Enterprise Risk Management
Time for a collaborative effort?
Auditors and risk managers have different perspectives, similar goals
By Michael J. Moody, MBA, ARM
The financial shortcomings of the world economy have been on display for a number of years now, as one crisis follows another. A frequently cited reason for many of these catastrophes has been the failure of corporations to address the myriad challenges of managing business and financial risk. Shareholders, debt holders, employees, regulators, rating agencies and other stakeholders increasingly are expressing concern about these financial disruptions and are demanding that corporations find ways to prevent or mitigate the impact of these financial crises. As a result, corporate boards of directors are under intense pressure to address and resolve these critical issues.
In response to the pressure, many boards are exhibiting heightened interest in enterprise risk management (ERM). The need for a holistic approach to risk management via ERM has motivated organizations such as the Risk and Insurance Management Society (RIMS) to expand their focus and modify their mission in response to the concerns expressed by upper management and boards of directors. However, corporate risk managers are not the only financial professionals who have a vital interest in an expanded view of risk management.
Another corporate function that has become increasingly involved in the expanded role of risk management is internal auditing. According to The Institute of Internal Auditors (IIA), this function plays a critical role in ERM. The IIA defines internal auditing as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations." The IIA adds that the internal auditor's role includes "a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."
In fact, it was the various accounting functions, including internal auditors, who first attempted to articulate the principles of ERM by working directly with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to develop the original ERM Framework in 2004. Subsequent updates to the COSO Framework also involved the IIA, as well as other professional accounting associations.
As ERM standards emerged from both IIA and RIMS, it appeared that the two organizations differed significantly in their views of ERM.
Historically, risk managers have focused on protecting the organization's assets and balance sheet. In contrast, internal auditors typically are concerned with ensuring the efficiency and effectiveness of internal controls. It might seem as if the two organizations have little common ground, but this is not the case.
At its 2012 annual conference in April, RIMS presented an executive report titled "Risk Management and Internal Audit: Forging a Collaborative Alliance." Co-written by RIMS and IIA, the report outlines the reasons for corporate risk managers and internal auditors to work together. According to the report, although the two functions have "different perspectives and terminology," a more detailed analysis shows that the two groups are in fact much closer than was originally believed. The report helps clarify the issue by defining the roles and responsibilities of the internal audit and risk management functions in identifying and managing risks.
To illustrate the advantages of collaboration, the report presents case studies of four major U.S. corporations, each of which takes a different approach to promoting alliances between risk managers and internal auditors. The companies studied were Cisco Systems, Hospital Corporation of America, TD Ameritrade and Whirlpool Corporation.
Each company focused on the following objectives:
• "Link the audit plan and enterprise risk assessment, and share other work product." This provides "assurance that critical risks are being identified effectively."
• "Share available resources wherever and whenever possible." This allows "for efficient use of scarce resources, such as financial, staff and time."
• "Cross-leverage each function's respective competencies, roles and responsibilities" by providing "communication depth and consistency, especially at the board and management levels."
• "Assess and monitor strategic risks" to allow for "deeper understanding and focused action on the most significant risks."
Today, the report points out, all parties agree that "how risks are assessed and managed can materially affect how an organization is positioned to achieve its objectives."
Collaboration between internal auditors and risk managers, the report notes, allows organizations to build a stronger risk practice that will meet stakeholders' expectations. "An effective collaboration and open dialogue results in a more robust view of the entire risk portfolio." All forms of communication, including phone and e-mail, are to be encouraged, the report says, but in-person meetings are strongly preferred.
The report continues: "An overarching common goal of both functions is to position organizations for successful achievement of their respective missions and business objectives." In this regard, the report points out, "the risk management and internal audit roles are complementary."
The report further notes that risk management and internal audit have many of the same stakeholders with the same goal: "maximizing resources while effectively managing risks."
All things being equal, the report says, stronger alliances should provide "efficiencies, better decision-making and improved results." Together, internal auditors and risk managers can build a robust risk capability across the entire organization.
The scope of corporate risk continues to evolve and expand. To assure stakeholders that an organization is maximizing its efforts in risk management, it is essential to enlist all disciplines that can bring value to the process. As we have seen, an excellent example is collaboration between internal audit and risk management.
As an IIA spokesperson points out: "Having these vital risk management and assessment functions collaborate, speak the same language, and leverage one another's perspectives on the business is crucial. The sum is truly greater than their parts."
Michael J. Moody, MBA, ARM, retired as the managing director of Strategic Risk Financing, Inc. (SuRF), a firm that had been established to advance the practice of enterprise risk management. As a regular columnist, he continues to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.