Everyone talks about the need for good risk management programs, but nobody seems to know how to audit them to ensure they actually work. Who bears responsibility for setting the parameters of an enterprise risk management (ERM) program is pretty clear: the board of directors and the C-level executives. They decide what the risks are, what level of risk they’re willing to tolerate and what risks they do not want to tolerate. They are responsible for monitoring and responding to ERM outputs and obtaining assurance that the organization’s risks are acceptably managed within the boundaries specified.
Remember that risk management is not an end in itself; it has value only if it helps a company achieve its long-term business objectives. Internal auditors, in both their assurance and consulting roles, contribute to ERM in various ways. They spend most of their time assessing how effectively management has responded to key risks by developing adequate operations and control structures. Fundamentally, the audit team provides the board and management with an objective assessment of the company’s ERM efforts, including where the company can improve.
WHY CARE WHETHER ERM WORKS?
According to the Committee of Sponsoring Organizations, ERM is:
“… a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and to provide reasonable assurance regarding the achievement of entity objectives.”
Notice the process view – that is, risk management is more than a risk management system. Alternatively, as a good friend of mine puts it, ERM is how you address uncertainty around organizational goals.
From an internal audit perspective, inadequate identification of key risks to an organization increases the likelihood of bad events occurring. Improper identification can result in wasting resources on areas of low risk with little reward. Conversely, it can leave a company more exposed to negative events. (An example from the financial industry: at banks and mortgage companies, how much of a priority did the boards place on oversight of lending activities? Not much, I’d say, and look where it got them.)
Still, even if top management effectively identifies its key risks, the company needs assurance that its response to those risks is effective. An effective response is a crucial part of ERM, and that means attention to the design and operation of internal controls. Indeed, an informal response to key risks increases vulnerability to something going awry. Strong controls must exist and work for ERM to be effective, so, enter the internal auditor.
Risk is perfectly fine at an acceptable level, but management must define what that acceptable level is in the interest of achieving the company’s goals. Using another banking example, management might challenge the board to define the point at which losses from bad loans become unacceptable. If a $1 million loan goes bad, will the board become concerned? What about a $10 million loan? The specific number tends to change over time, so the question must be asked periodically in order to maintain an understanding of the correct risk appetite. Furthermore, banks face many other potential causes of loss as well, and some of them cannot be expressed in pure monetary terms. (Think of the cost of adverse publicity after a customer data theft.)
An audit of ERM should determine whether significant risks to the organization are appropriately identified and assessed on an ongoing basis. It should also confirm that those risks are monitored for possible changes, that risk management techniques (insurance, hedging and the like) are in place, and that management has the ability to recognize and respond to new risks as they arise.
The audit perspective should also address what would improve the organization’s governance efforts and whether or not the risk management program proactively contributes to the organization’s results.
THE GUTS OF AN ERM AUDIT
An audit can focus solely on the effectiveness of the ERM program, but it could also be extended to look at ERM efficiency. Auditors can provide assurance that information about risks and the management of them is collected, summarized and reported properly to the appropriate level of the governance structure.
There are two distinct elements to most ERM audits: evaluating the design and implementation of the program as a management system, and evaluating the operational practices of the program, including an assessment of the risks currently being managed.
In general, internal auditors should assure management and the board that everything that should be done to manage risks is being done.
Auditors should also provide guidance on control effectiveness and feedback on managerial decisions and results. Further issues worth considering in an ERM audit include:
Are the organization’s risk management efforts appropriate to its needs? This includes management’s recognition of, and response to, emerging obligations and opportunities in risk management and corporate governance.
Has an effective risk management program been developed and implemented? Is accountability well-established and acknowledged by those to be held accountable? Have management and audit agreed on the program’s definition?
Are there appropriate systems, policies, procedures and guidelines relating to ERM, supported by suitable awareness, training and compliance activities?
Has the organization embraced the risk management philosophy? Is executive management seen as a strong proponent, and is the consideration of risk an integral part of day-to-day business decisions?
How successful are the risk management efforts? This is a tricky question to answer given the inherent uncertainties in risk, but a retrospective review of the organization’s identification of and response to risks, including incidents that indicate inadequate controls, should be revealing.
Does the organization need to increase the understanding of its key risks? What else needs to be done? Has everything necessary been done to get a grip on enterprise-level risks?
It is very important to consider the organization’s environment, i.e., what areas of business the organization operates in and what industry-specific challenges it faces.
INTERNAL AUDIT’S ROLE IN RISK MANAGEMENT
The Institute of Internal Auditors proposes that risk management activities be divided into three main groups. One includes internal auditors providing assurances, as discussed above. A second group includes activities exclusively related to management decisions, such as selecting risk appetite and risk responses. (This second group of risk management activities should not be done by internal audit as they are deemed to be management activities.) The third group includes risk management activities that may be performed by internal audit when there are safeguards in place. Safeguards may be things like changing the internal audit charter to include these added responsibilities and receiving acknowledgements from management regarding their responsibilities.
Fundamentally, enterprise risk management is not a new concept; organizations have been operating successfully for many, many years. What perhaps is new is the importance of bringing risk management more formally into the management decision-making process and ensuring that a corporate view of the relationships between risks in different parts of the organization is regularly evaluated and addressed.
Risk management is inherent in every organization. Any manager or employee who has been given objectives will almost unconsciously assess the things that will prevent them from reaching their goal. At a minimum, they will manage those risks in an informal, ad hoc way.
ERM is a high-level formalization of this natural process. As a formal process, it needs a coordinator to draw key risks and current efforts to mitigate them from all areas of the organization. We also need to move from a focus on risk identification to a focus on how best to manage our significant risks. The goal of risk management is not to reduce uncertainty. It is, rather, to help organizations make better decisions and to respond more intelligently when the unexpected inevitably occurs.
The bottom line: risk management needs to be integrated into the organization’s entire operations from board oversight to senior management’s strategic planning and leadership, to the operating management’s day-to-day operational control. Perhaps this is nothing new, but it is certainly important to the organization’s long-term success and worthy of a formal evaluation by internal audit.
The best approach for your organization may be to evaluate the program through a series of audits: complete a high-level assessment of the program first, then organize a series of audits over time to provide assurance coverage in reasonably sized pieces.
There are many standards for risk management; the ISO 31000 standard particularly stands out. When deciding on the criteria to be used during the audit, complete a comprehensive survey of good-practice standards for risk management and ensure that the good work of the ISO is leveraged.
This article was written by Dan Swanson and originally appeared on the KnowledgeLeader website.