External risk auditing services may be bought in from (or outsourced to) a number of sources, according to the particular risk profile of the organisation.
– Employment agencies
Employment agencies, covering unanticipated human resource requirements (e.g. unanticipated: demand, loss of staff through illness or accident, industrial action)
– Security services
Premises security services, providing security staff (e.g. warehouse guards, reception security), systems (e.g. alarms, surveillance systems, ID card systems), and risk assessments
Other security-based services and consultancies, providing services such as: travel risk or protective and security (e.g. body-guarding, defensive driving) services; ‘kidnap for ransom’ consultancy; corporate internal investigations (into security risks and braches); and computer and/or financial forensic investigations
– Risk audits
Specialist external auditors (typically working for firms of accountants) are engaged to carry out independent investigations into the corporate finances and internal controls of public companies. A similar role is taken in the public sector by the National Audit Office and the Audit Commission.
The role of external auditors in corporate governance and financial reporting is to:
• Express an opinion on whether financial statements give a ‘true and fair’ view of the financial position of a business: if not, e.g. if statements are thought to be affected by fraud or error, the audit report is qualified accordingly.
• Design audit procedures so as to have a ‘reasonable expectation’ of detecting misstatements due to fraud or error
• Document any findings which indicate that fraud or error may exist, and report there to management: (If the matters needs to be reported to external authorities, in the public interest, the external auditors will request that the directors make that report. if the directors do not do so, or if the fraud casts doubt upon the integrity of the directors, the auditors should make the report: themselves.)
• The external auditor will normally investigate the systems of internal controls operating in the organization. The outcome of this review will often include identification of areas of potential vulnerability and unmanaged risk.
• One of the key benefits of using external auditors is their independence: that is as third parties, they are outside the systems and operations they are called on to evaluate, and so less likely to be subject to conflicts of interest. There are limits to the independence of external auditors in practice, however.
• Although in theory the auditors are appointed by the shareholders, in practice it is the directors who select the audit firm.
• Auditors are only human. They may, for example, be subject to intimidation by directors, or fearful of the consequences of pressing concerns forcefully.
• Audit firms invariably perform other non-audit work for their audit clients: tax advice consultancy. They naturally wish to retain such business, and may therefore be reluctant to ‘rock the boat’ with an unfavorable audit report. (Many countries have placed restrictions on the amount of non- audit work that the external auditor can perform for a client.)
Risk consultants
There are many commercial risk consultancy services, often specializing (or offering access to specialist expertise) in, identified risk categories, such as: international risks; kidnap, hostage and extortion risks; health and safety risks; premises security; fire and flood; and environmental impact assessment.
Government agencies (such as the Health and Safety Inspectorate), trade associations, insurance providers, third-sector organizations (such as environmental research and pressure groups) and police, fire and emergency services also offer risk appraisals and advice in regard to relevant risk categories. Some of this assistance may be offered free of charge, or on a low-cost basis, in order to further the mission of the providing organization and such options should arguably be pursued before commissioning a commercial (profit-seeking) consultancy.
The appointment of external risk consultants has several benefits.
a) They bring a ‘fresh set of eyes’ to the organization or supply chain, without the constraining effect of existing norms, assumptions and vested interest in the status quo.
b) They offer independent judgment, without the constraints that an internal consultant or line manager may face (in terms of criticizing colleagues, say, or criticizing a system they helped to plan anti implement).
c) They bring specialist expertise aid wide experience of the risk category and issues, which may enable them to pinpoint risks more accurately and quickly than insiders (of a generalist bent and limited experience) could do.
d) They may offer specialist resources and competencies for managing risks: for example, the installation of Security systems or the provision of security staff, or environmental clean-up services.
There also a downside of using external consultants.
a) The costs of consultancy and service provision
b) Potential disruption to operations during the audit and change processes
c) Time and resources required to brief the consultants on the particular circumstances, culture and risk factors of the client organization
d) Potential stakeholder resistance and conflict, as a result of the perception that ‘outsiders’ are being used to judge the adequacy of current performance, or to force through unwelcome changes on behalf of management (but enabling management to distance itself from the responsibility).
– Research service provider
The organization may commission third party research providers to conduct environmental scanning, market and competitor intelligence gathering, consumer or industry trend analysis and other forms of risk-focused research. Alternatively, it may purchase generic published reports from such organizations (e.g. on industry, market; political or commodity risk). A company planning to expand into a new overseas market for example might commission dedicated research on market conditions, the local economy the activities of competitors, existing consumer perceptions of the brand (if any) and so on. Alternatively, it might purchase or subscribe to published reports on the country and market.
A range of research reports and briefings is also available from organizations such as the government departments, Chambers of Commerce, industry associations and other organizations designed to support trade, industry and exports.
Specialist consultancies may be used for the gathering of competitive intelligence and competitor analysis, which may be a key issue in strategic risk. The focus of such research will be on:
– Identifying the key competitor5 of the firm: not just obvious players in the market, but likely new entrants (both domestic and international)
– Identifying the competitive strengths and weaknesses of existing and potential competitors; their distinctive strategic competencies and resources; their sources of competitive advantage (in relation to the strengths, weaknesses and resources of the focal firm)
– Comparing available competitive criteria (e.g. market share)
– Analyzing key benchmark areas; to learn from the competitor’s strengths:
e.g. through reverse engineering (analyzing competitor products and processes to see how they are achieved), comparing cost structures and supply chain relationships and so on.