ARC (trade) talks with... Berry Kok, Manager of Risk & Internal Audit at Bijenkorf

Aug. 31, 2021

To keep close track of developments in our field, every month we interview an expert in the field. In a series of interviews with those ultimately responsible for audit, risk and/or compliance, we ask the question: what developments do you see and how do you deal with them? In the first interview in this series we talk to Berry Kok, currently Manager Risk & Internal Audit at Bijenkorf and, as of October 1, Manager Risk & Internal Audit at HEMA.

What first stands out is that internal audit and risk management have been combined. Can you tell a little more about the thinking behind this?

When I started at Bijenkorf, risk management and internal audit were already housed together, although it was called internal audit. So it came down mainly to spending 90% of the time on fairly traditional audits and 10% of the time on risk record keeping and reporting. Being part of a family business that is not publicly traded provides opportunities to be a little more flexible about the separation between second- and third-line work.

What advantages and/or disadvantages does this combination offer?

Risk and audit are communicating vessels. They provide input to each other. For example, risk assessments provide input into the preparation of a risk-based internal audit annual plan and guide the scoping of audits. And on the other hand, audit results provide insights into risks that were not yet on management's radar and good input for quantifying (residual) risks. So as far as I'm concerned, combining only offers advantages. One point of attention is that I still have to account twice a year for how I continue to guarantee my independence. There are a number of measures in place for this, such as working in pairs, peer reviews in the team and also from the head of audit in the UK.

What is the ratio of time spent between audit and risk now?

I estimate 75% risk and 25% audit. The balance has turned around quite a bit since I arrived in 2018.

Tell us a little about de Bijenkorf and its challenges.

Apart from the obvious challenges arising from the corona pandemic (e.g. store closures and huge shift to online sales), it remains challenging to continuously renew your service proposition, surprise your customers online and offline, but also to continuously grow within the Netherlands and Europe. Competition is always knocking at the door, so you need to have the basics in order, have a strong vision, strategy and policy, and look ahead together. And, not unimportantly, the right people to grow. A tight labor market is playing tricks on everyone.

How do you contribute to these challenges?

The basics must be in order in all areas of the organization. Where necessary, we establish this basic hygiene together with the business, or we monitor it by means of audits, quick scans, self-assessments and data analyses. If your house is in order, you can look ahead and go out into the world.

In practice, this means such things as taking the lead on drafting a revised cyber strategy and social media strategy, establishing a company-specific data governance model and maintaining project risk registers for our international expansion into Germany, Austria and France. But we also provided assurance on basic hygiene, such as key financial controls and our health & safety policy.

Taking the lead in cyber strategy and social media strategy sounds more like 1st line activities than 2nd line. Can you elaborate on that?

Taking the lead here is in the form of initiating workshops and brainstorming sessions. Furthermore, we state what we expect in such a strategy. We don't take responsibility, but we hunt and use our tools, templates and knowledge (of cyber security) to determine these strategies. And ensure that key risks are covered. With risk goggles, we help the business do the right thing.

Of course, we also do "just" ERM. I want to guard against thinking in boxes of internal audit, risk or assurance. It's all about what the business needs.

How do you stay relevant as a department? 

Specifically, by a) meeting challenges together, as with the examples outlined above, and b) keeping things simple. You need to demonstrate that something is relevant and not throw around terms. Call it storytelling: give concrete examples of what a risk means to them, or better, examples they have already experienced, so name things from their own experience. And c) positivity and looking forward. Emphasize not only what is wrong, but especially what is right and what has improved since last time. And focus on opportunities instead of only risks. Of course, this is also easier if you focus more on risk than on audits.

For example, we recently assessed business-critical datasets, such as customer and employee data, using a self-built maturity model. Then you establish with the business that you're at level 2, for example, and that you want to get to level 4. With this, you provide positive assurance but you also help the business move forward by showing what needs to be done to get there.

In summary, if we can't explain the added value of what we are going to do, then we don't do it or adapt it.

And of course the preconditions apply that you must manage your relationships, you must always honor your commitments: say what you do and do what you say. Use healthy pragmatism: the objective chameleon, adjust where necessary, but keep your back straight.

How do you demonstrate your value as a risk & audit department, especially in times of crisis?

Be involved in strategic and high impact projects as much as possible. Obviously in the form of support but not ownership. By extension: link risks as much as possible to strategic objectives and the vision and purpose of the organization. And make sure that the basis is demonstrably in order. That ensures peace of mind for the management.

And furthermore, we make what we do measurable through key success indicators. This is independent of the crisis time, by the way. Think about how long audit issues remain open; we are not responsible for solving them but we are responsible for driving them forward. And you also get that by sparring with the business on this. We report this to the management and head of audit in England. Nobody asked for this, by the way, but we want this ourselves. Demonstrating added value is also successful, otherwise we would never be allowed to grow from 2 FTEs to 7 FTEs. We also do this, for example, by demonstrating how we manage fraud through fraud reports. And nowadays we also formally evaluate our projects.

We are always curious about innovative activities within our three areas of expertise. What do you think you as a department are innovative in?

I'm thinking about 2 things. One is the emerging risk workshops: how do we ensure that risks are already on the map before they become relevant? We do that by looking at issues that are already happening in other sectors or in other parts of the world and then see if this can also come into play for us. They are not so much new risks, but they are for us. We then look at themes such as climate change, insurance or supply chains: which risks play a role now, which in a year and which in three years, and what impact can they have for us?

The second is forward-looking (data-driven) insights. Here we extrapolate data, in collaboration with the business (e.g. BI and fraud teams), based on scenarios - could there be a problem? For example, think about the scenario with specific growth abroad and what fraud you expect there based on your current numbers and benchmark numbers from other parties. Based on that, you can monitor and also determine if it makes sense to hire additional staff to prevent the fraud.

What developments do you see in the field of audit and risk?

I don't really think in audit or risk. Overall, I don't see much innovation or real breakthroughs. It's much of the same. We've been talking about soft controls, data analytics, etc. for years. But what's new?

Furthermore, I expect and see integration of lines of defense: we need to be less panicky and more practical in this.

Another issue is ESG and sustainability (as part of ESG), which is a broad/overarching topic. Governance has already been thoroughly chewed over. Environmental has been around for a while and is starting to take hold. Social is a bit more of a new kid on the block for our field. We will have to develop more in that area.

Not thinking in audit or risk and getting so close to the 1st line. This is not something that is given to all audit or risk departments, especially when you are dealing with a regulator in the financial sector. Who would have thought?

That's right. It helps that we are not in the financial sector and we have owners who just want to see added value from a department like ours. Still, even audit or risk in the financial sector can go more in the direction of giving insight.

How do you think we keep the field interesting?

We all need to (continue to) work on the perception of Internal Audit. If you don't explain what you do, nobody knows either. I then think of looking forward and participating more, rather than looking back and establishing what others already know.

Furthermore, I am for stopping using buzzwords such as analytics, AI, machine learning, agile auditing, soft controls and just applying common sense.

When someone asks: why are internal audit and risk management so much fun, what is your answer?

You are involved with all facets of the business, with all layers of the enterprise, across systems, processes and people, and you can get involved in everything. When people ask what I do, I can name a very wide range of topics: social media, data governance, cybersecurity roadmap, lunch with management. The work is so diverse. I'm talking about something different every hour. What job can say that now? And by also doing risk advisory, you can also effect change. We help with strategy. We go beyond providing assurance. You see the improvements.

About Berry Kok

Berry studied business administration and then joined Deloitte in 2009 in the Risk Services division, where the services around risk come together (IT audit, internal audit, risk management, etc.). He has done several assignments at Deloitte at home and abroad in all kinds of industries. In the beginning of his career the focus was on IT audit (he followed an RE), but he quickly moved into the world of internal audit and risk management, developing into an all-rounder.

Berry has been with de Bijenkorf since September 2018. Bijenkorf's Risk & Internal Audit team (7 FTE) is part of a broader international team within Selfridges Group Audit & Risk (20 FTE). Bijenkorf is part of Selfridges Group, owned by the Weston family of Canada, a family-owned company with a focus on retail and food (such as Loblaw and several department stores in Canada, Ireland, England and the Netherlands). Effective October 1, 2021, Berry will transfer to HEMA, where he will also be responsible for combined Risk & Internal Audit.
