That's not just a good idea, he continues, it's a necessity. "CAEs must become advocates for ERM within their organizations," he stresses. "Much as we did for strong and effective systems of internal control in the past, we must champion the value of ERM to our boards and senior management. Where ERM has not been implemented, we must share the results of our annual internal audit risk assessments as further evidence of the potential value of ERM."

Roger W. Raber, chief executive officer (CEO) and president of the Washington, D.C.-based National Association of Corporate Directors, says boards feel the same way about the contributions internal auditing should be making to ERM. "The best way to ensure that internal auditing plays the most useful role possible in risk management is to involve the appropriate committees of the board of directors," Raber says. "At a minimum, that would be the audit committee. Internal auditing can assist the committee in the governance process by coordinating with management the identification of key risks, controls, and processes, as well as monitoring mechanisms. Internal auditors also can be helpful by conducting and reporting on the results of continuous risk assessment, the status of the organization's system of internal control, special studies and investigations, and other matters of interest to the committee."

ASSURANCE IS KEY

Cain agrees that a key role for CAEs in ERM is making sure the right information gets to the audit committee. "The most important part of internal auditing's fundamental role is providing the organization with assurance on governance, risk management, and internal control processes," she stresses. "Therefore, one core role for CAEs is providing objective assurance to the board and the audit committee that ERM processes are working effectively--that risks are being identified and dealt with properly." In the United Kingdom and Ireland, she adds, the ERM framework is fundamental to audit work on internal controls as well because it defines what is meant by effective control: Control is effective if it manages risks to the level approved by the board. "Therefore, to do its work on internal control, internal auditing needs to understand the ERM framework so it can be sure risks are being identified and so it understands the organization's risk appetite and tolerance," she says.

There are ways to carry out those important tasks without risking internal auditing's independence, Barna adds. "In the beginning, we were heavily involved in setting the ERM program's objectives," he reports. "One thing we did was facilitate a dialogue between management and the board. We also conducted a high-level risk assessment. We looked at how we could engage management as much as possible in it, starting with the CEO and president. We gave them tools--but we didn't make the assessment ourselves. One of the things we were careful of was that management owned the risk. As we went through the risk assessment and discussion with management and later went into facilitative workshops to prioritize risk, we assigned all the ownership components to other parts of the company, but not to internal auditing or compliance."

It's important to go to the trouble of contributing without owning, he emphasizes, so as to fully use the corporation's already-owned internal risk management expertise. "To me," Barna comments, "it seems that if the board and executive management look at internal auditing as functional experts in the area of risk, for us to not be active participants in championing ERM, we're selling ourselves short in helping the company. Establishing goals and objectives is a critical phase of ERM implementation, and it's where internal auditing can contribute the most."

THE GRAY AREAS

Indeed, the problem with melding ERM and internal auditing isn't generally finding areas where CAEs can contribute; it's making sure they don't contribute too much. And therein, of course, lies the rub. It's easy to say that internal auditing must offer advice and monitoring. And it's easy to say that internal auditing must not own risk or make risk management decisions on management's behalf. But how do those obligations and proscriptions play out in the real world? The view on the ground is far, far less clear.

For example, Jameson points out that there are companies that don't have risk managers, let alone risk management departments. Can internal auditing step up to the plate and take on the ERM process? Yes, he says. "You still want to try to avoid internal auditing being the owner of the risk and making the ultimate decisions," he points out, "but CAEs might be tapped to do more things to get ERM started with the long-term goal of turning over parts or pieces to other risk owners or champions. It's probably better if internal auditing steps up and does more than if nobody does anything."

Barna sees a specific gray area in the fan. "To me, the initial high-level business risk assessment is something where, if there are reasonable safeguards, internal auditing can play an appropriate role," he says. "However, once the risks are identified, there is often pressure to be part of the solution. That's where CAEs have to be very careful about balancing management's risk appetite and the appropriate role of internal auditing.

"When management starts to pressure internal auditing for greater involvement, it can beg off but still provide support," he continues. "If you're doing a one-time business risk assessment, you probably can fudge the rules. But that's not ERM. It's not ERM until you embed the process into how the company does business. We used the COSO and IIA documents as guidance, but we tweaked and customized them as we went. There is no one solution that fits every organization."

But CAEs need to be careful in those situations, he stresses. "The handoff becomes extremely difficult if you wait until ERM is implemented. That's why I wanted a three-person team. That way we could start to have the logical risk owners involved in the process early on."

Even Vincenti, a relative hardliner on internal auditing's role in ERM, sees some gray in the landscape. "The guidance is premised on organizations having a risk management process," she says. "The situation in real life is that many don't. That's where the role of internal auditing can change and evolve with the maturity of the organization."

Espersen agrees. "How ERM is implemented depends on what's best for the organization," he says. "It's going to depend on the capabilities within the organization and of the people running the audit department. A large organization might be able to integrate ERM into the governance process, meaning internal auditing could stay back independently. But small companies probably will not have as many resources, and it's thus more likely that the internal auditor would take a more active role in ERM."

In those cases, he adds, the CAE needs to appreciate that others in the organization might actually be better equipped to manage the job. "Internal auditing needs to look for other people in the organization who have a legitimate claim to risk ownership and who have as much ability as they do to run the ERM process," he comments. "If they don't, if they instead take on the risk and burn bridges and usurp the ERM function, there's going to be hell to pay."

"The important thing is that ERM is implemented, not who implements it," stresses Terry Cunnington, director of risk management at a firm in London that owns stock and derivatives exchanges and immediate past president of The IIA UK and Ireland. "A lot of organizations don't have risk management departments, so internal auditing can expand its role by facilitating risk workshops, maintaining and evaluating the company's risk management framework, acting as a coordinating point for ERM, and championing it.

"Some companies figure, 'We've been so successful at integrating ERM with internal auditing, what's the point of handing it over if it works?'" Cunnington continues. "I've seen companies do that very successfully without compromising the CAE's independence. It can work with the necessary safeguards and can increase the profile and effectiveness of the internal audit group." The issue, he stresses, is "what works best in your own organization."

PLAYING THE RIGHT ROLE

The bottom line, the experts agree, is making sure one fundamental safeguard is in place: CAEs should never own risk. Apart from that essential protection, however, there is in the guidance considerable room for flexibility regarding how ERM is implemented and by whom, provided CAEs pay due attention to the recommendations in the fan and use common sense in integrating the many hats they may be asked to wear. The key is making sure management plays its appropriate role, allowing internal auditing to focus on its own.

To comment on this article, e-mail the author at rjackson@theiia.org.

RELATED ARTICLE: The Best Fit

It is not news that an organization's culture plays a crucial role in the implementation of ERM. Dysfunctional cultures have been blamed for everything from catastrophes, such as space shuttle disasters, to corporate scandals. Multiple studies have identified organizational culture as a top barrier to ERM implementation. The question is, "What is it about the culture that gives it such sway over managing risk organizationwide?"

It is almost redundant to say an organization needs a strong "ethical climate," a "mature risk culture," or a "culture of compliance" for successful ERM deployment. To understand the relationship between culture and ERM, one must characterize an organization's culture at a more fundamental level.

Over the years, management theorists have devised a variety of models for describing organizational culture. One model that appears to address issues of interest to ERM deployments was developed by Dr. Ronda Reigle in 2003. This model assesses an organization's culture based on a continuum ranging from "mechanistic" to "organic."

COPYRIGHT 2005 Institute of Internal Auditors, Inc. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.

Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.
