WHY CARE WHETHER ERM WORKS?
According to the Committee of Sponsoring Organizations, “ERM” is defined as the following definition:
“A process, affected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise designed to identify potential events that may affect the entity, to manage risk to be within its risk appetite and to provide reasonable assurance regarding the achievement of entity objectives.”
Notice the process view – that is, risk management is more than a risk management system. Alternatively, ERM is how you address uncertainty around organizational goals.
From an internal audit perspective, inadequate identification of key risks to an organization increases the likelihood of bad events occurring. Improper identification can result in wasting resources on areas of low risk with little reward. Conversely, it can leave a company more exposed to negative events.
Still, even if top management effectively identifies its key risks, the company needs assurance that its response to those risks is effective. An effective response is a crucial part of ERM, and that means attention to the design and operation of internal controls. Indeed, informal responses to key risks increase vulnerability to something going awry. Strong controls must exist and work for ERM to be effective, so enter the internal auditor.
Risk is perfectly fine at an acceptable level, but management must define what that acceptable level is in the interest of achieving the company’s goals. For example, management might challenge the board to define the point at which losses from bad loans become unacceptable. If a $1 million loan goes bad, will the board become concerned? What about a $10 million loan? The specific number tends to change over time, so the question must be asked periodically in order to maintain an understanding of the correct risk appetite. Furthermore, banks face many other potential losses as well and some of them cannot be expressed in pure monetary terms. (Think of the cost of adverse publicity after a customer data theft.)
An ERM audit should determine whether significant risks to the organization are appropriately identified and assessed on an ongoing basis. It should also confirm that the risks are monitored for possible changes, that risk management techniques (insurance, hedging and the like) are in place, and that management can recognize and respond to new risks as they arise.
The audit perspective should also address what would improve the organization’s governance efforts and whether the risk management program proactively contributes to the organization’s results.
THE GUTS OF AN ERM AUDIT
An audit can focus solely on the effectiveness of the ERM program, but it could also be extended to look at ERM efficiency. Auditors can provide assurance that information about risks and the management of them is collected, summarized and reported properly to the appropriate level of the governance structure.
The following are two distinct elements to most ERM audits: evaluating the design and implementing the program as a management system and evaluating the operational practices of the program, including an assessment of risks currently being managed.
In general, internal auditors should assure management and the board that everything that should be done to manage risks is being done.
Auditors should also guide control effectiveness and feedback on managerial decisions and results. Further issues worth considering in an ERM audit include:
- Are the organization’s risk management efforts appropriate to its needs? This includes management’s recognition of, and response to, emerging obligations and opportunities in risk management and corporate governance.
- Has an effective risk management program been developed and implemented? Is accountability well-established and acknowledged by those to be held accountable? Have management and the auditor agreed on the program’s definition?
- Are there appropriate systems, policies, procedures and guidelines related to ERM supported by suitable awareness, training and compliance activities?
- Has the organization embraced the risk management philosophy? Is executive management seen as a strong proponent, and is the consideration of risk an integral part of day-to-day business decisions?
- How successful are the risk management efforts? This is a tricky question to answer given the inherent uncertainties in risk, but a retrospective review of the organization’s identification of and response to risks, including incidents that indicate inadequate controls, should be revealing.
- Does the organization need to increase the understanding of its key risks? What else needs to be done? Has everything necessary been done to get a grip on enterprise-level risks?
It is very important to consider the organization’s environment (e.g., what areas of business the organization operates in and what industry-specific challenges it faces).
INTERNAL AUDIT’S ROLE IN RISK MANAGEMENT
The Institute of Internal Auditors proposes that risk management activities be divided into three main groups. One includes internal auditors providing assurances, as discussed above. A second group includes activities exclusively related to management decisions, such as selecting risk appetite and risk responses. (This second group of risk management activities should not be done by internal audit as they are deemed to be management activities.) The third group includes risk management activities that may be performed by internal audit when there are safeguards in place. Safeguards may be things like changing the internal audit charter to include the added responsibilities and receiving acknowledgments from management regarding their responsibilities.
Fundamentally, enterprise risk management is not a new concept. Organizations have been operating successfully for many years. What perhaps is new is the importance of bringing risk management more formally into the management decision-making process and ensuring that a corporate view of the relationships between risks in different parts of the organization is regularly evaluated and addressed.
Risk management is inherent in every organization. Any manager or employee who has been given objectives will almost unconsciously assess the things that will prevent them from reaching their goal. At a minimum, they will manage those risks in an informal, ad hoc way.
ERM is a high-level formalization of this natural process. As a formal process, it needs a coordinator to draw key risks and current efforts to mitigate them from all areas of the organization. We also need to move from a focus on risk identification to a focus on how best to manage our significant risks. The goal of risk management is not to reduce uncertainty. It is, rather, to help organizations make better decisions and to respond more intelligently when the unexpected inevitably occurs.
The bottom line is that risk management needs to be integrated into the organization’s entire operations from board oversight to senior management’s strategic planning and leadership, to the operating management’s day-to-day operational control. Perhaps this is nothing new but it is certainly important to the organization’s long-term success and worthy of a formal evaluation by internal audit.
CLOSING THOUGHTS
The best approach for your organization may be evaluating the program through a series of audits, completing a high-level assessment of the program and then organizing a series of audits over time to provide assurance coverage in a reasonably sized way.
There are many standards for risk management, and the ISO 31000 standard particularly stands out. When deciding on the criteria to use during the audit, complete a comprehensive survey of best-practice standards for risk management and ensure that the good work of the ISO organization is leveraged.
Learn more about ERM on KnowledgeLeader through the resources listed below:
Strategic Resilience: Are You Among the 30%?
A Look at the Top 2020 Risks
Enterprise Risk Management Capability Maturity Model (CMM)