Risk Management is not Internal Audit


Risk management is looking forward

Risk management is when you are driving your car on a foggy night and you cannot see more than 10 feet in front of you – there may be something out there: perhaps a deer, another vehicle or a zombie hitchhiking. But you don’t know when or if you will collide with any or all of them. By simply identifying that an animal, truck or undead creature may be there, you alter your behavior and proactively treat the risk (e.g., slow down, turn off the radio or ask kids to be quiet). You are practicing risk management instinctively. When you drive without knowing about these known unknowns, you are at the greatest risk of all.

Audit is what you have already seen or what you may see in the rearview mirror.

It is no coincidence that the front windshield is way larger than the rearview mirror, because looking forward at unknowns (risk) is much more important than looking into a tiny mirror at what has already happened (audit). You may see something in the mirror, but real value comes from looking ahead, not behind. Auditors also tend to be very focused on the adequacy of controls rather than on uncertainty or causality of unknown events. While the risk manager is looking forward in the dark, the auditor is looking behind and checking off a box while noting that the tree they just passed is still there.
Finally, risk managers are way cooler than auditors. Risk management is to the high school football team what audit is to the chess club.

