
Just Done It September 1, 2015

Posted by Audit Monkey in The Joy & Pain of Internal Audit.

This is going to be a slightly different blog post as the source material comes from a blog reader! Whoa! However, as some of the contents of the email were missing, i.e. the role of governance in a modern Business, I’ve had to piece the full story together to ‘fill the gaps’. Note, I’m not bitter about this as over the years I’ve learnt that auditees (for that matter, people in general) often speak in riddles. Anyway, the contributor, ITMonkey, provided some gems in his email which were mildly amusing and worth sharing. Without further ado, here’s his story.

As many readers will know, this weekend was a Bank Holiday weekend in the UK where the majority of workers get a statutory holiday, essentially Monday off. Many employees enjoy this particular Bank Holiday as it’s the last chance to grab the remaining summer sun, take a small respite before the children return to school and prepare for the long haul to Christmas. The last thing you want in your inbox on the Friday afternoon before the break is an email from your Boss with work. So what does ITMonkey receive? You’ve got it, an email from his Boss with a shed load of work, which ITMonkey duly described as a ‘Snotogram’.

‘Why?’ I hear you ask. Well, ITMonkey’s Boss received a long document from the Risk Department asking his Business Unit to confirm that certain risks with no controls, and risks with identified controls, were being mitigated. As one would expect, ITMonkey’s Boss managed this request downwards to him. ITMonkey wasn’t terribly pleased as the risks with identified controls had not changed, i.e. the controls were just the same. As for the new risks, ITMonkey felt that this was just a rehash of the existing risks. ITMonkey argued the toss with his Boss, stating that ‘it was more unnecessary paperwork and detracts from the day job’. Needless to say, ITMonkey’s Boss was not overly pleased to hear this and replied ‘JFDI’. For the avoidance of doubt, JFDI means just f’ing do it….

One may think that this is the end of the story but alas, no. ITMonkey wanted to know the logic behind the Risk Department’s requests, so this is where I come in. First, why did Risk contact ITMonkey’s Business Unit on the Friday before the Bank Holiday? That’s easy. The text-book answer: the Risk Officer has been painstakingly working on a document, probably for about a fortnight, and the Business need to respond. No easier route than to circulate it! Second, why do Risk want the controls confirmed again? Again, the text-book answer: the controls may have changed in the intervening period after the last circulation and need to be refreshed. Third, why does Risk want to know the controls against the new risks? Text-book answer: new risks emerge and the senior management team want reassurance that new strategic and operational risks are effectively mitigated.

One may think the story ends here but alas, no. We are missing the non-text-book answers, which I will provide, but first, a confession. I don’t know what Risk Departments really do. From what I’ve seen, it isn’t much. Ignoring my lack of knowledge (read general ignorance or stupidity), the real answers are as follows. The Risk Officer has been working on his document all week and, to justify his existence, is now circulating it, thereby creating work for everyone else in the Business. To continue this charade, there is no better way than to do an annual circulation and pose new questions about pre-existing and emerging risks. Of course, we will ignore the fact that circulating a risk document on the Friday afternoon before a Bank Holiday is bad internal PR for the Risk Department and doesn’t help the relationship with the Business. That’s assuming that the third line ever cared about its relationship in the first instance but still.

So after all this risk analysis, toing and froing, what does it achieve? Can the Business control the risks? In truth, an awful lot depends on the firm’s risk appetite, i.e. how much risk the business is prepared to take. This is where the use of risk models and stochastic modelling enters a realm of its own in attempting to define appetite. Hundreds of man hours can be spent deliberating this. Personally I’m sceptical; I don’t think you can control all the risks as you cannot predict with any real confidence or insight how people, your competitors and the markets will behave. Ironically this is the predicament facing ITMonkey. While he will dutifully refresh the risk schedule under JFDI, his employer faces the prospect of being taken over by a competitor. I wonder if that was in the Risk Register.

