The Two Sides Of Risk (upside and downside)
Risk! Auditors are constantly addressing this four letter word. There are unrelenting attempt to better identify, assess and report risks. However, many auditors tend to allocate audit efforts and resources to and concentrate on negative risk impacts. In the planning phase, risks assessments center around negative outcomes. Audit testing is designed to determine the number and extent of deviations from expected outcomes. Reports quantify potential losses from expected deviations. These are all negative risk focused.
What about the risk rewards for engaging in specific activity. Shouldn’t auditors focus on these as well. Of course, they should. Auditors must make a conscience effort to identify, assess and report negative and positive risks opportunities. So what does a positive risk opportunity look like?
First, imagine an organization looking to raise capital. Considering the historically low interest rates, it may be more advantageous to engage debt financing now. Debt financing is risky, however, the reward is capital for the organization. At today’s low interest, the cost of debt financing is definitely an attractive transaction.
Next, consider an organization with substantial decentralized purchasing activity. You know departments with the ability to purchase travel, training, books, supplies, etc. This is risky actiity that can be partially mitigated using corporate purchasing cards (of course these pose risks of their own). However, many organizations receive a monetary gain, in the form of a rebate, for using corporate purchasing cards. In other words, they get paid to shop. This rebate, depending on the amount, can used to fund small initiatives, to set up a good purchasing card monitoring function or whatever.
So, when considering risks it is important understand that risks have negative and positive impacts. Internal auditors must recognize, assess and report not only negative risks, but also risk opportunities.