Is it really that the auditors talk about risk every time, all the time? That’s true but not as much as clients do!
Last week, speaking to a colleague I tried figuring out the reason of why the residential site club facility was closed on midday at a weekend. Here’s what I found, hardly insightful but all music to the ears! He said the club remains closed for most part of everyday including weekends and opens in the evening. The reason being that people usually visit it in the evening.
But what if someone intends to use the facility in broad daylight on a weekend, I insisted? Still must visit in the evening, came the answer. Why? Because it can’t remain open for most of the day, weekends included, because otherwise people misuse facilities, electricity and because supervising staff is also part time.
Clearly the answer was not aligned with how best to use a recreational facility or what time of the day is best to use it. But it was indeed, wholly and solely aligned with management of risks! Downside risks, mind you! Risk that facilities could be misused, risk that electricity costs might run higher, risk that an incident could occur since no one was looking after and risk that supervising staff needs to be paid more if asked to work in shifts.
So, why is it that only the auditors must be rebuked for thinking risk every time? Maybe because:
|
Client’s arguments |
Auditor’s answers |
|
The risk that auditors identify is always perceived to be insignificant |
How about the risk pertaining to overuse or misuse of the club facility for an answer? |
|
Risk will remain irrespective of auditor’s interventions, at least in terms of probability which can’t be zero, so, why care about audit findings? |
Likewise, misuse of the facility could also occur when someone’s watching or someone’s colluding |
|
Did it ever go wrong in the past? |
Probability is a measure of the future not the past! |
|
The way things are being done or have been done since ages is the right way. |
Then nothing should change when a new, previously unforeseen problem comes. |
|
The auditors learn from us and then make improvement advisory aimed at us. Why should we act on their advice? |
Solution is required to be suited to your needs that’s why auditors first must understand how you do things |
Though the pitfalls of a downside risk materializing are same in a personal and a professional or official setting yet somehow our approach around risk is different. For instance, we fully understand; why managing our personal finances is imperative, why we must look for investment avenues, why we must make schedules, why we should make plans for as trivial a matter as a recreational trip. Being weary of downside risk is an innate trait of every individual, according to one’s own appetite and tolerance.
However somehow this approach changes when it comes to the risks in the individual’s work environment. Even the entrepreneurial mind is cautious of downside risks; being more inclined towards the upside risks, unfortunately the average individual working for someone else has an ability to think differently about risk to his personal affairs and risk to his official affairs.
In my understanding, this isn’t simply about the differing approach of a person in someone’s employment from a person who’s an employer, it has a lot to do with the ownership of a process being managed by the person or more appropriately a lack of that ownership.
In the personal domain, we have responsibilities that come bundled with ownership. This ownership has a tangible feel attached to it, and we tend to safeguard it. That is almost how the colleague in the above example responded to a query on the club timings. It was not a personal possession of course, but a tangible responsibility of looking after all its affairs including making rules for usage meant ownership.
That’s not the case when we are looking after affairs of our workplace in an official setting. It is somehow perceived to be different. People usually don’t look beyond their job descriptions and mostly even align their approach with their compensation; for instance, being responsible for:
- A particular task but won’t take up other linked tasks,
- Performing control in a specific manner only,
- Limiting conduct in accordance with procedure but not thinking of improving the procedure
So on and so forth.
The reason for this differing perception appears to stem from assignment of responsibilities without ownership. A lack of ownership means an individual is only given a part of what’s needed to be done; they have not been given ownership of the objectives the tasks aim to achieve and hence the behavior.
Ownership intrinsically requires going the extra mile to getting the objectives accomplished. The individual who owns the objective, owns the whole, with its risks and rewards and thus aims to manage risks to enhance rewards, since when it comes to objectives accomplishment, risk is always the potential of jeopardizing this accomplishment.
The other reason of not adapting to manage risks is not understanding the dynamics of the operating environment. Since the entity’s operating environment is always evolving, so does its risk profile. New risks emerge, known risks morph, probabilities and impacts change, managed risks fade away such that they no longer pose a threat.
But because the understanding is myopic, tied to believing in a static environment, we continue to lose out not just on account of failure to manage downside risks but also on account of exploiting the upside risks to our advantage.
As for the problem with auditors talking risk all the time, it’s imperative to understand the difference between planning based on risk and actual risk management. The auditors are required to plan and approach audit engagements in a risk centric manner. They’re not the actual risk managers, risk management is management’s function, be it operational, senior or a specific risk management function, because that’s the front-line defense.
Risk is identified, monitored and managed by client, auditors are only there to commend them or advise them on how to improve further. So next time you have a problem with your auditors talking risk all the time, remember auditors are there to help, even if they help you find the risk manager in you!