RISK:
What is Enterprise Risk Management (ERM) and what role in it does internal auditing play?

Enterprise Risk Management is a structured and coordinated entity-wide governance approach to identify, quantify, respond to, and monitor the consequences of potential events. Implemented by management, ERM is evaluated by the internal auditors for effectiveness and efficiency.

The practice of managing risk, which is a key element of governance, traditionally has been confined to individual business units and/or parts of business units, and to a lesser extent applied across the organization. Enterprise risk management (ERM) takes a broader portfolio approach and deals with risks and opportunities affecting the creation or preservation of organizational value.

Enterprise risk management is defined as a process, effected by an entity's board of directors, management, and other personnel; applied in strategy setting and across the enterprise; designed to identify potential events that may affect the entity; and managing risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Everyone in the organization plays a role in ensuring successful enterprise-wide risk management, but management bears the primary responsibility for identifying and managing risk and for implementing ERM in a structured, consistent, and coordinated approach. The board, or its equivalent, has an overall responsibility for monitoring the risks and for gaining assurance that they are managed at an acceptable level. Internal auditors, in both their assurance and consulting roles, contribute to the management of risk in a variety of ways. They play a key role in evaluating the effectiveness of -- and recommending improvements to -- ERM. IIA Standards specify that the scope of internal auditing should encompass risk management and control systems.

The internal auditors' varied roles in, and emphasis on, ERM depend on the maturity of the ERM process in the organization. The safeguard that should be put in place before the internal auditors carry out their ERM-related roles is to ensure that the entire organization fully understands management's responsibility for risk management.

The internal auditors' core ERM role is to provide objective assurance to the board and senior management on the effectiveness of the ERM activities in helping ensure key business risks are managed appropriately and the system of internal control is operating effectively.

Internal auditing's key ERM-related roles and assurance activities include:

  • Providing assurance on the design and effectiveness of risk management processes.
  • Providing assurance that risks are correctly evaluated.
  • Evaluating risk management processes.
  • Evaluating the reporting on the status of key risks and controls.
  • Reviewing the management of key risks, including the effectiveness of the controls and other responses to them.

Additional internal audit roles and consulting activities are legitimate when accompanied by adequate safeguards to protect the internal auditors' independence and objectivity. They include:

  • Championing the establishment of ERM within the organization.
  • Developing risk management strategy for board approval.
  • Facilitating the identification and evaluation of risks.
  • Coaching management on responding to risks.
  • Coordinating ERM activities.
  • Consolidating the reporting on risks.
  • Maintaining and developing the ERM framework.

The roles the internal auditors should NOT undertake are:

  • Setting the risk appetite.
  • Imposing risk management processes.
  • Providing assurance to the board and management.
  • Making decisions on risk responses. This is management's responsibility.
  • Implementing risk responses on management's behalf.
  • Accountability for risk management.

References:
COSO, "Enterprise Risk Management - Integrated Framework: Executive Summary," September 2004.
IIA, Position Paper: "The Role of Internal Audit in Enterprise-wide Risk Management," September 2004.
IIA UK, "Position Statement on Risk-Based Internal Auditing."

© 2010 The Institute of Internal Auditors / 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA / +1-407-937-1100 / FAX +1-407-937-1101 • www.theiia.org