Obviously
1. Risk owners take the pain but risk auditors take the gain.
2. Risk owners come across the consequence but risk auditors do not.
3. Risk owners tune practical application but risk auditors theoretical; the main reason of conflict.
Totally agree. The reason is that there is always a conflict of interest between risk owners and risk auditors.
I think that this should not be the case if the subject team members were carefully selected and if risk identification and management was a team effort rather than a personal one. This is due to the fact that expert team members can see the subject from different views.
yes
Risk owners: Their main priority is accomplishing company goals, which occasionally entails taking measured risks.
Risk auditors: Regardless of how a risk may affect corporate objectives, their main priority is detecting and evaluating risks objectively.
For the purpose of this question I have assumed the word 'conflict' means 'disagreement'. For the purposes of illustration I have used the 'measurement' of risk to explain my perspective regarding this question. (Obviously disagreements might exist as to whether all relevant risks impacting business objectives have been identified, effective remedial actions implemented, etc.)
In a mature ERM framework both the 'owners' of risks and risk based internal auditors should have a common understanding about how the organisation has agreed both inherent (before control measures) and residual risks (after control measures) should be measured. Disagreement may arise if Internal Auditors assess risks with a different profile (business impact/probability) to risk owners. In such circumstances both parties should explain and discuss their justification for their respective assessments (e.g. KPIs and/or KRIs). If, having consulted fully, they cannot agree, the Internal Audit report should record both sets of opinions and justifications. Whilst such disagreements would hopefully happen in a minority of instances, the important issue is that both opinions have been brought to the attention of senior management/board members (where considered sufficiently important to business objectives).
Such discussions and, hopefully rare, disagreements are indicative of a healthy and constructive relationship between risk owners and Internal Auditors. If there are never any such disagreements questions should be asked about the diligence/effectiveness of Internal Audit or, alternatively, whether Internal Audit is so intimidating that risk owners do not feel able to challenge Internal Auditors.
Keith R Johnston, MBA, CPFA, CMIIA.