When Should I Establish a Risk Management or Internal Audit Function?

We are often asked the above question by organisations. As with any business endeavour, the short and easy answer is: when the value exceeds the cost.

However, the value is not always easy to measure. Unlike the value derived from, for example, starting a new manufacturing line or upgrading a key piece of equipment, which is visible in the short term, the value derived from appointing a top non-executive director, strengthening the finance function to enable meaningful data analysis, or establishing an internal audit or risk management function is realised over a longer term. In addition, the value derived from establishing an internal audit or risk management function is much more difficult to quantify.

It is our view that any organisation, no matter how small, will derive value through the generation of a Risk Register. As a contextualisation, justification and prioritisation tool, it has no equal. The process of generating the Risk Register simplifies and provides focus on the effective and efficient achievement of objectives on a very basic level. This is extremely valuable to the small business owner who is almost continuously in fire-fighting mode.

As a value-adding tool, the Risk Register plays a role in pro-active decision-making. The next step in the risk management process, defining the procedures for continuously updating the Risk Register, is, however, dependent to a large extent on the number of decision-makers in the organisation, as well as the specific requirements of oversight.

With regard to the establishment of an Internal Audit function, the decision is directly linked to the needs of the oversight function. “Oversight” is defined as the person or persons mandated by the shareholders to ensure the continued, appropriate management of key risks within the organisation (ensuring that resources are being used appropriately to maximise their return in a sustainable manner).

If the main shareholder is actively involved in all activities, in other words if management and oversight reside in one person, it is our experience that the value derived from a permanent, risk-based Internal Audit function would not normally exceed the costs. However, this does not mean that Internal Audit activities would not be necessary. Any time an organisation feels the need for outside specialists to review a specific business process, the need for an Internal Audit function should be re-assessed.

In organisations where the shareholder is not involved in all day-to-day activities, the need for additional assurance on the appropriate management of key risks becomes of paramount importance to oversight. A robust Internal Audit function should be the main provider of that additional assurance.