
The Risk Coalition


A view from the Third Line: how risk governance needs to change after Covid-19

September 24, 2020

On 3 September, The London Institute of Banking and Finance hosted a webinar to discuss how risk governance needs to change after Covid-19.  The panel comprised risk experts from the first, second and third lines.  In today’s blog, David Alexander, who has over 30 years' financial services experience, mainly in senior internal audit, risk and consulting roles, summarises his key points from the webinar where he discussed his view from the Third Line.

Covid-19 has undoubtedly been an unfortunate and massive wake-up call for risk and internal audit professionals the world over.  As boards and executive teams come to terms with some unprecedented operational and strategic challenges, internal auditors have the opportunity to really prove their worth.

Internal auditors are often considered to be the eyes and ears of the non-executives, particularly those on audit or risk committees.  In the current environment, when uncertainty rules and oversight is more difficult, Internal Audit (IA) should be standing back and doing what they do best – listening, observing, and providing objective advice and insight.

The liberal use of the word “unprecedented” reflects the lack of experience that most executives have in dealing with the slings and arrows of misfortune that their firms are continually having to face.  For IA to prove themselves of real value to their stakeholders in a Covid-19 world, I believe there are three key areas of focus: flexibility, relevance, and collaboration.

Flexibility

Flexibility for IA simply means that they need to be quicker to react, quicker to plan and assess where the real hot spots are, quicker to spot the big-ticket issues and quicker in informing management about real opportunities to improve controls and mitigate key risks.

Even before Covid-19, many IA teams had recognised that the traditional internal audit process took too long.  A more agile and collaborative approach to planning, data analysis and reporting could save weeks in elapsed time and accelerate much-needed solutions.  Impact can be improved by talking to people and by using one page rather than 10 to 15.

Relevance

Flexibility is key but to grab stakeholders’ attention, IA resources must focus on what really matters.  This factor is the cornerstone of the views of that well-known internal audit and risk guru, Norman Marks.  His observations always seem to hit the nail on the head.  His focus on what matters is more relevant now than it has ever been.  And it’s not just auditing what matters, it’s auditing what matters today or tomorrow – not taking the traditional IA planning view which might look 6, 9 or 12 months ahead.

Collaboration

Today’s world is driving internal auditors to work more closely with both the first and second lines and to communicate more frequently with executive teams and with NEDs on audit and risk committees.  Collaboration is also critical for IA in terms of sharing ideas with their peers and listening to the profession.  We are facing a common fight and sharing good ideas and practices can only benefit the industry.

The Risk Coalition

The risk guidance produced late last year by the Risk Coalition is an excellent and timely example of collaboration, given the contributions from many relevant professional bodies, and it has even found support from the regulators.  The Chartered Institute of Internal Auditors has been one of those actively involved in supporting the guidance, building on their experience of developing the Financial Services Code (published in 2013 and refined in 2017).  This has really raised the bar for internal audit in financial services in the UK and the guidance from the Risk Coalition has the same aim for risk functions and risk committees.

In summary, internal audit has got to be more flexible and has got to turn things round and demonstrate its impact more quickly.  Worry less about the form and more about the substance.  Work closely with the first and second lines and audit what matters today.  At this critical time, we should all be raising the bar (even if the government is telling us it needs to be closed by 10.00pm).

David Alexander runs his own audit and risk consulting and training company, Daart Solutions.
