When it comes to corporate governance, I believe there is one enduring lesson from the past two decades: When boards of directors fail in their oversight responsibility of risk management, the results can be disastrous.

Managing risks for an organization is a complex and often dynamic undertaking that requires strong coordination among the board, management, the chief risk officer and the internal audit function. Identifying and mitigating risks through a sound risk-based internal audit process benefits all organizations, from mom-and-pop businesses to Fortune 500 corporations.

Failure to do so invites almost guaranteed problems at some level of the organization. It also can present a profound dilemma for the organization’s internal auditors who serve both management and the board.

Clearly organizations must embrace risk in pursing their goals. The key is to understand how much risk they are willing to accept. Creating a clear articulation of an organization’s risk appetite — the amount of risk an organization is willing to accept in pursuit of value — is a widely recognized aspect of effective enterprise risk management (ERM). It is probably one of the most important interactions between the board and management. As COSO states in its 2017 ERM Framework update (Enterprise Risk Management: Integrating with Strategy and Performance):

“Every board has an oversight role, helping to support the creation of value in an entity and prevent its decline. Traditionally, enterprise risk management has played a strong supporting role at the board level. Now, boards are increasingly expected to provide oversight of enterprise risk management…The board’s risk oversight role may include…Reviewing, challenging, and concurring with management on: – Proposed strategy and risk appetite.”

I liken the board’s role on risk appetite to painting lanes on a highway. The board should essentially say to management, “Here are the lanes to follow. Stay within these lanes.”

But what happens when management intentionally veers from the established risk appetite and, worse, misleads the board about the real risks associated with a particular behavior or business strategy? What happens when management goes rogue?

As I acknowledged when I first wrote about this topic several years ago, at times, an organization can inadvertently swerve outside the risk appetite lanes. For example, a big challenge is managing risk across several business units. Let’s assume, for example, that an organization has delineated and clearly communicated its risk appetite to its staff, but business-unit owners take the maximum risk within that appetite. In aggregate, they may exceed the overall level of acceptable risk for the enterprise. Everything may be fine until it isn’t. An extraordinary event like the Covid-19 pandemic may bring about a worst case risk scenario in multiple business units, creating catastrophic consequences for the enterprise.

Clearly, internal audit must be vigilant in helping to provide assurance to management and the board on the overall effectiveness of risk management, and an eye should be kept on whether risks that are being taken are outside the acknowledged or agreed-upon risk appetite.

But that is not what I’m referring to when I describe management going rogue.

I’m talking about management deliberately taking on risks that are clearly beyond the established risk appetite, perhaps motivated by an incentive tied to short-term performance, or a more widespread toxic culture.

When management goes rogue, it is intentionally taking on a level of risk that has not been agreed upon by the board, or of which the board is not aware. Perhaps management is not telling the board, or it is misrepresenting how extensive the risks are. In those instances, internal audit is in a difficult position because it has an administrative reporting relationship to management and a functional reporting relationship to the board. Ultimately, however, internal audit has an obligation to the board to highlight any improper risks.

An internal auditor in this position faces a tough question. Do I blow the whistle, fully understanding that I’m likely to annoy the CEO and others — and that it could cost me my job?

The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), is very clear on this point: Standard 2600: Communicating the Acceptance of Risks states:

“When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.”

While the primary purpose of Standard 2600 is to address resolution of disagreements between internal audit and management over internal audit results, I believe that it also provides internal auditors with the mandate to ensure the board is aware of management actions involving “unacceptable” levels of risks.

I have always felt that conformance with this standard requires a degree of courage on the part of a CAE. After all, you might well be taking a point of disagreement with your administrative boss (the CEO or chief financial officer) to your functional boss (the board) for resolution. What I have always said to those who aspire to reach the top of their field is simple: If you don’t have courage — that is, if you are not willing to do what absolutely needs to be done under any circumstances — then don’t become a CAE. Don’t take on this role.

Clearly, any conclusion that management is operating outside established boundaries should be reached only after thorough examination. But once you’ve made such a conclusion, don’t let management dissuade you from making your case. You should also be prepared for possibility that the board will side with management. The board is the ultimate arbiter in these matters.

Also understand that every instance of rogue behavior may not be overt. It isn’t always black and white. They pay us for our judgment, as well. If all they need is for someone to tell them that something is black and white, you don’t need an internal auditor. A good software program or inspector can do that.

An internal auditor is capable of distinguishing additional shades.

As always, I encourage you to share your comments on this important topic.