Everyone talks about the need for good risk-management programs, but nobody seems to know how to audit them to ensure they actually work.

Who bears responsibility for setting the parameters of an ERM program is pretty clear: the board of directors and the C-level executives. They decide what the risks are, what level of risk they’re willing to tolerate, and what risks they do not want to tolerate. They are responsible for monitoring and responding to ERM outputs and obtaining assurance that the organization’s risks are acceptably managed within the boundaries specified. Also remember that risk management is not an end in itself; it has value only if it assists a company to achieve its business objectives over the long term.

Internal auditors, in both their assurance and consulting roles, contribute to ERM in a variety of ways. They spend most of their time assessing how effectively management has responded to key risks by developing adequate operations and control structures. Fundamentally, the audit team provides the board and management with an objective assessment of the company’s ERM efforts, including where the company can improve.

Why Care Whether ERM Works?

According to the Committee of Sponsoring Organizations, ERM is “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and to provide reasonable assurance regarding the achievement of entity objectives.” Notice the process view—that is, risk management is more than a risk-management system. Or, as a friend of mine puts it, ERM is how you address uncertainty around organizational goals.

From an internal audit perspective, inadequate identification of key risks to an organization increases the likelihood of bad events occurring. Improper identification can result in wasting resources on areas of low risk with little reward. Conversely, it can leave a company more exposed to negative events. (An example from the financial industry: At banks and mortgage companies, how much of a priority did the boards place on oversight of lending activities? Not much, I’d say, and look where it got them.)

Still, even if top management effectively identifies its key risks, the company needs assurance that its response to those risks is effective. Effective response is a crucial part of ERM, and that means attention to the design and operation of internal controls. Indeed, an informal response to key risks increases your vulnerability to something going awry. Strong controls must exist and work for ERM to be effective—so, enter the internal auditor.

Risk is perfectly fine at an acceptable level, but management must define what that acceptable level is in the interest of achieving the company’s goals. Using another banking example, management might challenge the board to define the point at which losses from bad loans become unacceptable. If a $1 million loan goes bad, will the board become concerned? What about a $10 million loan? The specific number tends to change over time, so the question must be asked periodically to maintain an understanding of the correct risk appetite. Furthermore, banks face many other potential causes of loss as well, and some of them cannot be expressed in pure dollar terms. (Think of the cost of adverse publicity after a customer data theft.)

An audit of ERM should determine whether significant risks to the organization are appropriately identified and assessed on an ongoing basis. It should also confirm that those risks are monitored for possible changes, that risk-management techniques (insurance, hedging, and the like) are in place, and that management has the ability to recognize and respond to new risks as they arise.

The Guts of an ERM Audit

An audit can focus solely on the effectiveness of the ERM program if you want, but it can also be extended to look at ERM efficiency. Auditors can provide assurance that information about risks and the management of them is collected, summarized, and reported properly to the appropriate level of the governance structure.

There are two distinct elements to most ERM audits: evaluating the design and implementation of the program as a management system and evaluating the operational practices of the program, including an assessment of the risks currently being managed.

In general, internal auditors should assure management and the board that everything that should be done to manage risks is being done. Auditors should also provide guidance on control effectiveness and feedback on managerial decisions and results. Further issues worth considering in an ERM audit include:

Are the organization’s risk-management efforts appropriate to its needs? This includes management’s recognition of, and response to, emerging obligations and opportunities in risk management and corporate governance.

Has an effective risk-management program been developed and implemented? Is accountability well established and acknowledged by those to be held accountable? Have management and audit agreed on the program’s definition?

Are there appropriate systems, policies, procedures, and guidelines relating to ERM, supported by suitable awareness, training, and compliance activities?

Has the organization embraced the risk-management philosophy? Is executive management seen as a strong proponent, and is the consideration of risk an integral part of day-to-day business decisions?

How successful are the risk-management efforts? This is a tricky question to answer given the inherent uncertainties in risk, but a retrospective review of the organization’s identification of and response to risks, including incidents that indicate inadequate controls, should be revealing.

Do we need to increase the understanding of our key risks and what else needs to be done? Have we done everything necessary to get a grip on enterprise-level risks?

Internal Audit’s Role in Risk Management

The Institute of Internal Auditors proposes that risk-management activities be divided into three groups. One includes internal auditors providing assurances as discussed above. A second group includes activities exclusively related to management decisions, such as selecting risk appetite and risk responses. (This second group of risk-management activities should not be done by internal audit as they are deemed to be management activities.) The third group includes risk management activities that may be performed by internal audit when there are safeguards in place. Safeguards may be things like changing the internal audit charter to include these added responsibilities and receiving acknowledgements from management regarding their responsibilities.

Fundamentally, enterprise risk management is not a new concept. What perhaps is new is the importance of bringing risk management into the management decision-making process and ensuring that a corporate view of the relationships between risks in different parts of the organization is regularly evaluated and responded to.

Risk management is inherent in every organization. Any manager or employee who has been given objectives will almost unconsciously assess the things that will prevent them from reaching their goal. At a minimum they will manage those risks in an informal, ad hoc way. ERM is a high-level formalization of this natural process. As a formal process, it needs a coordinator to draw key risks, and the current efforts to mitigate them, out of all areas of the organization. We also need to move from a focus on risk identification to a focus on how best to manage our significant risks. Finally, the goal of risk management is not to reduce uncertainty. It is, rather, to help organizations make better decisions and to respond more intelligently when the unexpected inevitably occurs.

The bottom line: Risk management needs to be integrated into the organization’s entire operations from board oversight to senior management’s strategic planning and leadership to the operating management’s day-to-day operational control. And perhaps this is nothing new, but certainly it is important to the organization’s long-term success and worthy of a formal evaluation by internal audit.