Assessing ERM Programs
In light of some of the recent failures of financial services and other companies around the globe, growing political unrest, and massive natural disasters, one of the greatest risks an organization faces is the lack of an effective ERM program. As boards continue to increase their expectations for management to design and implement effective enterprise-wide risk management programs, they have an increasing need for objective assessments of the effectiveness of those programs. The June 2011 cover story article in Internal Auditor, highlights the role of internal audit in providing those assessments for the board.
The article highlights a series of questions that internal audit may want to consider as they assess the effectiveness of management’s ERM processes. Here are examples of some of the issues to be considered:
1. Was an acceptable standard or framework followed?
2. What is the nature of risks that need to be managed to achieve objectives?
3. What do key external stakeholders expect?
4. How often do risks need to be identified and assessed?
5. Who needs risk information, in what form, and in what frequency?
6. How frequently do new risks emerge or levels of existing risks change?
7. How close are existing risks to the organization’s tolerance for accepting those risks?
The article points out that there are some existing risk management related maturity models that may be useful to the auditor’s evaluation of the strength of management’s processes. A maturity model can be a useful tool for measuring the organization’s progress from a non-existent program to a fully-developed and mature risk management program.
To participate in these assessments, internal auditors need to consider whether they are competent to perform an audit of risk management. There is a great deal of information on ERM that can provide a wealth of information that may be useful. Internal auditors, however, may determine they need to seek more formal training on ERM before they are prepared to provide the type of assessment needed by the board and senior management.
Visit the website of The Institute of Internal Auditors to purchase a copy of this article.
Source: Norman Marks, “Navigating Risk Management”, Internal Auditor, June 2011, pp. 26-33.