IT IS, PERHAPS, A TESTAMENT to the comprehensiveness and
flexibility of recent practice guidance on the role of internal auditing
in enterprise risk management (ERM) that reasonable minds disagree so
strongly on how that guidance should be put into practice. According to
some experts, one thing is clear in the guidance: Chief audit executives
(CAEs) should not helm their companies' ERM efforts. When they do,
their line of thinking goes, both ERM and internal auditing suffer. On
the other hand, some experts say that the bottom line is making sure
both functions are carried out. If the CAE is the only one willing,
able, and politically powerful enough to get the job done, then he or
she should do it. In the middle, of course, are the experts who say
"guidance" means just that: "guidance." Each company
should have the freedom to implement the guidance however its specific
culture requires.
At issue are the recommendations in two important documents: The
Committee of Sponsoring Organizations of the Treadway Commission's
(COSO's) Enterprise Risk Management--Integrated Framework and
"The Role of Internal Audit in Enterprise-wide Risk
Management," a position paper issued by The IIA in coordination
with the IIA UK and Ireland. A key element of the latter is "the
fan"--a graphic that ranks ERM-related functions by appropriateness
to the internal audit function (see "Internal Auditing's Role
in ERM," this page).
Although the guidance these documents contain is specific enough to
have meaning in any company in any country, it is also general enough
that it can be applied--and the processes it recommends implemented--in
a variety of ways. That generality is the source of the debate
over how rigid the documents' guidelines actually are. Is
"always" appropriate in an increasingly complex global market?
Is "never" appropriate when companies of vastly different
sizes, corporate cultures, values, and missions are trying to accomplish
basically the same goals by basically the same means? Does guidance on
the role of internal auditing in ERM lose its muscle if it's not
followed as close to the letter as possible? Views within the internal
audit profession vary--and most experts' opinions, in fact, vary
from one task to another. Not surprisingly, there are no black-and-white
views on internal auditing's role in ERM any more than there are
black-and-white situations in which to apply those views.
MAINTAINING INDEPENDENCE
At RadioShack Corp. in Ft. Worth, Texas, executives wanted to
create a culture in which risk management was inherent in key business
decisions. They established a team to manage the firm's move to
ERM. Kenneth G. Barna, vice president for internal audit/controls,
represented the internal audit department, and a colleague represented
corporate compliance. The pair co-chaired the ERM-development committee.
"We realized that ERM can't be looked at as a separate
function," Barna says. "It has to be integrated into the
organization's day-to-day operations. We worked with a
representative from strategic planning and used a cross-functional team
approach." In so doing, he says, he learned there are occasions
when an internal audit department with the best of intentions must not
get involved.
One of the trickiest situations, he says, is when a manager with
legitimate responsibility for risk response says, in effect, "Tell
me what I should be doing." It must be the responsibility of
management, not internal auditing, Barna emphasizes, to put together a
draft response to risk. "That," he stresses, "is
absolutely critical." Similarly, he continues, the CAE must demur
if management asks the internal audit department to determine the
company's risk appetite. "One of the risks is when the
internal audit department is highly regarded by the management team and
managers want the auditors to transition from establishing an ERM
framework to actually consulting on it. They'll say, 'Help us
get it done.' But there are certain tasks internal auditing
can't do--developing risk appetite is one of them. Management must
understand the risk and decide on a response that makes sense."
Steve Jameson, formerly assistant vice president for technical
services at The IIA, was directly responsible for drafting the initial
IIA Practice Advisory on the Internal Auditor's Role in Risk
Management and served as The Institute's representative to COSO for
its ERM project. Jameson, who now serves as executive vice president and
chief internal audit and risk officer at Community Trust Bank in
Pikeville, Ky., agrees that the right executives--not the internal audit
department--must own the risk. That can be facilitated, he says, by
making sure the CAE is part of the thought process, but not part of the
decision-making process. "I have internal auditing, loan review,
compliance, and security reporting to me," he explains, "and I
also coordinated the development of our ERM program. During the
development process, regulators asked me how I segregate what I do as
chief auditor and what I do as chief risk officer. And they wanted to
make sure the board knew I had multiple roles. I said, 'I follow
the guidance. I don't own the risk.'" Jameson does that,
he says, by sitting on a lot of committees as a nonvoting member so that
he doesn't impair his independence.
Dominique Vincenti, vice president of The IIA's Global
Practices Center, agrees that independence is the issue. Until ERM is an
ongoing reality at an organization, the CAE can play a developmental
role--auditing the ERM process as it's developed and implemented to
provide assessment and recommendations to make sure things happen the
right way the first time. "That's what the middle portion of
the fan is saying," Vincenti explains. "But once your
organization is mature and has ERM in place, you go back to your
traditional and pure internal audit role. You assess, give assurance,
and evaluate the risk management process--the reporting of risks and the
management thereof."
DEEPER PROBLEMS
Vincenti says that there is no time when it's acceptable for
internal auditing to own the risk. "You have to resist that
strongly," she says. "You have to go to the audit committee
and tell them that you can't implement a program that should be
implemented by management." Indeed, she says, "if a manager
says, 'It's not my job,' you should challenge his or her
continued employment. You cannot implement something that you have the
responsibility to assess." Any conflict with management over ERM
authority, she says, could indicate serious problems. "You can
discuss with senior management alternatives to your heading ERM
implementation that will still put the organization on the right track.
But if you have to do that, it means that you, as CAE, or whoever else
is trying to sell the concept of ERM to senior management, failed,
because management doesn't understand that they are the only ones
who can do it."
Don Espersen, an internal audit consultant and educator based in
St. Paul, Minn., also sees deeper problems when there's
disagreement over ERM program leadership. "If the real owners
haven't recognized that they're the real owners, if the
perception is that it's internal auditing's job, that's a
huge corporate culture issue," he says.
Indeed, says Richard Chambers, director in the internal audit
practice at PricewaterhouseCoopers LLP, Atlanta, there are risks even
when CAEs perform functions permitted in the COSO and IIA guidance.
"One area of concern is the IIA position that internal auditing can
develop--with safeguards--a risk management strategy for board
approval," he explains. "Management should be responsible for
establishing the risk management strategy, not the CAE. Decisions made
to manage risk are clearly a management function." It's
understandable that management would look to internal auditing for
assistance, he notes, because its risk expertise makes it a tempting
repository for ERM responsibilities. "But it would be a significant
mistake to shift those responsibilities exclusively to internal
auditing," Chambers adds. "In addition, experience has shown
that unless management takes ownership of ERM as part of its core
business, it's not effective on a long-term basis."
Jackie P. Cain, technical development director of IIA UK and
Ireland, agrees. "Often, I hear that internal auditors get involved
in implementing ERM because 'there was no one else to do
it,'" she says. "Now, while I have sympathy with that
view--after all, if you know everyone is starving and you know how to
fish, it is tempting to do the fishing for them--that situation is where
internal auditors need to be strong. If no one else will do it, the
organization has not seen the benefit of ERM and will not be ready to
embed the processes and get the most out of it. Internal auditing needs
to undertake more consulting work to persuade people and to facilitate
the introduction of ERM. If it does not, however hard the CAE works, ERM
will not be successful. Internal auditing needs to teach people the
benefit of fishing and then teach them how to fish."
PROVIDING ASSISTANCE
There are plenty of appropriate roles for CAEs in the ERM
development and implementation process. In fact, the experts agree,
there are some functions that internal auditing must carry out lest the
firm waste what amounts to an irreplaceable well of risk management and
program assessment expertise.
COPYRIGHT 2005 Institute of Internal Auditors, Inc. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
NOTE: All illustrations and photos have been removed from this article.