There was once a village plagued by livestock theft. So they hired a watchman.
Each night, he locked the front gate, inspected the fence, and logged everything in his notebook. Every morning, he presented his report: “No breach. All controls in place.”
Yet the goats kept disappearing. Turns out, the thief wasn’t breaking in. He was the trusted farmhand, walking out through the side gate, laughing at the audit reports.
This is the tragedy of Risk-Based Internal Auditing today.
We are securing the gates our frameworks told us to monitor, while real risk walks out the side door of flawed decisions, toxic culture, and unchallenged power.
RBIA is not future-ready
Risk-Based Internal Auditing (RBIA) was a good step 20 years ago: a shift from routine compliance to relevance. But it has become a comfort blanket, not a compass.
Here is why it’s failing today’s auditor:
a) It assumes the risk register is reality. It is not. Most top risks are what leaders are willing to disclose, not what keeps them awake at night.
b) It’s too slow. Risks now evolve faster than your quarterly risk review cycle. RBIA is strategic archaeology, digging up yesterday’s threats.
c) It ignores the battlefield of decisions. Risks do not fall from the sky. They are born at decision tables, in silence, bias, and false consensus.
From risk-based to decision-centric auditing. Forget processes. Forget the heat map. Ask:
“What are the top 10 irreversible decisions made this quarter?”
“Who made them, with what data, and under what pressure?”
“Did anyone challenge them?”
“How did this decision feel to the people involved?”
Most insurance trainers tell a story of an African insurance firm that had solid RBIA. Policies, procedures, and control tests passed with flying colours. Regulators were happy.
Then it collapsed. Why? A single decision, to underprice motor insurance premiums to win market share, had been made by the CEO and endorsed silently by a weak board.
There was no fraud. Just ambition. No red flags. Just a silent misjudgment. RBIA never flagged it because the control existed. Decision-Centric Auditing (DCA) would have.
RBIA makes auditors feel in control. But it lulls executives into false safety.
You passed the audit, but no one challenged the CEO’s magical thinking.
You flagged control weaknesses, but never asked who benefited from them.
Audit without courage is blind trust.
If your internal audit plan still begins with a spreadsheet of risks, you’re too late.
If your team still measures success by “auditable units covered,” you’re not a strategist. The most dangerous risk in your organisation right now is not on your risk register.
It’s in the boardroom. In the silence before a bad decision.
And if you’re not there, auditing that silence, you’ve failed.
What are the top bets your company is making?
I remain, Mr. Strategy