Etihad Airways’ Senior Vice President of Audit, Compliance and Risk shares his experience on the role of Internal Audit in risk management

Harsh Mohan

In an exclusive interview, Internal Auditor – Middle East spoke to Harsh Mohan, CPA, CA, who joined Etihad Airways (Etihad) in 2011 and is now the Senior Vice President of Audit, Compliance and Risk. He started his career over 31 years ago in internal audit and used the experience gained to successfully work across various functions in the airline industry including finance, procurement, risk management and strategic cost management. Before joining Etihad, he was the Auditor General Auditor and Senior Director of Business Transformation at Air Canada. Harsh is an active supporter of the UAE Internal Audit Association (UAEIAA) and a prominent speaker on the topic of risk management.

Internal Auditor – Middle East met with Harsh Mohan at the Etihad Airways Head Office in Abu Dhabi.

How important is risk management to Etihad?
(Smiling) Our business is managing risk. I want you to think of a metal cylinder which is 70 meters long, has 400 people, with engines operating at temperatures around 1,000 degrees Celsius, packed with 100,000 liters of fuel and travelling at a speed of over 800 km/h. This is, very simply put, what an airplane is. But the passengers are reclining, watching videos, listening to music and are completely comfortable. This is what risk management is all about; taking an inherently high risk such as safety and managing it to a residually low level.

What role does Internal Audit take with respect to risk management at Etihad?
At the start of every internal audit plan, we carry out a thorough risk assessment, and based on inherent and residual risks, we formulate the internal audit plan. Doing proper risk assessments is a complex task which requires deep knowledge of the business. It also requires a high level of independence to report on major risks in a fair manner and for these risks to be acknowledged by management. Internal Audit has a solid understanding of the business and is sufficiently independent of management. It therefore makes sense to use the risk assessment carried out by Internal Audit as the basis for the company’s enterprise risk management framework. In most non-financial services institutions, having a separate function carry out this role would be a waste of resources. So we send the risk assessment results to senior management so they can identify existing or required controls that will manage a particular risk within the company’s risk appetite. So management identifies the existing or required controls, and we, at the time of our audit, assess the risk and audit the controls in place. Internal Audit at Etihad Airways validates the risks that the company is facing and assesses the effectiveness of the controls put in place to mitigate those risks.

Does this approach impair your department’s independence?
No. We do not own the risk mitigation process. The assessment of risk and corresponding facilitation sessions with management are the roles performed by Internal Audit. As my title suggests, we deal with risk and not risk management, differentiating between the two. We make a clear distinction between our role and management’s responsibility to manage risks. Our approach is based on the IIA position paper on Internal Audit’s role in Risk Management and each stakeholder’s role in the Risk Management process is clearly defined.

Also, to give more comfort to our Board and regulators, we have a separate team within the department which carries out the risk assessment and facilitation sessions. This team reports through me to the full Board. This process of reporting to the Board makes the risk management process more effective.

How is Internal Audit able to assess and provide assurance on risks to strategic objectives?
Every risk management framework refers to risk as something which impedes the achievement of your objectives. We start our strategy by defining our top strategic objectives and cascading them downwards to the business units and individual departments. When we assess risk, we look at objectives from all three layers, and this way, it focuses on adding value to what really matters to the business. For example, one of our strategic risks is the capacity of Abu Dhabi Airport to support our growth. We are expecting to transport 15 million passengers in the coming years. So Etihad worked with Abu Dhabi Airports Company to expand the airport to Terminal 3 and is now adding additional capacity in the new Midfield Terminal. As Internal Audit, we will look at the controls in place to mitigate this strategic risk. In other words, what action is being taken by management to mitigate capacity constraints? This could include audits of project oversight, baggage handling, customer services etc. I also sit as an observer on the Midfield Terminal project committee to understand how management is addressing the capacity strategic objective.

“The company which manages its risk the best is the one which succeeds”

What about Internal Audit’s role in providing insight on emerging risks?
Risk management is an ever evolving process! Take for example the CEB’s (Audit Plan Hot Spots – https://www. views on the top risks from 2010 – 2014. You will notice that the top risks have changed over the past five years. Now one of the major emerging risks is cybersecurity. When carrying out our assessment of risk, we need to focus on such areas and ensure that management and the Board are made aware of them.

Some chief audit executives may not be providing advice or assurance on risk management. What are your thoughts on this?
As the needs of the business evolve, there will be a need for Internal Audit to evolve to support the business. Internal Audit has the skills required to support the risk management process and add value to the business. By focusing on risk, Internal Audit will be included in management discussions and committees and this will elevate its status because of our knowledge of the business. If Internal Audit does not step in, someone else will and that department or person will go far ahead of Internal Audit. Chief Audit Executives who do not play a role in risk management face a high risk of becoming obsolete.