"Risk Owners can potentially have conflict with risk auditors" Do you agree? Why?

Question added by Wasim Khalil Mustafa Ali PMP® , Consultant , Malomatia
Date Posted: 2014/03/22
by DEBASISH BHATTACHARYA , MANAGER , STATE BANK OF INDIA

Obviously

1. Risk owners take the pain but risk auditors take the gain.

2. Risk owners come across the consequence but risk auditors do not.

3. Risk owners tune practical application but risk auditors theoretical, the main reason of conflict.

by Moataz Mohamed , Head Of Sales - Industry Sector , siemens

Totally agree. The reason is that there is always a conflict of interest between risk owners and risk auditors.

by Mohammad Tohamy Hussein Hussein , Chief Executive Officer & ERP Architect , Egyptian Software Group

I think that this should not be the case if the subject team members were carefully selected and if risk identification and management was a team effort rather than a personal one. This is due to the fact that expert team members can see the subject from different views.

by Mostafa Hamamo , Senior operation Engineer , Sky distribution co. (local agent of Samsung)

yes

by MOHAMED TILOULT , Internal Control and Risk Management supervisor , HYDRAPHARM GROUP

Risk owners: Their main priority is accomplishing company goals, which occasionally entails taking measured risks.

Risk auditors: Regardless of how a risk may affect corporate objectives, their main priority is detecting and evaluating risks objectively.

by KEITH JOHNSTON , Various from Senior Internal Auditor to Internal Audit Manager to ERM/GRC Consultant , Both Public & Private Sector

For the purpose of this question I have assumed the word 'conflict' means 'disagreement'. For the purposes of illustration I have used the 'measurement' of risk to explain my perspective regarding this question. (Obviously disagreements might exist as to whether all relevant risks impacting business objectives have been identified, effective remedial actions implemented, etc.)

In a mature ERM framework both the 'owners' of risks and risk based internal auditors should have a common understanding about how the organisation has agreed both inherent (before control measures) and residual risks (after control measures) should be measured. Disagreement may arise if Internal Auditors assess risks with a different profile (business impact/probability) to risk owners. In such circumstances both parties should explain and discuss their justification for their respective assessments (e.g. KPIs and/or KRIs). If having consulted fully they cannot agree the Internal Audit report should record both sets of opinions and justifications. Whilst such disagreements would hopefully happen in a minority of instances, the important issue is that both opinions have been brought to the attention of senior management/board members (where considered sufficiently important to business objectives).

Such discussions and, hopefully rare, disagreements are indicative of a healthy and constructive relationship between risk owners and Internal Auditors. If there are never any such disagreements questions should be asked about the diligence/effectiveness of Internal Audit or, alternatively, whether Internal Audit is so intimidating that risk owners do not feel able to challenge Internal Auditors.

 

Keith R Johnston, MBA, CPFA, CMIIA.

 
