, P & Choksy, S. Risk management practices and the role of internal audit. Research Report, 2015. This paper critically assesses the article by Ravindran and associates, and provides an overview of the article. The report is portioned into well-organised sections that provide insights into risk management and the role of internal audit functions in risk management. Section one entails the introduction that highlights the need for the research, research objectives, research methodology and an overview of the report. Ravindran and associates assert that economic interconnectedness and globalisation has altered the risk landscape an aspect that makes organisations to invest in enhancing risk management practices. These practices are essential as they help firms to address the ever-growing challenges and uncertainties facing them. Successful firms have plans in place to manage risks. As a result, it is essential for organisations to employ robust mechanisms to determine, evaluate and productively respond to the risks. This requires firms to embrace ERM (enterprise risk management) that allows them to control unacceptable risks and capitalise on the right risks to augment their competitive advantage. Ravindran and associates explores risk management practices and the role of internal audit to ascertain the role of internal audit functions with respect to risk management. The authors underscored several practical objectives that were attained through an online survey conducted by UAE-IAA. The survey involved ninety participants from different firms across UAE. Risk Management in the UAE This is the second section of the report that highlights the state of risk management in the UAE. The authors found out that majority of firms in the UAE do not consider the significance and the call for risk management. Only 77% of the involved firms have implemented a risk management program partially or completely. Fourteen percent of the organisations surveyed confirmed a need to introduce a formal risk management in the future. Less than one third of firms in UAE have a fully implemented risk management program. However, these firms do not have crucial processes and elements needed to ensure effective risk management. Approximately nine percent of firms hold no formal program and do not demonstrate any sign of implementing such a program in future. This is a clear indication that firms understand the significance of risk management but risk management has not fully matured in most firms. The authors affirm that firms should start adopting a more formalised perspective towards risk management (12). Based on different sectors, energy/oil sector, government institutions and aviation sector appears to adopt a formalised approach to management of risk. The variation between industries is because of the level of risks and regulatory supervision for diverse industries. The article confirms a positive link amid maturity of risk management and the years of existence of internal audit functions. In 62% of firms with risk management, internal audit has been in place for over six years. This demonstrates that the presence of internal audit function helps organisations to develop the interest and direction needed to enhance governance, controls and risk management. In firms that lack a risk management systems, internal audit uses risk assessment as a way of enabling the firms to centre on major issues and develop risk management process. Ravindran and associates confirmed that the size of an organisation does not affect risk management maturity (13). As regard challenges affecting risk management, the article confirmed that the perception of the management is a major factor that hinders implementation of risk management in firms. Lack of sponsorship by board members besides lack of knowledge regarding the benefits and value of ERM are key challenges that affect the implementation of risk management. To overcome these challenges, CAEs should enlighten and educate executive management and the board on the need and significance of risk management. External advisers can also be used to obtain the support of the board and the executive management. Ravindran and associates assert that firms operating in the financial sector adopt appropriate risk management practices because of strict regulatory needs. Therefore, firms that are not subject to strict regulations face challenges when implementing risk management. To address these challenges, Ravindran and associates affirm that it is crucial to demonstrate the importance of ERM to gain the support of executive management. This requires CAEs to present findings on potential and existing gaps in risk management and stress the call for a formalised approach to handle risks. However, the CAEs require effective communication skills that facilitate effective selling of risk management concepts to the executive management. Risk Management Framework and Governance This is the third section of the article and it examines major drivers of risk management. Ravindran and associates explore introduction of risk management programs and how these programs are structured in UAE firms. According to the authors, senior management support, internal audit’s efforts to execute risk management and board’s awareness and enforcement of risk are the key drivers of implementation of risk management. These results were realised from an assessment involving 69 firms that have fully or partially implemented risk management processes. Apparently, risk management is a major area of interest for board members in firms that have implemented risk management processes. On the contrary, in firms that lack risk management, board support is minimal. This clearly indicates that sponsorship by board is a determining aspect for the maturity and success of risk management. In approximately 67% of the firms surveyed, the effort of the internal audit facilitates implementation of a formal risk management program. Despite the fact that strict regulation in firms operating in the financial sector contribute greatly to the implementation of risk management, Ravindran and associates confirmed that regulation is not a crucial driving force for risk management (18). More so, financial crisis does not influence implementation of risk management. External factors of do not influence implementation of risk management in firms. As a result, implementation of risk management is not viewed as a compliance exercise or a response to risk events or major failures. The article confirms that developing a risk management program is an intricate procedure. A productive risk programs must have a powerful and apparent definition of the basic elements that include risk management blueprint, procedures and policies, risk oversight authority, risk appetite, regular communication from the top management and major risk indicators. While risk appetite is a key factor in the implementation of risk management programs, very few firms in the UAE have well-defined risk appetite statements. According to Ravindran and associates, lack of risk appetite statements mirrors the intricacy and evolving temperament of risk appetite statements (18). Risk appetite should be defined at a strategic level and may utilise qualitative or quantitative definitions to determine levels of risk tolerance. To ensure effective implementation of risk management, development of risk culture is essential. Risk culture entails the conduct of individuals within a firm particularly, how they respond to risks. Therefore, the productiveness of risk management is influenced by a firm’s philosophy and approach towards risks. However, frequent communication programs help in developing the tone at the top across firms to develop the correct risk culture. In the UAE, only 52% of firms hold a regular communication program for risk management. Besides productive communication, it is imperative for firms to ensure the correct risk governance structure, implement regular training and develop policies on code of conduct and ethics. Internal audit can evaluate the risk culture of a firm and offer guidance on how to promote the correct risk culture. CAEs can promote the risk management blueprint through t risk management workshops or training involving executive management. Ravindran and associates confirm that the success of risk management depends on oversight authority that includes a firm’s board or a formal committee (22). The board helps in approving the risk blueprint and in assessing major risks in a firm. Involvement of the board is essential as it facilitates positive effects on the efficiency and maturity of risk practices. In this respect, 14% of UAE firms hold risk oversight authorities. Particularly, the board is completely accountable for developing the risk management program. The board is involved in the approval and review of the risk management blueprint, development of reporting structure and risk organisation. The board with the support of executive management and CAEs is tasked with ensuring that the risk program attains the requirements of the firm. As a result, the board should have directors with correct capabilities and skills. To ensure robust risk management practices, acceptable standards that include ISO 31000:2009, Risk Management Principles and Guidelines and COSO ERM Framework are used. The two standards offer guidelines for designing, executing and upholding a risk management program in a firm. With regard to UAE, a common blueprint used by organisations lacks because there is no regulatory requirements. However, over half of the surveyed firms used ISO or COSO standards. Risk Management Organisation This is the fourth section of the article and it explores that different approaches embraced by UAE organisations to help in the organisation of risk management activities. An effective risk management calls for the correct leadership. Ravindran and associates assert that one of the major issue facing firms is the comprehension of the functional heads required to lead the risk management efforts. The authors confirmed that CAE lead the risk management efforts in most firms. However, chief risk officers lead 25% of firms while chief financial officer leads 16% of firms. However, the perfect approach for risk leadership entails a committed senior executive role such as chief risk officer. Moreover, the leadership of risk management efforts depends on other factors such as the size of a firm, and the complexity and temperament of the risks. However, 88% of firms led by chief risk officers demonstrate good returns with revenue that exceeds AED one billion (25). More so, firms with mature risk practices are led by chief risk officers an aspect that indicate that it is more preferable to have chief risk officers lead risk management officers than having CAEs. However, in firms that have no formal risk management functions, CAEs should take the lead role. Functions that management risk and functions that oversee risks should not be combined to avoid conflict of interest. A distinction should be made amid different functions. The risk lead role should report to a correct authority level that offers sufficient independence to facilitate transparent communication on risk. There are different approaches and role for risk management responsibilities and activities structure. However, most firms in UAE use existing resources and teams to coordinate risk management activities. The survey indicate that there is no a committed risk function in 57% of firms with risk management processes thereby making internal audit function or risk experts to facilitate risk activities. In rare occurrences, firms use services of third party service providers and when used they are used to support the existing teams that facilitate risk management practices. Most firms implement risk management function to support and oversee effective management of risks. Risk Management Implementation Practices This is the fifth section of the article that highlights the activities and processes that takes place in firms while rolling out risk management efforts. Ravindran and associates define risk management processes as the combination of different activities and steps that a firm undertakes to identify, evaluate, prevent and report risks. The risk management processes include risk identification, risk assessment and prioritisation, risk treatment, escalation of risk acceptances, risk reporting and constant update of risk assessment. With respect to firms in UAE, identification and assessment of risks have been implemented by around 80% of the assessed firms but other crucial activities such as risk treatment, escalation and reporting are not implemented in many firms. Only 20% of firms have all the major processes involved in risk management. As a result, CAEs and internal audit should facilitate implementation of all the risk management processes. Particularly, risk reporting should be transparent and can include risk registers, risk heat dashboards and risk indicators. With regard to risk management integration, only three firms of the surveyed firms had embedded risk management in their major business areas. Overall risk management integration is developing. Technology is promoting the abilities of risk management with systems offering powerful capabilities for analysis, reporting and monitoring of risks. However, over 57 percent of firms do not used dedicated IT systems for risk management. Notably, use of IT promotes alignment of people, processes and technology. To address fraud risks ethics and code of conduct are developed. Role of Internal Audit in Risk Management This is the last section of the article and it highlights the role of internal audit in risk management. Internal audit promotes an effective and efficient risk management program. In addition, the internal audit offers independence and objective assurance to the senior management and board on the effectiveness of risk management, governance and internal controls. Because internal audit practises should correspond with the expectations of shareholders, the function receives directions from the board and executive management. The audit committees and boards seek internal audit’s recommendations regarding risk management. In 56% of the surveyed companies, the board requested assurance of the risk management from the internal audit function. The survey indicated that most firms depend on audit function to provide assurance and advice for improvement of risk management efforts. Additionally, the audit function facilitates establishment and implementation of a formal risk management program and offer advice and consultation on risk management. However, internal audit functions in UAE do not do well in their endeavours to contribute to development of risk management programs. Only 51% of UAE firms are involved in consultations linked to risk management. Internal audit functions have demonstrated the importance to provide assurance on overall risk management. With respect to facilitation and consulting activities, internal audit is involved in identification, assessment and reporting of risk. In this view, Ravindran and associates assert that the role of internal audit in UAE in enhancing risk management practices should be recognised. However, the audit functions should refocus their practices to strengthen risk management. Despite the crucial role of internal audit in risk management, lack of coordination and lack of sponsorship and support from top management besides lack of skills are major challenges that the audit function faces in its risk management efforts. In conclusion, Ravindran and associates explore and offer insights into risk management practices in the United Arabs Emirates. The authors also evaluate the role played by internal audit functions in risk management. They confirm that risk management is gaining attention in major organisations although the practices of risk management practices are still developing and have not yet matured. To attain their results, the authors surveyed ninety CAEs and leaders of internal audit working at firms in the UAE. The survey indicated that most firms lack understanding of the significance of risk management. The authors confirmed scores of challenges facing risk management efforts such as lack of sponsorship from executive management and boards attributed to lack of understanding. More so, in most firms, risk management are restrained to risk assessments with only few organisations in the UAE having introduced all the crucial processes and elements needed to allow a productive risk management program. Based on the result from the survey, internal audit functions are a major component that drives the risk management process. Despite lack of understanding and sponsorship from executive management, the article demonstrated that the executive management demonstrate willingness to enhance risk management practices through the support of the internal audit function. The authors conclude that internal audit capabilities should be enhanced to attain the novel demands from risk management linked roles. Work Cited Ravindran, V, Ahmad, H, Mohapatra, P & Choksy, S. Risk management practices and the role of internal audit. Research Report, 2015. Read More