648320 Board Driven Internal Audit and Erm

Q&A: Board driven internal audit and ERM: next generation assurance

Q: Are we saying the internal audit dept. is losing value?

A: My analysis is that if internal audit continues to perform traditional “direct report” audits and provide subjective opinions on control effectiveness, they are not providing what their primary client, the board, needs to discharge their responsibility to oversee management’s risk appetite and tolerance. This means they risk becoming increasingly irrelevant.

Q: Can you please provide some practical examples of residual/retained risks that IA or ERM is not considering?

A: Currently it’s my experience that few internal audit departments complete formal risk assessments on their company’s top strategic objectives. I am currently working with a London financial services firm on a risk assessment of a publicly stated objective of producing long term returns to shareholders 5% above specified market indices. In traditional IA areas like reliable financial statements I see few IA departments that report to boards on the income statement/balance sheet/notes with the highest composite retained risk positions.

Q: Do you ever see the IIA adopting something akin to the approach to board driven / objective centric internal audit and ERM that you're outlining here? IA depts. will be driven by the standards and approaches handed down by IIA.

A: It’s true that the IIA standards are still largely founded on the traditional direct report/subjective opinions on control effectiveness paradigm. This is changing, but very slowly. The new IIA IPPF Standard 2120, requiring IA to report on the effectiveness of risk management processes in totality, and the launch of the CRMA certification are positive developments. Richard Chambers and the new IIA Chair Paul Sobel are both calling on the profession to change, but it’s true the majority of standards are still largely supportive of status quo IA approaches. The IIA has provided me with opportunities to present the board driven/objective centric IA paradigm at conferences and via webinars. I am cautiously optimistic the IIA will officially recognize that traditional IA approaches are not well suited to meet emerging board risk oversight expectations. I encourage you to view the Oct 8 2013 IIA webinar I presented. It can be found at: http://bit.ly/1gIueQk

Q: Are there any successful large organisations that do not practise risk management?

A: Many organizations that have suffered debilitating losses were considered by many to be “successful” before the event(s) occurred. All organizations manage risk. The challenge today is to be able to demonstrate to a third party that the company and the board have effective risk management and governance. Surveys and my own observations suggest there is a lot of room for improvement. Watch for a new Conference Board Director Notes article that I am working on with Parveen Gupta. It’s scheduled for release in December. A draft can be downloaded from www.riskoversight.ca.


Internal audit and ERM that is managed and controlled by the board

Transcript of 648320 Board Driven Internal Audit and Erm


Q: How can we reduce the business risk in the Call Centre or Web Based Marketing Industry in companies like Digital Globe Services Inc.?

A: Although a lot of the focus has been on reforms in the financial services sector, I believe all for profit and not for profit sectors would benefit from the approach to ERM and internal audit we are promoting.

Q: Should the head of internal audit attend board of director meetings?

A: I don’t believe a CAE should attend all board meetings, but should definitely provide regular reports to the company’s board.