Internal Auditing & Business Risk | November 2005
Never ending story
Embedding risk management has been one of the hot topics in internal audit over the last few years. Two heads of internal audit share their experiences in implementing it across their organisations.
THREE YEARS AGO board members at the construction company Shepherd Building Group (SBG) decided it was time to get a better understanding of its approach to risk management at a company-wide level. Like many growing businesses, the £650m turnover company had operating divisions that had a great deal of financial and legal autonomy. As a result, the construction and engineering division, the manufacturing division and the property division each had its own approach to risk management. Between them they employed over 3500 people.
The group internal audit manager Mohammed Taj, who was then a recent appointment, was asked to look at ways of getting to grips with understanding how risk was currently managed and reported in order to develop a more unified approach that would be useful at group level.
“Once they could see the tangible benefits their colleagues were getting from it, they were keen to learn from each other”
Bottom up
“The group didn’t want to impose yet another thing from central management,” says Taj. “There was nothing inherently new in embedding risk management, except that it was a way of formalising and recognising processes that were already in place. That was my starting point.”
SBG took a bottom-up approach by initially focusing on the risks to its three separate divisions. This entailed internal audit facilitating risk workshops, reviewing business strategies, risk registers and risk strategies, but all of the actual work in collating this information was carried out by management – not by internal audit. Taj also drew on support from the group risk assurance manager, so resources were never a big issue.
“Companies felt more comfortable and more open to us because we included them in what we were trying to do and asked them for their help,” says Taj. He found that each division was at a different stage of development and implementation with its risk management. “Some had formalised risk registers and clear methodologies, others were a bit more hit and miss. Internal audit helped them to share best practice among the different divisions. Once they could see the tangible benefits their colleagues were getting from it, they were keen to learn from each other,” he says.
This initial review identified several holes in the policies and procedures of each division and also identified the common risks between them. A similar process was repeated at group level with the aim of identifying key risks and approving a risk register. Finally the board was able to agree the ten major risks SBG faced and there is now a group board statement about group risk management in the accounts.
“It wasn’t all plain sailing,” says Taj. “It was initially difficult getting full board backing from each company because some directors were pretty sceptical, even though others were quite forthcoming. Internal audit had to educate them about risk management and spell out their responsibilities as directors. I think you’ll always find the ‘old school’ of thought quite difficult to overcome at first.”
“We want people to look at both how to mitigate risks and how to think about them more positively if they perceive that there might be an upside”
Building
Taj said that all the individual companies and the main group company have started to embed risk management in much of what they do. They now review their risk strategies and risk registers on an ongoing basis. In doing so, his internal audit function can ensure that management is aware of all of the relevant commercial and operational risks; that an effective risk management strategy is defined, authorised and implemented; and that adequate control mechanisms are in place within each division to identify potential risks and ensure mitigating action is pursued proactively.
Undertaking these reviews has meant that the internal audit plan now reflects the key risks facing SBG. It has allowed internal audit to play a key role in highlighting the importance of risk at both group and divisional level, thereby pushing the issue of risk up the board agenda. Internal audit is now involved in risk reviews on projects and helps to assess risks associated with tenders for high-value contracts.
Taj has wondered whether it would have been better to approach the project using a more top-down method by focusing on the needs of the group first and, he says, he would have done a few things differently with hindsight.
“It would have been a great benefit to have had a half-day conference with every manager in the business right at the beginning of the process to point out the advantages of embedding risk management and to lay out the positive sides up front,” he says. “Some people just saw it as a layer of bureaucracy, just another piece of paper even at group level and we had to gradually overcome that through education.”
With risk awareness now high up on the agenda at SBG, Taj says that he is ready for the next stage, which is to encourage the group of companies to focus on the upside of risk and the opportunities that they create. “Now that risk management is an ongoing process we are developing it further and embedding it at all levels of the organisation,” he says. “We want people to look at both how to mitigate risks and how to think about them more positively if they perceive that there might be an upside. The question is now: how can we improve what we are doing in our daily work?”
Agnes Wilson, head of internal audit at the Open University (OU), also says that there is no such thing as a one-size-fits-all approach to embedding risk management. The OU is Europe’s largest university with 220,000 students, 287 undergraduate courses and 142 postgraduate courses on offer. She says that the OU had approached its programme to embed risk management by building on the existing risk management framework within the organisation in four main areas: annual planning, project management, business appraisals and committee papers.
Embedding
“Because we were able to build on existing processes and business procedures, what we were doing wasn’t really seen as an add-on,” says Wilson. “People were already used to doing business appraisals. But that doesn’t mean that we didn’t have to try to win over the hearts and minds of the staff here who have experienced a lot of change over the past few years. We didn’t want to add another level of change and become the straw that broke the camel’s back.”
Because the culture at the university had developed on the principle of openness, developing embedded risk management involved building some boundaries around the term to streamline the previously diverse approaches to risk management, says Wilson. She says that it had been important to keep in mind the differing interpretations of what risk meant in different parts of the organisation, at the same time as ensuring consistency of risk frameworks across the group.
“The biggest challenge has been dealing with the sheer variety of risk attitudes across a very diverse organisation,” she says. “Internal audit gave guidance for scoring risks, templates for the risk register and provided prompts for thinking about risk.” Previously, it had been difficult to compare risks across the 30 or so business units in the university.
One new initiative that Wilson has been involved in is the introduction of scenario planning in the risk management process. She says that this has helped simplify the future risk landscape by focusing on its main features. While this did not predict the future, it helped in enabling the organisation to decide on its future direction. This was then cascaded down to the units in the university, which used this centrally agreed strategic plan to help them develop their own individual plans.
“Embedding risk has meant getting it into the culture of the organisation, rather than allowing risk management to be an annual event,” she says. “The dynamic system that we are still developing has given the OU a sound basis for decision-making and contracting throughout the university. It means that those making decisions have more information at their fingertips. And we can provide evidence to funding councils that support the decisions we have taken. We are constantly learning from our experiences.”
“The dynamic system that we are still developing has given us a sound basis for decision-making and contracting”
Embedding risk management is still ongoing at the OU, she says. The current phase involved integrating risk management with human resources policies, which would be used in staff appraisal and development.
At both organisations, there have been problems to overcome, not least at the level of organisational culture. Both internal audit functions have spent time educating managers and directors about the benefits of good risk management and reminding them of their fiduciary duties. The embedding process has also been dynamic and ongoing, changing with new organisational initiatives and seeping down into every level of the business. It looks like it is going to be a never ending process.