Because of recent corporate frauds and governance issues, investors are demanding more transparency about organizations’ risks. In order to meet these demands, organizations are implementing enterprise risk management (ERM). ERM is a systematic approach to identifying and managing risks throughout an organization. It enables an enterprise to develop steps and allocate resources to manage risks and increase the likelihood that the organization achieves its objectives. ERM helps organizations to understand the interdependencies between risks, improve the execution of their business plan, and understand the level of exposure for the organization. Also enterprises are able to set priorities, allocate resources to mitigate organization-wide risks, monitor risks, and gauge the effectiveness of their actions by using ERM. Internal auditors play a key role in designing and performing the risk assessment needed with ERM.
The first step in the enterprise risk management process is to evaluate the organization’s environment, strategic objectives, culture, and risk tolerance. Understanding the external environment and business strategies is important in determining the risks that the organization faces. Furthermore evaluating the organization’s internal environment is essential to risk management and internal controls. Even though maintaining an appropriate control environment is management’s responsibility, internal auditors can support management in assessing the control environment for any deficiencies or weaknesses that may create risk for the organization.
The next step in the ERM process is developing a comprehensive framework to identify risks and prioritize them. Internal audit assists with developing the framework through understanding the organizations’ objectives and talking with key shareholders. Continuously improving the risk framework is crucial in an ever-changing environment, and these changes need to be approved by management.
Typically, risk evaluation considers two dimensions of a risk: likelihood and impact. While an organization needs to prepare for risks with these two aspects in mind, many believe that potential relevant impacts should be more heavily weighted. A huge challenge to risk assessment is determining the relevant risks that should be constantly reevaluated and reviewed.
An organization must choose how it wants to mitigate risks. The options to mitigate risks are avoidance, transference, or retention. Risk is extremely important and should be considered in an organization’s decisions. An organization needs to determine its risk appetite and tolerance for different situations and look at the possible effect on the organization. By determining how prepared the organization is for high-impact and low-impact risks, audit resources can be deployed appropriately to the different areas to provide reasonable assurance.
Internal auditing plays a critical role in testing and confirming the organization’s assessment of its preparedness for relevant, high-impact risk events. Auditors should assess the organization’s preparedness as part of the audit planning process.
Risk Intelligence Systems
Lately, organizations are starting to understand the importance of gathering information about risk intelligence within the company. This process takes a lot of planning and maintenance to collect the information continuously. Therefore organizations have started building central risk nervous systems and maintaining them. By using ERM, companies can implement a central risk nervous system that can systematically identify risks and potential exposures, take counteractive actions earlier, and learn from those actions. Risk intelligence can benefit an organization by enabling the company to make better decisions by understanding the potential consequences of various choices and improve the company’s vigilance to identify and respond to risk events.
Besides evaluating the risk environment, organizations need to continuously monitor their risk tolerances and thresholds to successfully manage their risk. Monitoring can determine potential problematic situations before they reach a crisis threshold. Management and internal auditing should be monitoring essential performance measures to identify process and system unpredictability quickly and determine how to obtain reasonable assurance about the effectiveness of risk management. ERM can help in this capacity.
To maintain an effective ERM system, the risk infrastructure needs to include management’s policies and procedures and methods to communicate increasing risks and the effectiveness of risk management across the entire organization. The risk infrastructure should improve the organization’s preparedness to address risk by including the following:
- A risk management policy that defines risk, risk tolerances, corporate governance and oversight, responsibilities, and accountabilities.
- Risk-management methods for identifying risks, evaluating and prioritizing risks, mitigating and controlling risks, monitoring, and reporting.
- The risk organization structure including experts and leaders, oversight committees, how risk-management functions are integrated, and executive sponsorship and commitment.
- Methods on how to monitor and report risk, evaluate risk, control activities, and related assurance activities.
- Support capabilities including information tools, risk-event databases, risk analysis and modeling, training of management, and management change capabilities. In order for ERM to be successful a proper foundation is necessary.
This includes the development of risk-management policies and procedures, training, risk databases and knowledge, and continuous collection of information and communication concerning emerging risks. ERM needs to be built into the organization rather than just attached to the traditional risk management structure. ERM must be implemented as management’s way to manage risks and do business successfully.
Implementing an ERM system is definitely hard work but the benefits do pay off. With the increasing volatility and integration of risks from different areas, an organization-wide risk management structure is essential to achieving assurance concerning the reliability of risk management processes and systems. Internal auditing is crucial to providing such assurance and it should incorporate a risk-based approach to audit planning and assess impact and preparedness.