It also can present a profound dilemma for the organization's internal auditors who serve both management and the board.


If we learned anything from the global financial crisis of 2008, it was this: When boards of directors fail in their oversight responsibility of risk management, the results can be disastrous.

Managing risks for an organization is a complex and often dynamic undertaking that requires strong coordination among the board, management, and the internal audit function.

But that is not what I'm referring to when I describe management going rogue.

I'm talking about management deliberately taking on risks that are clearly beyond the established risk appetite, perhaps motivated by an incentive tied to short-term performance.

It is probably one of the most important interactions between the board and management.

I liken the process to the board painting lanes on a highway. In those instances, internal audit is in a difficult position because it has an administrative reporting relationship to management and a functional reporting relationship to the board. Ultimately, however, internal audit has an obligation to the board to highlight any improper risks. The board has essentially said to management, "Here are the lanes to follow. Stay within these lanes." But what happens when management intentionally veers from the established risk appetite and, worse, misleads the board about the real risks associated with a particular behavior or business strategy? It should be acknowledged that, at times, an organization can inadvertently swerve outside the risk appetite lanes. I have always felt that conformance with this standard requires a degree of courage on the part of a CAE.