“I’ve had a long career in internal audit, and I’ve always thought about the three critical success factors for internal auditors.
Yet, studies, some of which we’ll review today, show that internal audit, senior management, and boards still have a lot to learn regarding strategic risk management — not so much identifying the top 10 risks, but in implementing such risks into strategy and operations, creating dashboards to monitor both known and emerging risks, and building continuity or resilience plans, along with crisis management plans. That’s our topic today, particularly the strengths, weaknesses, opportunities, and threats that are presented through strategic risk management, and how we as internal auditors can build our brand and add value to the organization.”
“For the second or third year in a row, The IIA’s Pulse of the Profession acknowledged that as chief audit executives, they were not doing enough to add value and help mitigate cybersecurity as a significant risk to the organization. Something has to change, or the chief audit executive will be changed.
I’ll give you an example. Several years ago, a retail organization, The Facilities Group, decided that they could reduce costs and energy usage by bringing in a new automated HVAC system that was tied to the internet. They put all the paperwork together, sent the appropriation requests to the finance folks who signed off on the ROI. Not one person thought through the cyber implications, since the HVAC system was going to be connected to the internet. Nobody talked to IT or the cyber folks. When that system was breached by the cyber criminals, lots of people lost their jobs, including the chief audit executive.
A few months after that, another retailer had a cyber incident, but they didn’t replace their chief audit executive because that person had been pounding the table for months about the need for additional controls and leading practices regarding cyber. What the board learned was that they needed to listen more to the courageous chief audit executive who was bringing to their attention the risks and the solutions.
At Raytheon, one of the things that we learned is that when you read about these kinds of events, you need to stop and ask yourself, could that happen to your company? After that first event with the retailer, Raytheon’s IT organization, engineers, and internal audit started to think through, ‘how do we identify every single point of entry and exit between an office, a factory, any Raytheon location on the internet?’ We started to inventory every single one of those. We started to proactively address what we learned from that retailer. As internal auditors, I encourage you to study these failures outside of your organization, and step back and think about how it might affect you.”
“Regulators and shareholders are pushing boards hard. Why didn’t the board anticipate that risk that kept us from achieving the strategic plan? How did they miss it? How did they not react properly? Just think back to the Volkswagen situation or the Wells Fargo situation… People at the CEO level, at the board level, chief audit executives are losing their jobs because of these failures in risk management. And it’s up to us to start taking more action.
Risk is complex, and often interdependent on other risks. Let me give you another example. When the pandemic hit, the global auto industry felt sales were going to drop dramatically. So they immediately cut back in supply chain, all of their orders, including computer chips. Now, cars today have so many computers. It doesn’t matter if the car is complete, you can’t ship it without the computer chips. They assumed that when business picked up, they would just reorder them.
They didn’t realize that the semiconductor companies weren’t going to sit idle. They were looking for other ways to ship those chips to other people. The pandemic drove sales of iPads, and electronics, and iPhones, and games — so they started selling all that new excess capacity to other users. At the same time, the semiconductor industry faced several catastrophic failures that dramatically reduced capacity. When the auto industry came back and said, “We need those chips,” they couldn’t get them. Estimates are billions of dollars in lost opportunity costs to the auto industry, as cars sit waiting for those chips. U.S. dealerships have between 20 and 30% of a normal inventory.
When we think of strategic risk management, boards are under the pressure to really think about the ramifications in the second and third order, and how they all relate together. When internal audit brings these issues to the table, when we can bring whitepapers and leading practices and help our organization think differently about strategic risk management and how to implement that properly, then we demonstrate our value to the organization, that we help the organization achieve its goals and objectives. It gives us the opportunity to change how people think about us, and provide the thoughts to help our company be more successful.”
“I think everyone should either have audited ERM in the last year or two — or if not, be doing it now. Start with a comprehensive audit of ERM and business continuity, including the benchmarking to frame your recommendations for improvement. It is so important. Too many auditors have said, “I don’t do an audit in ERM, because I don’t feel comfortable.” We can’t hide our eyes anymore. We need to use the advantages of whitepapers. Whitepapers lay out all the key issues. If you’re suggesting something be done, and they say, “Larry, what makes you think you’re right?”, it helps when I can show them four whitepapers from authorities saying, “That’s what needs to be done.” When I can show the board the kinds of questions they should be asking management, it makes a difference.”
“You also need to do a self-assessment within internal audit. Do you have the right skills? Do you have the right tools? Do you have the right resources? Because today, the skills we need for internal audit are different than just a year or two ago. And what we’re going to need in a year or two is very different than what we have now. We must become more dynamic. We must be able to utilize subject matter experts when we need them. Richard Chambers has said, “The worst question the audit committee could ask is, ‘Do you have enough resources?’” The better question is, “Based on the top 10 risks, what audits can’t you do because you don’t have the right people, or the right tools, or the right resources?” If we’re not having the discussion with the audit committee and with management, then when the problem comes, it’s on our shoulders for not discussing it, just like those two CAEs I talked about in retail regarding cyber.”
“Make sure you have a frank conversation, not once a year, but regularly, with the audit committee and management. At Raytheon, we used to meet four to six times a year in the audit committee. I didn’t just talk about the audit reports we just issued. Today, audit committees want you to look forward. I would use those meetings to talk about risk management, emerging risk, risk appetite, changes in regulations that could affect the company, fraud, culture within the company. I would do all that by sharing whitepapers. I would always have one or two whitepapers in every single pre-read material for the audit committee on these various topics. From The IIA, from Protiviti, EY, PwC, so many others. When you show them what the experts in that field are saying, it helps them recognize you as helping to educate them. If it’s someone who knows what’s going on, it helps them ask management the right questions. It allows us to partner with management and the audit committee to make sure the right things are happening.”
“If you were going to do an ERM audit, here’s how I would approach it today.
This is not an easy audit. In one sense, it takes some time and you need some subject matter experts. But there’s so much great information out there on every one of those bullets that you can educate yourself, and you can utilize analysis and resources to help drive the points. It’s not ‘Larry’s recommending this, and it doesn’t make sense.’ This is what PwC, EY, Gartner, and others have recommended. Well, it’s kind of hard to argue with all those people. Utilize those resources to help you grow.”
“I want to give you a few other examples of audits we’ve done within Raytheon.”
“I want you to think about how you can add greater value to yourself and to your organization.”
“This is the best of times for internal auditors. There is so much value that we can bring. When I was the chairman of The IIA, my whole theme was “Invest in yourself.” If we have everybody that works for us, investing in themselves on these key risk areas, if we hire people that have the skills that we’re lacking, we can truly build our brand. We can help our organization with strategic risk management. We can help make sure they build it into all of the business plans, and the strategic planning, and the goals and objectives. We can help them with continuous monitoring. We can do the audits of these key areas and bring to them innovation, the insight, the foresight, and the leading practices, so that our organization has a greater chance of succeeding, and exceeding shareholder expectations. I want all of you to recognize that if you’re not part of the change, then someone’s liable to change you. I want you to be that change agent that makes a difference. I am so proud to be an internal auditor. I spent my entire life, almost, in internal audit. I spent some time as VP of HR, VP of Operations, and VP of Finance as well. But most of it was in internal audit. It gives you an opportunity to leverage change across the entire organization.”
Looking for an even deeper dive into strategic risk management? Watch the related on-demand webinar. Stay tuned for more AuditTalk videos featuring audit community leaders about industry issues, insights, and experiences.