بررسیهای حسابداری و حسابرسی (Aug 2023)
Designing a Risk Management Maturity Assessment Model in Iran's Insurance Industry with an Emphasis on the Role of Internal Audit
Abstract
Objective: The main purpose of this research is to design a model to measure the maturity of risk management in Iran's insurance industry, emphasizing the role of internal audit.Methods: To achieve the objective of the research, first, the existing theoretical and empirical literature was studied by using the qualitative content analysis method. The key propositions indicating the maturity of risk management and the role of internal audit in risk management were also identified. Next, the propositions were classified based on similarity, semantic connection, and also by referring to risk management frameworks and standards in the form of dimensions, components, and main indicators of risk management maturity. Then, to ensure the validity of the obtained model, the Delphi method was used to examine and apply the opinions of risk management and internal audit experts in the insurance industry. At this stage, a questionnaire was used to collect data. The reliability of the questionnaire was confirmed with the help of Cronbach's alpha statistic.Results: By employing qualitative content analysis, the process of identifying and categorizing significant and recurring propositions led to the identification of 68 indicators of risk management maturity. These indicators were organized into nine components, forming three primary dimensions of risk management maturity within Iran's insurance sector, with a specific emphasis on the role of internal audit. Subsequently, the developed model was presented to professionals and academics with substantial experience in the realm of risk management and internal audit. This was carried out through a questionnaire that was distributed to experts in these domains. They announced their agreement, disagreement, or their proposed amendments regarding each of the dimensions, components, and indicators. After gathering their feedback, 50 indicators were agreed upon by experts, and the rest were removed from the final model. The model put forth encompasses three primary dimensions: corporate governance, policy and strategy, and the risk management process, along with the roles and responsibilities of internal audit. The result is in line with the "three lines of defense against risk" model proposed by the International Association of Internal Auditors. Therefore, all operational units of the organization under good corporate governance and strategy form the first layer of defense against risk. Risk management is the second layer of defense by implementing the processes of identification, evaluation, response to risk and reporting. The internal audit, by monitoring and evaluating the risk management process, forms the third layer of defense against risk.Conclusion: The model developed within this study comprises 50 indicators sourced from risk management standards, existing research, and insights from experts in the Iranian insurance industry. These indicators delineate the ideal condition of risk management, organized into three primary dimensions and nine crucial components. Iranian insurance firms have the capability to assess the maturity level of their risk management practices by gauging their alignment with the indicators outlined in this model. This assessment aids in recognizing both their strengths and areas that require improvement. Also, unlike previous risk management maturity models, this model could successfully address the roles and duties of internal audit. Therefore, The internal auditors within the insurance industry can incorporate the indicators outlined in this model while devising and executing assurance and consulting services related to the organization's risk management procedures.
Keywords
