What Is the Relationship Between Governance, ERM, and Internal Controls?

This question comes up quite a lot in discussions. Are they separate, or are they somehow inter-related with fuzzy borders?

I discuss my views here, including my belief that there are what I call fuzzy borders between the three. For example, there are aspects of board operations that are part of the system of internal control (look at the COSO Control Environment layer). There are parts of governance that are part of ERM (such as board approval of risk appetite). Internal control is defined by the IIA as how you manage risk, so its part of ERM. But risk assessment is one of the layers in the COSO Internal Control Framework.

My view is that Governance is the "boss." It includes ERM and internal control, both of which are required to enable effective governance by the board and top management.

What does this mean for internal auditors?

I believe we should continue to focus on providing assurance on the holistic whole rather than bits and pieces. If not, we are going to point out how individual trees are diseased when the whole forest is dying.

I would appreciate your views (and let's leave "GRC" out of the discussion for the moment — that is a different concept).

Posted on Jun 12, 2011 by Norman Marks

Share This Article:    

  1.  I have been asked to explain why ERM is part of Governance. This is what I said:

    The risks that need to be managed are those that might impact the organization's strategies and objectives. These are not set as part of ERM. They are set as part of the governance activity. 

    When the board and management strive to set and achieve their objectives, they do so with risk-related information and they also adapt and respond to risk - as part of how they manage and direct the organization. 

    If you define Governance as how you manage and direct the organization to achieve its objectives, then ERM as part of that. 

    If you don't like that simple definition of mine, here is what the OECD has (and I believe this is the most commonly used definition of Governance): 
    “A set of relationships between a company's management, its board, its shareholders and other stakeholder. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.” 

    This is what the Australian Stock Exchange says: 
    “The system by which companies are directed and managed. It influences how the objectives of the company are set and achieved, how risk is monitored and assessed, and how performance is optimized.” 

    If that is how Governance is defined, how can there be any debate on the fact that ERM is included?

  1. This leads to another aspect of management accountability and Governance. The Governance structure is supported by a mechanism in place. What is the role of and "Advisory Board"? Is it part of support mechanism or Advisory board is an integral part of Governance structure?


  1. I agree with the approach that governance has an overarching approach while ERM and internal controls are part of this equation.  However, while reviewing the definition of internal audit, something that caught my attention was that the IIA definition of internal audit is not aligned to this subject.  In the definition : "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." 

    In my view, this definition should be tweaked a bit and move governance before risk management and controls to reflect that without governance i.e., tone a the top adequate risk management and controls cannot be achieved.


  1.  I agree with Norman Marks in the point that Corporate Governance is the "boss". And I believe that Internal control is the "Auditor".

    The Governance issues policies ad procedures of a company, it also makes decisions on critical issues at the right times. It may include the Management board, Chairman, Director and/or Manager. However, Management board does not always right in making decisions, it sometimes makes mistake, too. Therefore, we do need Internal Control (I.C), to "observe" the Management. It (the I.C) cannot make decision but it would introduce solution, it points out any weakness of any activity or decision made by the "boss".

Leave a Reply