An organisation that understands its risks, understands its opportunities. If it does not know its risks, it doesn't know the risks it can accept, it doesn't know the risk to take, it doesn't know how to grow and, sooner or later, it will wither away.
When Harold Macmillan (UK Prime Minister 1957-1963), was asked by a journalist what can most easily steer a government off course, he answered ‘Events, dear boy. Events’. Times don’t change; investors and directors don’t like unexpected events. This is why organisations need to determine the risks which might give rise to these events and, in some cases, disclose them.
How does any organisation able to control events and seize opportunities?
By understanding the risks it faces;
The risks it is prepared to accept;
The action necessary to manage those risks it is not prepared to accept.
What is RBIA?
Risk-based internal auditing (RBIA) is one of many opinions provided to the board, and audit committee, on corporate governance.
IIA defines risk-based internal auditing (RBIA) as a methodology that links internal auditing to an organisation's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.
In implementing RBIA, the assurance required by the board from various functions will have to be taken into consideration, and this should be reflected in the internal audit’s charter. It is the internal audit department’s responsibility to fulfil the board’s requirements; and it is the board’s responsibility to fulfil the requirements placed on it by legislation.
The advantages of RBIA
Your organisation has objectives and risks threaten the achievement of these objectives. Your organisation reacts to these threats by introducing internal controls. The Board, therefore, need to know that these internal controls are reducing the risks to a level that they have approved.
By following RBIA internal audit should be able to conclude that:
Management has identified, assessed and responded to risks above and below the risk appetite
The responses to risks are effective but not excessive in managing inherent risks within the risk appetite
Where residual risks are not in line with the risk appetite, action is being taken to remedy that
Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively
Risks, responses and actions are being properly classified and reported.
Is Your Organisation Ready?
Every organisation is diffe- rent, with a different attitude to risk, different structures/processes/language. Internal auditors need to adapt this idea to the structures, processes and language of their organisation to implement RBIA.
If the risk management framework is not very strong or does not exist, the organisation is not ready for RBIA. More importantly, it means that the organisation's system of internal control is poor. At this point, you can consider using a third party to assist with the development of a control system, or you can use a third party to perform internal audit functions and provide guidance on the development of audit control processes.
RSM is one of the leading trusted partners in providing risk management services, internal audit consulting and building internal control processes.
Key points
RBIA enables internal audit to provide assurance on the risk management processes both their design and how well they are working, and management of those risks classified as ‘key’, including the effectiveness of the controls.