In light of some of the recent failures of financial services and other companies around the globe, growing political unrest, and massive natural disasters, one of the greatest risks an organization faces is the lack of an effective ERM program. As boards continue to increase their expectations for management to design and implement effective enterprise-wide risk management programs, they have an increasing need for objective assessments of the effectiveness of those programs. The June 2011 cover story article in Internal Auditor authored by Norman Marks, highlights the role of internal audit in providing those assessments for the board.
The article highlights a series of questions that internal audit may want to consider as they assess the effectiveness of management’s ERM processes. Here are examples of some of the issues to be considered:
1. Was an acceptable standard or framework followed?
2. What is the nature of risks that need to be managed to achieve objectives?
3. What do key external stakeholders expect?
4. How often do risks need to be identified and assessed?
5. Who needs risk information, in what form, and in what frequency?
6. How frequently do new risks emerge or levels of existing risks change?
7. How close are existing risks to the organization’s tolerance for accepting those risks?
The article points out that there are some existing risk management related maturity models that may be useful to the auditor’s evaluation of the strength of management’s processes. A maturity model can be a useful tool for measuring the organization’s progress from a non-existent program to a fully-developed and mature risk management program.
To participate in these assessments, internal auditors need to consider whether they are competent to perform an audit of risk management. There is a great deal of information on ERM that can provide a wealth of information that may be useful. Internal auditors, however, may determine they need to seek more formal training on ERM before they are prepared to provide the type of assessment needed by the board and senior management.
Visit the website of The Institute of Internal Auditors to purchase a copy of this article.
Read ERM articles as soon as we post them
Keep up-to-date with current developments in ERM. Subscribe to the ERM Newsletter.
- Overview of World Economic Forum’s Recent Worldwide Risk Assessment
- Assessing and Managing Risks Related to Intangible Assets
- Roadmap for Compensation Risk Assessment: Consequences – Unintended or Not
- Six Sigma and Risk Assessments
- Seven Question Guide to Assessing Your Enterprise Risk Management Practices
- Financial Industry Assesses Role of Risk in Credit Crisis
- Assess the Risks – Key Strategies for Overseeing Derivatives
- Assessing ERM Practices
- Integrating Compliance and Ethics in Risk Assessment Agenda
- Assessing Risks Before Outsourcing