Today’s risk professionals are at an important juncture: the ongoing global pandemic and its economic and social repercussions have highlighted weaknesses in enterprise risk management (ERM) and resiliency programs, in addition to placing pressure on revenues. Simultaneously, never before have there been so many emerging technologies to help the organization reduce risk management costs and improve risk data quality.
In this episode of AuditTalk, Larry Harrington, Former CAE of Raytheon Company, delves into how internal audit can proactively confront operational weaknesses, including:
- Getting up to date on industry analysis and thought leadership regarding the current risk environment — and sharing your learnings with the C-suite and board.
- Step-by-step guidance to build more effective resiliency plans and enterprise risk management programs for the future.
- Examples of how Raytheon addressed key risks — including corporate culture, sustainability, and digitization and technology.
Watch the full AuditTalk video, and read the can’t-miss highlights below.
Risk Management & 3 Critical Success Factors for Internal Audit
“I’ve had a long career in internal audit, and I’ve always thought about the three critical success factors for internal auditors.
- Doing the right audits at the right time. It doesn’t help to do the right audits at the wrong time, and it doesn’t help to not do the right audits.
- Providing insight, foresight, and leading practices on every single audit you conduct.
- Helping the organization you work for achieve its goals, its objectives, and its strategic plan.
Yet, studies, some of which we’ll review today, show that internal audit, senior management, and boards still have a lot to learn regarding strategic risk management — not so much in identifying the top 10 risks, but in building those risks into strategy and operations, creating dashboards to monitor both known and emerging risks, and building continuity or resilience plans, along with crisis management plans. That’s our topic today, particularly the strengths, weaknesses, opportunities, and threats that are presented through strategic risk management, and how we as internal auditors can build our brand and add value to the organization.”
Strategic Risk Management Challenge #1: “Where Was Internal Audit?”
“For the second or third year in a row, The IIA’s Pulse of the Profession acknowledged that as chief audit executives, they were not doing enough to add value and help mitigate cybersecurity as a significant risk to the organization. Something has to change, or the chief audit executive will be changed.
I’ll give you an example. Several years ago, a retail organization’s facilities group decided that they could reduce costs and energy usage by bringing in a new automated HVAC system that was tied to the internet. They put all the paperwork together and sent the appropriation requests to the finance folks, who signed off on the ROI. Not one person thought through the cyber implications, even though the HVAC system was going to be connected to the internet. Nobody talked to IT or the cyber folks. When that system was breached by cybercriminals, lots of people lost their jobs, including the chief audit executive.
A few months after that, another retailer had a cyber incident, but they didn’t replace their chief audit executive because that person had been pounding the table for months about the need for additional controls and leading practices regarding cyber. What the board learned was that they needed to listen more to the courageous chief audit executive who was bringing to their attention the risks and the solutions.
At Raytheon, one of the things that we learned is that when you read about these kinds of events, you need to stop and ask yourself, could that happen to your company? After that first event with the retailer, Raytheon’s IT organization, engineers, and internal audit started to think through, ‘how do we identify every single point of entry and exit between an office, a factory, any Raytheon location, and the internet?’ We started to inventory every single one of those. We started to proactively address what we learned from that retailer. As internal auditors, I encourage you to study these failures outside of your organization, and step back and think about how it might affect you.”
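The inventory described above, every point of entry between the internet and a location, is something internal audit can reproduce from perimeter rule exports and the asset register. The script below is an added example, not Raytheon’s or Larry Harrington’s code: it assumes a hypothetical rule syntax (`allow <src> -> <dst>:<port>/<proto>  # comment`) and a hypothetical asset register keyed by address, and all sample rules and register entries are constructed. It lists each internet-reachable entry point and raises the questions from the HVAC story: who owns it, was it ever reviewed by IT or cyber, and is it a service that should never face the whole internet.

```python
"""Inventory internet-facing entry points from perimeter rules and
cross-check each one against the asset register.

Added example, not Raytheon's or the speaker's code.  The rule syntax
("allow <src> -> <dst>:<port>/<proto>  # comment") and the asset register
format are hypothetical, and the sample data below is constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of perimeter allow/deny rules.
FIREWALL_RULES = """\
allow 0.0.0.0/0        -> 203.0.113.10:443/tcp   # corporate web portal
allow 0.0.0.0/0        -> 203.0.113.20:8080/tcp  # HVAC controller
allow 198.51.100.0/24  -> 203.0.113.30:22/tcp    # vendor jump host
allow 0.0.0.0/0        -> 203.0.113.40:3389/tcp  # ?
allow 10.0.0.0/8       -> 203.0.113.10:443/tcp   # internal users
deny  0.0.0.0/0        -> 203.0.113.50:25/tcp    # legacy mail relay
"""

# Constructed asset register: destination -> (owning function, security review on record).
ASSET_REGISTER = {
    "203.0.113.10": ("IT - Web Services", True),
    "203.0.113.20": ("Facilities", False),   # approved on ROI alone, never reviewed by IT/cyber
    "203.0.113.30": ("IT - Infrastructure", True),
}

# Sources already inside the perimeter; rules from them are not internet entry points.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Services that should never be reachable from any source on the internet.
HIGH_RISK_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP"}


@dataclass(frozen=True)
class EntryPoint:
    src: str
    dst: str
    port: int
    proto: str
    comment: str


@dataclass
class Finding:
    entry: EntryPoint
    scope: str                    # "any" (whole internet) or "restricted" (named external range)
    owner: Optional[str]
    issues: list = field(default_factory=list)


def parse_rules(text):
    """Return the allow rules as EntryPoint objects; deny rules are not entry points."""
    points = []
    for raw in text.splitlines():
        rule, _, comment = raw.partition("#")
        parts = rule.split()
        if len(parts) != 4 or parts[0] != "allow" or parts[2] != "->":
            continue
        dst, _, port_proto = parts[3].rpartition(":")
        port, _, proto = port_proto.partition("/")
        points.append(EntryPoint(parts[1], dst, int(port), proto, comment.strip()))
    return points


def exposure(src):
    """'any' for the whole internet, 'restricted' for a specific external
    range, None for a source that is already inside the perimeter."""
    net = ipaddress.ip_network(src, strict=False)
    if net.prefixlen == 0:
        return "any"
    if any(net.subnet_of(internal) for internal in INTERNAL_NETS):
        return None
    return "restricted"


def audit_entry_points(rules_text, register):
    """One Finding per internet-reachable entry point, carrying the issues
    an auditor would raise for it (empty list means nothing to raise)."""
    findings = []
    for ep in parse_rules(rules_text):
        scope = exposure(ep.src)
        if scope is None:
            continue
        owner, reviewed = register.get(ep.dst, (None, False))
        finding = Finding(ep, scope, owner)
        if owner is None:
            finding.issues.append("destination not in asset register")
        elif not reviewed:
            finding.issues.append("no IT/cyber security review on record")
        if scope == "any" and ep.port in HIGH_RISK_PORTS:
            finding.issues.append(f"{HIGH_RISK_PORTS[ep.port]} exposed to any internet source")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_entry_points(FIREWALL_RULES, ASSET_REGISTER):
        status = "OK" if not f.issues else "; ".join(f.issues)
        print(f"{f.entry.dst}:{f.entry.port}/{f.entry.proto:<4} from {f.entry.src:<16} "
              f"owner={f.owner or '-':<20} {status}")
```

On the constructed data the HVAC controller surfaces exactly as in the story: it has an owner in Facilities but no security review, while the RDP listener with a “?” comment has no owner at all. Internal-sourced rules are dropped so the output is only the perimeter, and a vendor-restricted SSH rule is listed without being flagged, which is the distinction between “reachable from somewhere outside” and “reachable from anywhere”.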
Strategic Risk Management Challenge #2: Anticipate risks that will keep the organization from achieving the strategic plan and key performance goals
“Regulators and shareholders are pushing boards hard. Why didn’t the board anticipate that risk that kept us from achieving the strategic plan? How did they miss it? How did they not react properly? Just think back to the Volkswagen situation or the Wells Fargo situation… People at the CEO level, at the board level, chief audit executives are losing their jobs because of these failures in risk management. And it’s up to us to start taking more action.
Risk is complex, and often interdependent with other risks. Let me give you another example. When the pandemic hit, the global auto industry felt sales were going to drop dramatically. So they immediately cut back all of their supply chain orders, including computer chips. Now, cars today have so many computers. It doesn’t matter if the car is complete, you can’t ship it without the computer chips. They assumed that when business picked up, they would just reorder them.
They didn’t realize that the semiconductor companies weren’t going to sit idle. They were looking for other ways to ship those chips to other people. The pandemic drove sales of iPads, and electronics, and iPhones, and games — so they started selling all that new excess capacity to other users. At the same time, the semiconductor industry faced several catastrophic failures that dramatically reduced capacity. When the auto industry came back and said, “We need those chips,” they couldn’t get them. Estimates are billions of dollars in lost opportunity costs to the auto industry, as cars sit waiting for those chips. U.S. dealerships have between 20 and 30% of a normal inventory.
When we think of strategic risk management, boards are under pressure to really think about the ramifications in the second and third order, and how they all relate together. When internal audit brings these issues to the table, when we can bring whitepapers and leading practices and help our organization think differently about strategic risk management and how to implement that properly, then we demonstrate our value to the organization, that we help the organization achieve its goals and objectives. It gives us the opportunity to change how people think about us, and provide the thoughts to help our company be more successful.”
Three Things to Consider Regarding ERM
1. Studies show most organizations can improve their understanding of key risks
“I think everyone should either have audited ERM in the last year or two — or if not, be doing it now. Start with a comprehensive audit of ERM and business continuity, including the benchmarking to frame your recommendations for improvement. It is so important. Too many auditors have said, “I don’t do an audit in ERM, because I don’t feel comfortable.” We can’t hide our eyes anymore. We need to use the advantages of whitepapers. Whitepapers lay out all the key issues. If you’re suggesting something be done and they say, ‘Larry, what makes you think you’re right?’, it helps when I can show them four whitepapers from authorities saying, “That’s what needs to be done.” When I can show the board the kinds of questions they should be asking management, it makes a difference.”
2. IA must have the skills, tools, and resources (including SMEs) to audit ERM and the key risks
“You also need to do a self-assessment within internal audit. Do you have the right skills? Do you have the right tools? Do you have the right resources? Because today, the skills we need for internal audit are different than just a year or two ago. And what we’re going to need in a year or two is very different than what we have now. We must become more dynamic. We must be able to utilize subject matter experts when we need them. Richard Chambers has said, “The worst question the audit committee could ask is, ‘Do you have enough resources?’” The better question is, “Based on the top 10 risks, what audits can’t you do because you don’t have the right people, or the right tools, or the right resources?” If we’re not having the discussion with the audit committee and with management, then when the problem comes, it’s on our shoulders for not discussing it, just like those two CAEs I talked about in retail regarding cyber.”
3. Conduct regular discussions with Management/Audit Committee beyond IA findings.
“Make sure you have a frank conversation, not once a year, but regularly, with the audit committee and management. At Raytheon, we used to meet four to six times a year in the audit committee. I didn’t just talk about the audit reports we just issued. Today, audit committees want you to look forward. I would use those meetings to talk about risk management, emerging risk, risk appetite, changes in regulations that could affect the company, fraud, culture within the company. I would do all that by sharing whitepapers. I would always have one or two whitepapers in every single pre-read material for the audit committee on these various topics. From The IIA, from Protiviti, EY, PwC, so many others. When you show them what the experts in that field are saying, it helps them recognize you as helping to educate them. If it’s someone who knows what’s going on, it helps them ask management the right questions. It allows us to partner with management and the audit committee to make sure the right things are happening.”
Key Aspects to an ERM Audit
“If you were going to do an ERM audit, here’s how I would approach it today.
- The first part of the audit would be focusing with management and the board on risk appetite, helping them understand what is risk appetite, what does it mean? What is the appetite of the organization? And how do we communicate that?
- The next part of the audit, and these would be done in conjunction with each other, asks how the board and management determine those top risks, often the top 10, and how they communicate those across the organization.
- Moving down to the next level, I would be working with management to determine how they get the top risks into the strategic plan, and into the goals and objectives for every single function. I would be talking to the people that run the incentive programs to determine whether those incentive programs are aligned. I would make sure that I’m talking about and auditing around the third parties — what controls do we have in place? What do we want to do in terms of management of third parties?
- How does management monitor these emerging risks? What dashboards do we have on the current risks, and more importantly, the emerging risks? I’d want to know that someone’s watching those, and they’re looking at how they interrelate to each other.
- I would also have a part of the audit that’s looking at the culture of the organization. How well is ERM understood across the enterprise, and how does it impact culture?
- Finally, what are we doing to transform the business, pre- or post-pandemic? How will that impact all of the above?
This is not an easy audit. In one sense, it takes some time and you need some subject matter experts. But there’s so much great information out there on every one of those bullets so that you can educate yourself, and you can utilize analysis and resources to help drive the points. It’s not ‘Larry’s recommending this, and it doesn’t make sense.’ This is what PwC, EY, Gartner, and others have recommended. Well, it’s kind of hard to argue with all those people. Utilize those resources to help you grow.”
Examples of How Raytheon IA Addressed Key Risks
“I want to give you a few other examples of audits we’ve done within Raytheon.
- Corporate Culture: In corporate culture, rather than do an individual audit, we came up with 10 questions that we thought were the right questions to ask. Are you afraid to speak up? If you’ve got an innovative idea, do you feel that you can present it, and people will listen to you? Do you understand the goals and objectives for your function or for the company? On every single audit we did, we would ask everybody we interviewed, from the lowest level to the highest level, these same 10 questions. We’d share the results with the people we were auditing. But we accumulated them over a three- or four-month period of time. Then, we’d sit down with senior management and the audit committee and share the results from a corporate culture standpoint. Do people really understand, from top to bottom, Raytheon’s goals and objectives, Raytheon’s mission? Do people feel as though they can raise their hand if there’s a problem? Do people feel as though their innovative ideas are being listened to? This is the way we handle corporate culture.
- Sustainability: Early on, we got involved in sustainability reporting. Raytheon was putting out sustainability reports as early as 2011 to showcase the things they were doing to reduce energy usage and water usage, or to improve our diversity statistics, et cetera. They put out a report the first year, and I recognized that none of that stuff was audited, not like the 10-K or the 10-Q or the financial statements. So I sat down with senior management and suggested that internal audit go in and audit each of the functions that provided the information. Make sure we had a documented process, that the collection of the information was accurate, and that we had the same kind of controls — because when we released that report, it was a public document that people were going to rely on.
- Digitalization and technology: The year before I retired, the company decided they wanted to eliminate all the manual transactions that people were doing in supply chain and in shared services, and replace them with bots. Then, they wanted to use people to analyze the output rather than create all the input. When they went out to bid, each of the companies that bid said that in addition to you and me, you need to have two other departments working with you. First, you need HR, because this is going to transform your workplace. And we need internal audit, because while Betty or Charlie might be able to do 100 transactions an hour, the bot’s going to do 10,000 an hour. So if we don’t get the controls right, if we don’t get the process right, if we don’t have someone like internal audit giving us that independent review, we could end up making a lot of mistakes on your behalf. So internal audit did a lot of work around the bots.”
Is Your Internal Audit Team Addressing Key Risks?
“I want you to think about how you can add greater value to yourself and to your organization.
- It starts with reading as many of these whitepapers as you can on ERM and on risk management. One of the advantages you have with a great organization like AuditBoard is they can help connect you with others like you. They, like The IIA, believe in progress through sharing. As a profession, people share audit programs, audit approaches, where the gold nuggets were hidden. If you haven’t benchmarked and audited your ERM process, you’ve got to do it. Leverage your experience, leverage the whitepapers, leverage your peers in AuditBoard. Ensure that your organization has a system in place to track the changes. Don’t be afraid to do it.
- Ask yourself if you’ve assessed your own function, the skills, the expertise, the resources, the subject matter experts, the tools. If you don’t have what you need, make sure every single quarter, when you’re talking to the audit committee, you’re sharing with them where your gaps are — and not because you’re greedy, looking for more people and more money. Because these gaps mean, “I can’t do these kinds of audits.”
- Change your conversations with the audit committee to not just be, “Here’s the audit reports I issued this quarter, and this is what they mean,” but talk about key risks, emerging risks, leading practices, what’s going on with cyber, regulatory changes, fraud. Demonstrate to them that internal audit is on top of all of these key risks. We’re spending our time understanding what’s happening, where the gaps are across the industry, where the leading practices are, and we’re a champion for change.
- Make sure that you incorporate the ERM considerations into every audit you do. If you’re going to audit something in accounting, you’re going to audit something in the supply chain, understand, “what were the key risks? How did they get flowed through to the goals and objectives? How are they being managed?” as part of your audit. It’s not just about internal controls. It’s about helping your organization achieve its goals and objectives.
- Ask yourself, are you doing enough in cyber, third-party risk, or business changes as a result of the pandemic or disruptive technologies?”
A Call to Action for Internal Audit
“This is the best of times for internal auditors. There is so much value that we can bring. When I was the chairman of The IIA, my whole theme was “Invest in yourself.” If we have everybody who works for us investing in themselves on these key risk areas, if we hire people that have the skills that we’re lacking, we can truly build our brand. We can help our organization with strategic risk management. We can help make sure they build it into all of the business plans, and the strategic planning, and the goals and objectives. We can help them with continuous monitoring. We can do the audits of these key areas and bring to them innovation, the insight, the foresight, and the leading practices, so that our organization has a greater chance of succeeding, and exceeding shareholder expectations. I want all of you to recognize that if you’re not part of the change, then someone’s liable to change you. I want you to be that change agent that makes a difference. I am so proud to be an internal auditor. I spent my entire life, almost, in internal audit. I spent some time as VP of HR, VP of Operations, and VP of Finance as well. But most of it was in internal audit. It gives you an opportunity to leverage change across the entire organization.”
Looking for an even deeper dive into strategic risk management? Watch the related on-demand webinar. Stay tuned for more AuditTalk videos featuring audit community leaders on industry issues, insights, and experiences.