Connor Munro, IRMCert: Auditor, Veritau

How did you get your job?

After graduating from university in 2014 with a degree in Physical Geography, I enrolled on Veritau’s graduate internal auditor training programme. I have always had a keen interest in systems and processes and the training programme offered me the ideal opportunity to critically appraise these as a job. What I didn’t know about before I started with the company was anything to do with risk management. As I began finding my way in my new job and progressed through my internal audit qualification, I was introduced to a risk management facilitation service we were delivering to one of our clients. At the time, this service was being delivered by just one member of staff and the company was starting to invest in risk management. Having learnt about the service and gained some knowledge of risk management through my studies (risk management is considered a core competence of any auditor) I volunteered to jointly deliver the service. Thankfully, I was given the opportunity and I now work in risk management directly.

What’s a typical day like as an auditor?

There is no such thing as a typical day in the world of audit and risk! Ok, I say that tongue in cheek and there are a few things we tend to do more regularly than others. I’m pleased to say that most of these involve consideration of risk, if not directly then by extension. Through my role as an internal auditor I am required to provide assurances as to the effectiveness of our clients’ governance, risk and control arrangements. This sees me evaluating processes to establish their resilience to risk and then reporting on the strength of the control environment to senior management and the board. In my role as a risk professional I am more actively involved in the risk management framework of one of our clients. This sees me delivering training sessions to staff at all levels of the organisation and to the board, running risk workshops, facilitating risk register updates, performing policy and guidance reviews and supporting development of the risk management information system.

What do you enjoy most about your job?

The thing I enjoy most about my job is that I am in a position to provide practical support to our clients and increase their risk awareness. In this way, I am able to play an important role in improving our clients’ risk management frameworks. Having this responsibility is a challenge that I enjoy enormously.

What are the challenges?

The main challenge I have faced in my role is convincing senior management and leadership teams about the true benefits of risk management. Being able to demonstrate this added value is something which the profession itself is still grappling with and is a challenge that is likely to persist. My approach to overcome this is to make it ‘real’ for the individual. Taking an abstract concept such as risk appetite and bringing it to life with relevant examples from their day to day working life. This comes with the knowledge that I have managed to build with the client through my involvement in an internal audit capacity but, more importantly, by being directly involved in the risk management framework and the insights this brings.

In what way are your IRM qualifications relevant?

The IRM’s qualifications really do take you from cradle to grave in the risk management process. You begin by gaining knowledge of the definitions and concepts, then learn risk management standards, what it means to manage risk with an ‘enterprise’ mindset, how to assess and manage risk and about control theory. You then go on to learn about the interplay between business environment and risk management, the importance of risk culture, appetite and tolerance and the broader concept of corporate governance, all the time using real world case studies which bring to life the learning objectives and provide key moments of reflection.

By way of a specific example, module 1 of the Certificate in Risk Management (‘Principles of Risk and Risk Management’) introduces students to the risk analysis tool, the risk bow-tie. Our Risk Team first employed the bow-tie in a Corporate Risk Register Workshop which was attended by our client’s entire senior management team. Using the tool and our knowledge of how it works and what it shows, we were able to run a stimulating session where officers engaged with each other, encouraging that all-important portfolio view of the client’s key risks. This tool, along with a full suite of other risk identification and analysis tools and key risk concepts from the IRM syllabus, now feature as pivotal components of our client work programmes.

However, what has been most significant for me personally is having the confidence in what I am saying about risk management. Having this confidence enables me to contribute to strategic discussions around risk and to offer practical guidance on the appropriate consideration of risk and reward. After all, as the famous American entrepreneur Warren Buffett once said: “Someone is sitting in the shade today because someone planted a tree a long time ago.”

What would you say to others thinking about joining IRM as a member?

Without hesitation I would encourage you to join. It is almost a cliché but risk really does permeate everything that a business does. If you want to truly understand a business, what makes it tick and how it is influenced by its culture then do all you can to expand your knowledge on risk management. Where better to do this than with the profession’s leading body? Having a seat at the table where risk management is being discussed probably means you are doing well. From there, you can really begin educating and influencing the risk culture and risk management processes.

How has your role developed and what are your career ambitions? Has being linked to the IRM helped?

Since starting and completing my certificate qualification, the company has restated its desire for our risk management services to be developed further. Senior management now has the confidence in us to deliver risk management as a core output. With this backing, I will have the chance to develop my professional skills further and look to specialise in risk management. Being linked to the IRM has definitely helped. It has developed me this far and has provided the framework on which we base our client work programmes.

Top tips:

  • If an opportunity arises to become involved with risk management, even if only in a very small way, don’t be scared to grasp it. You won’t regret it.
  • Don’t rest on your laurels. Once you have completed your studies in risk management – to whatever level that is – go in search of opportunities to apply your new-found skills in a practical way so that you keep them current. 
  • Be enthusiastic about risk management as your enthusiasm will be infectious.