Have you heard of the "domino effect"? It's the reaction produced when one event sets off a chain of related events. A good example of this is literally setting up a chain of dominos to see how many you can add and how far the chain will go. I used to do this as a kid. I'd set up dozens of dominos in different formations and then I'd add ramps, jumps and other obstacles to see how far I could take it and how cool I could make it. However, if a ramp or jump was off a little bit or if any of the dominos were out of line, the dominos would tumble over to the side and I wouldn't get the full effect. Looking back, it took creativity and some foresight to really plan out an awesome domino chain. If I had to translate this into business terms, I'd say the key to success was alignment, coordination and having a strategy.
So, what does this have to do with Internal Audit (IA) and Operations Risk Management (ORM)? I'll draw an analogy - IA and ORM are the dominos. The better aligned they are, the better the end result is going to be in terms of identifying and managing risk. The strategy is having the right pieces and steps to the process in place. For example, this chart to the right shows those pieces in the ORM lifecycle, starting with the strategy at the top, and having the right organization, a framework and execution.
Marshal Toburen, GRC Strategist for RSA Archer, said in a recent OCEG webcast, "Too many organizations are implementing risk management in bits and pieces and in differing ways in silos across their organization. Operational risk management suffers when these silos don’t communicate and when they put together an incomplete and inaccurate picture of risk."
Why is it that most organizations have this disjointed and incomplete picture of risk affecting their organization? Here's just one example. In the majority of organizations we work with, IA is separate from ORM organizationally. That's not a bad thing in and of itself. However, in most cases, not only are they separate, but their methodologies and approaches to identify and evaluate risk are different. Both ORM and IA groups may have valid approaches, and they may even communicate and compare results, but it's cursory, and comparing results from their different approaches is like comparing apples to oranges. Or, they may be doing many of the same things, like identifying, evaluating and measuring risks and finding ways to mitigate them, but they're not working together. The dominos in this example aren't even in the same line! To make the dominos fall correctly, IA and ORM should be working in tandem and with business owners (1st line of defense) to implement risk approaches, coordinate efforts, report results and follow up on issues. IA can and should have some level of independence, but they should also consider aligning their approaches with their ORM group based on regulations, best practices and industry standards.
Creating this formation of dominos isn't going to get any easier. As a kid when I'd set up the dominos, I always had to keep an eye on my little sister who took great delight in knocking over my grand creation. Like that threat I faced, according to the American Institute of Certified Public Accountants, 83% of organizations surveyed have seen the volume and complexity of risks increase over the past five years. In addition, 20% of these organizations have seen the volume and complexity of risks extensively increase over the past five years. As complexity of risk increases, our approaches to evaluate and mitigate risk must also rise to the challenge.
Just as creating the perfect domino chain takes a lot of practice, so does creating an effective, aligned risk approach and partnership between business owners, IA and ORM. Think of it in terms of a maturity spectrum: on one end, the groups don't even know the others exist; on the far end, they work in perfect harmony. Every organization is at a different place on that spectrum, but what's important is to know where your organization is today versus where it needs to get to. Devise a plan and begin to make progress - any amount of progress is good. Consistency through practices, technologies, communication, dissemination, training and personnel will also build trust and better reliance between the three lines of defense.
I'm interested in your thoughts! Add your comments below or email me at Patrick.firstname.lastname@example.org. Also check out the latest Gartner Magic Quadrant for Operational Risk Management for more information.