The Newsroom

Many Organizations Unprepared to Manage Risk, Says New Survey

February 16, 2009

Opportunities arise for internal auditors

ALTAMONTE SPRINGS, Fla. - In the wake of a recession brought on by poor risk management at leading banks and financial institutions, a new report indicates just how few organizations are formally prepared to manage their risk. Of 240 organizations polled in a recent survey, only 40 percent have implemented a formal Enterprise Risk Management (ERM) program. In fact, 14 percent of chief audit executives (CAEs) who responded to the survey said they've actually recommended to their management that a risk management process be implemented and yet they still lack a program. The 2008 ERM Benchmarking Survey conducted by The Institute of Internal Auditors Research Foundation (IIARF) provides recommendations to those looking to establish a risk management program or to enhance the effectiveness of their current efforts.

"There's such an opportunity for internal auditing in this post-financial meltdown environment. Having a bird's eye view of the organization, internal auditors should be involved in assessing operational and strategic risk - even helping drive the risk management process," said IIA President Richard Chambers, CIA. "The good news coming out of this survey is that some are already playing an active role in helping improve their organization's risk management. They're providing services like evaluating the risk management process or even coordinating the risk management program. And this is right in line with the International Standards for the Professional Practice of Internal Auditing."

Of the organizations with a formal or informal risk management process, the number one guiding framework is The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management - Integrated Framework. In addition, approximately 68 percent of these organizations have a risk management philosophy in place. Key risk management elements identified include the presence of a program or process owner, support staff for the program, a sustaining maturity level, and the integration of risk management efforts into the organization. Furthermore, a chief risk officer or equivalent is the person most likely to be in charge of risk management, followed by the internal audit department or CAE.

The survey also found that documentation and communication of the organization's risk management efforts are an essential aspect of a risk management program's success. The majority of organizations represented in the survey actively document and communicate the board's and management's risk management roles and responsibilities, as well as the organization's risk appetite or tolerance level. Additionally, top internal sources of information include data collected from various internal, IT, or external sources; discussions with senior management, the board, or audit committee; and data collected from programs or staff. On the other hand, top external sources of information include industry publications and information from industry groups; benchmarking data from other organizations; and external audit reports. And despite the benefits of using technology to monitor risk and the effectiveness of internal controls, 68 percent of the companies represented in the survey do not use technology to monitor risks.

Key risk management practices identified to maximize the use of internal resources and ensure the program's success include: developing a risk management process that fits the organization's needs; defining and using the same risk management language throughout the entire organization; incorporating risk monitoring activities into all business action plans; selecting a tool or automated process that meets the organization's risk management needs; and using a formalized and standardized risk mitigation process. Overall, the number one obstacle to achieving success in risk management is lack of support at the senior management, board, and staff levels for the risk management program or process.

"Internal auditors should encourage senior management to support the efforts of the organization's designated risk manager," added Chambers. "Senior management needs to understand the added value of the program and how it will impact each business area. This will ensure the right tone at the top is established, which will then create a business culture where risk management is valued and understood by all levels of the organization."

The 2008 ERM Benchmarking Survey was conducted through the IIARF's Global Auditing Information Network (GAIN), a trusted name for benchmarking services in the internal audit profession. To learn more about GAIN, or to download a copy of the ERM survey results (available free only for a limited time), please visit: http://www.theiia.org/research/benchmarking/gain/2008-erm-benchmarking-survey/.

###

About The IIA and IIARF

The Institute of Internal Auditors (IIA) is internationally recognized as a trustworthy guidance-setting body. Serving members in 165 countries, The IIA is the internal audit profession's global voice, chief advocate, recognized authority, acknowledged leader, and principal educator. The Institute of Internal Auditors Research Foundation (IIARF) was founded in 1976 by The IIA. The IIARF expands knowledge and understanding of internal auditing by providing relevant research and educational products to advance the profession globally.

Media Contact:

Scott McCallum

scott.mccallum@theiia.org

O: +1-407-937-1247

M: +1-321-246-7649

 
© 2010 The Institute of Internal Auditors / 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA / +1-407-937-1100 / FAX +1-407-937-1101 • www.theiia.org