Organizations of all types and sizes need to leverage their investment in financial controls and regulatory compliance to develop new strategies that manage the other risks that could affect strategic goals and objectives.

Most organizations already have some basic types of risk management activities in place. These may include activities such as risk assessments and compliance audits by internal audit or existing fraud detection programs. By aligning and enhancing existing activities, organizations can move to a cohesive enterprise risk management program. This article discusses how an organization can implement an effective ERM program and how internal audit can optimize its value by taking a major role in the ERM effort.



Internal auditors have the training and experience to identify and assess risk, and they have a broad view of their organization. This group is in an ideal position to take a key role in the ERM process. What exactly is that role, and what ERM activities can internal audit undertake while maintaining its independence and objectivity?

To address these questions, the Institute of Internal Auditors (IIA) issued a position paper, The Role of Internal Auditing in Enterprise-wide Risk Management. According to the IIA, internal auditing's core role with regard to ERM is to provide objective assurance to the board on the effectiveness of the organization's risk management. The IIA emphasizes that the board and management are responsible for risk management itself; internal audit's role is to provide assurance on the process management uses and to consult on ERM, provided that doing so does not jeopardize internal audit's independence and objectivity. To clarify that boundary, the IIA's paper gives examples of roles internal audit may undertake in ERM and roles it should not.

Implementing ERM is not a cookie-cutter exercise, and the specific steps will vary from organization to organization. The following are general steps for developing a broad ERM program.

1. Enlist top-level support. The internal environment, or "tone at the top," sets the basis for how risk is viewed and addressed by the people in an organization. This includes the organization's risk philosophy, risk appetite, ethical values, integrity, and the environment in which they operate.

To successfully manage risk, the board and top-level management must foster an internal environment that sets the foundation for ERM activities, and then oversee ERM development and implementation. It is beneficial to form an ERM steering committee as part of this effort, and there should be a well-respected, top-level manager responsible for ongoing ERM leadership. In many instances, the chief audit executive will be on the steering committee and work closely with the group.

2. Communicate the objectives. One common factor among organizations with successful ERM programs is that risk management is viewed as a key business issue. As such, it is incorporated into strategic planning. To get organizational buy-in on risk management as a strategic initiative, management needs to ensure that ERM objectives are communicated throughout the organization and that key personnel understand the link between strategic goals and how managing risks can affect achieving those goals.

3. Establish an appropriate framework. A well-designed ERM program needs a conceptual framework that provides an overview of an organization's risk management principles. The framework should document risk management policies, attitudes toward risk, risk appetite, the types and levels of risk that are acceptable, responsibilities for risk management, reporting and monitoring timetables, and how communication within the organization will be handled.

Several models are available. Two widely used models that are readily adaptable to an organization's specific needs are COSO's Enterprise Risk Management - Integrated Framework, together with its companion guide Embracing Enterprise Risk Management: Practical Approaches for Getting Started, and ISO 31000, the International Organization for Standardization's Risk Management - Principles and Guidelines. COSO is widely used in the United States because the Securities and Exchange Commission has cited COSO's internal control framework as suitable for reporting on internal control over financial reporting, and COSO's ERM framework builds on that same foundation. The COSO ERM framework outlines eight interrelated components of ERM. ISO 31000 is the first global standard for risk management and is becoming widely adopted internationally; it is intended to be generally applicable to a wide range of activities, decisions and operations, and, like the COSO model, it provides a framework for evaluating the elements of ERM. When management is selecting or developing its ERM framework, internal audit can advance the effort by working with the organization's other risk groups to develop and promote a common risk management language.

4. Identify events and determine risk appetite. Once risk management policy issues are addressed, the board and senior management need to identify potential events that could affect the organization's ability to execute strategy.

Thoroughness in event identification is critical. It should include consideration of external sources such as economic, environmental, political, demographic and technological factors, as well as internal sources such as those associated with business processes, infrastructure, human capital, information technology, and legal risks. The relationships among risks across the organization should also be identified, since one event can trigger or amplify another. It is then necessary to decide whether these events represent opportunities, which should be channeled back into strategy setting, or risks that will require management assessment and response. Next, the board and management need to set a risk appetite, the level of risk the organization is willing to accept in pursuit of its objectives. Risk appetite may be set for the organization as a whole, a business unit, a line of business, a business process, a geographic area, or a combination of these.

5. Assess and measure. Management must develop a process to assess and measure previously identified risks in terms of severity and likelihood. There are both qualitative and quantitative approaches used for this process, and some consider risk assessment to be more of an art than a science.

Many organizations start by obtaining a top-down view of the most important risk exposures from board members and executive management across the organization. Quantitative assessment methods include benchmarking against others in the industry or using probabilistic models. Risk severity is typically measured as high, medium or low, and likelihood of occurrence is estimated as unlikely, possible or probable. In light of some of the catastrophic events of the past few years - such as 9/11, Hurricane Katrina, and the tsunami-induced nuclear disaster in Japan - some organizations now expand severity and likelihood of occurrence to include an assessment of vulnerability to risks and the level of preparedness.

Whatever method is selected, the assessment should be concise, use consistent terminology, have a rating system, and have clarity in message. While it is management's responsibility to conduct a risk assessment, internal audit can expedite this effort by expanding its annual risk assessment to develop an ERM assessment process that includes strategic risks embedded in the organization's strategies and risks related to governance.



6. Develop risk responses. Once the risk identification and assessment processes are complete, management must decide on risk responses that align with the organization's risk appetite and develop plans to address any gaps in those responses. Typical risk-response options include the following:

Accepting the risk and monitoring it on a regular basis;

Avoiding the risk by divesting, eliminating the process, or stopping the action causing the risk;

Reducing the risk by changing processes or controls; or,

Transferring the risk by insurance, hedging or outsourcing.



7. Select control activities. Management will need to consider what control systems are in place to ensure that risk responses and other directives are carried out, and what additional controls will be needed where they are not already in place. The controls selected will depend on the organization's risk appetite and on an analysis of how much risk each control mitigates against the cost of achieving that level of mitigation.



8. Monitor the process. An important element of a well-functioning ERM program is monitoring of the risk management process itself, to maintain confidence in its ability to provide relevant risk information. Individual ERM components should be monitored on an ongoing basis, through separate evaluations, or through a combination of both.

Ongoing ERM monitoring should occur in the normal course of management. The scope and frequency of separate evaluation of components will depend on the assessment of the effectiveness of risk management activities. Monitoring and review should be done by risk owners, management and the board. Since internal audit is typically part of the overall monitoring of control systems, it can expand this role to periodically provide an independent and objective review of risk management processes.



9. Report and communicate. Boards and management require relevant and timely information about key risks, so effective reporting and transparent communication of results are a necessity. An effective reporting system should summarize, for each identified risk, the controls in place to mitigate it, a performance measure or narrative indicating how well the target is being met, whether and when corrective action is needed, any corrective action already taken, and the issues that require management action.

Internal audit can customize its reporting to meet an organization's needs. For example, internal audit might issue more consultative types of reports for organizations just beginning an ERM program, or it might perform audits and issue assurance reports for organizations with more mature ERM processes.



An ERM process is critical for an organization to successfully assess, address and monitor risk. The steps presented above can help an organization implement a broad ERM program while, at the same time, leveraging its investment in, and the knowledge contained within, its internal audit function.


Margaret O'Reilly-Allen, CPA, Ph.D., is accounting department chair at Rider University in Lawrenceville, N.J. Lawrence Mawn, CPA, CIA, is a director with Deloitte & Touche LLP. Reach him at lmawn@deloitte.com. Reprinted with permission from The Pennsylvania CPA Journal.
