Building the Case for ERM

For a while, I have been thinking about the value of enterprise risk management (ERM) and why it is not embraced by every top executive. Last night, I was privileged to speak at the Institute of Risk Managers in London. I was asked for my views on this very subject. My answer to the risk officers who were present was along the lines of my latest post on my personal blog.

But, while most of the onus for changing the hearts and minds of top executives should be borne by chief risk officers, internal auditors should be helping to drive the message home.

This is what I suggest for internal auditors:

  1. Make sure, through your powers of advocacy and persuasion, that the risk management program becomes a department of "how" (as explained in the blog). The individual running ERM has to have an attitude of enabling optimized performance, instead of being the corporate Cassandra.
  2. Add your voice in support of the role of risk management as an essential contributor to corporate success, not just protection.
  3. Help the risk managers get involved with executives where they can help that individual succeed. Help them build a record of wins.
  4. Tell the stories of success. Nothing succeeds like success. Spread the news so people can believe in the power and potential of risk-based decisions.
  5. Be an advocate for the risk officer being present at the executive table, a contributor to the development and monitoring of strategy, etc.

As I have said before, I believe CAEs and other senior internal auditors should be the rock stars of change — driving initiatives such as ERM into the organization. But we should not be satisfied when the ERM program is in place. There is a lot we can and should do to make sure it succeeds.

Do you agree?

Posted on Oct 28, 2010 by Norman Marks


  1. Norman,

    In your blog you note the need to change the tone of risk and talk about opportunity. In my opinion talking about opportunity rather than threat will only get us half-way there. However it is a good step that many still need to take. Yet, the more pressing and perpetuating problem is a different perspective of risk and management.

    Most of us see RISK management, but most operational folks see MANAGEMENT of risk. So we present them with reporting focused on RISKS TO BE MANAGED and it doesn't fit within what they are managing, so they think we expect them to create a separate process, which they resist. We get frustrated, but it is our own fault for not seeing it from their side.

    Risk is a sub-set of business objectives, as its meaning comes from its ability to impact them. Management manages business objectives, not risk. So we must link to what is at risk (objectives) and describe in their language why. In this context risk has two sides. On one side it is vulnerability due to the strength of management's response to their objectives, and on the other it is threat (what we are more familiar with). Vulnerability is measured by the maturity of the people, process and technology in place to achieve the objective. Threat is measured on the likelihood of its occurrence. Residual risk can only be found when defining the objective, its current state of vulnerability and threat. That information means something to management. Yes, we need them to understand how we can help achieve objectives, but then we need to show it in our reporting of the current state of residual risk.

    My humble opinion,
  2. Norman:

    I agree with Dan. In my experience a significant amount of work done by internal audit is process- or control-centric, not objective-centric. This has been reinforced in many companies via their SOX 404 approach.

    I believe that if more internal auditors did their audits/assessments starting with one or more agreed end-result business objectives, and they focused on seeking agreement with management on the current residual risk status, not their definition of how much control is enough or adequate, management would embrace risk management as a tool to help ensure achievement of objectives.

    Seeking consensus agreement on the acceptability of residual/retained risk, up to and including the board of directors for significant risk acceptance decisions, should be a major focus for IA.

    It isn't, at least in my opinion, IA's job to decide if controls are "effective" or "adequate", but it is IA's job to ensure the board of directors is aware of the significant risks being accepted across the enterprise. This will require a major mind shift in many organizations and IA departments.
