What is ERM anyway? And why is it important to anyone besides us auditors? ERM is enterprise risk management. It means that an organization accepts, manages, and mitigates its risk organization wide rather than through one process or department. ERM should drive high-level decisions down to each process. ERM is the overarching framework each organization uses to outline the risk it is willing to accept, manage risks it cannot mitigate, and mitigate the risks it can.
Auditors know that internal controls mitigate risks. The new COSO standards provide an integrated approach to evaluating, assessing, and implementing effective internal controls. We auditors use COSO and the other tools in our toolboxes to help our organizations be successful in these endeavors. So why, I ask myself, do so many ERM implementations fail? What makes the successful ones, well … successful? Moreover, why is ERM especially important in the public sector?
In my experience, ERM implementations have failed for a couple of reasons. First, key stakeholders don’t have a place at the table. For ERM to be successful, key staff with the ability to influence must be involved or you cannot garner the support needed to sustain ERM after implementation.
Influential key staff are not necessarily department managers. Rather, they are trusted advisers with in-depth knowledge of the organization’s processes and how those processes interact across departments. Teams across multiple departments will rely on those staff to lead the way, whether or not they are on the implementation team. Having influential staff on the implementation team can garner buy-in at all levels of the organization, speed the implementation time, and reduce the chance of identifying problems after the implementation of ERM. By the way, this is also true of most software implementations and business process redesigns.
The second, and maybe most important, reason ERM fails is culture. If your organization has a culture of fear, then implementing a successful ERM on the first go-around is nearly impossible. There are tons of reasons to fear ERM, especially in the public sector. For example, what if the public finds out we have this problem, or worse, Congress or some other legislative body? We might be sued, our funding could be reduced, or we may let hackers or fraudsters know exactly where we are vulnerable.
Then there are fears around letting others — including our bosses, not to mention the boss’s boss — know that we have a systematic failure or huge risk. If your organization’s culture is characterized by punishing those who bring risk to the forefront, your ERM implementation is doomed. The program may look pretty on paper, but it is not going to be effective. No one will address serious organizational risks in that type of organizational culture.
So as auditors, how do we prime our organization for ERM? We talk about risk in a positive manner. It also helps to change the perception that auditors are “out to get you.” Auditors should promote our profession and what we do as positive activities that help audit clients be more successful at what they do best. We, as auditors, need to lead the way in openly talking about risk, what it is, what it’s not, how we tell the difference, and how to mitigate it. The more we talk about risk, the easier it becomes for the whole organization.
A good way to start the conversation is to talk about risk within our own department, such as lack of specialized expertise, lack of experience, or lack of standard operating procedures for some of our activities. Once we have led the way by example, it is easier for other departments and influencers to get onboard.
What about management? Senior management has an entirely different perspective on ERM and what it means. Senior management knows risk is bad and that it should be avoided — that’s not the question. As auditors, we need to inform senior management of how ERM positively affects overall operations and can drive decision-making across the organization. Tone at the top is critical in ERM implementations, and senior management must be vocal supporters of the effort. Our job is to help management find their voice and message to the organization. Senior management’s vocal commitment to ERM can go a long way to improve the chances of a successful ERM implementation.
For more insight and considerations for ERM implementation, join The IIA’s American Center for Government Auditing’s Virtual Symposium: ERM in the Public Sector, Thursday, Nov. 5 from 12:00–4:00 p.m. ET.
About the Author
Mara Ash, CIA, CGAP, CGFM, CMRA, is a federal compliance specialist whose career has spanned federal, state, and local governments as well as private industry. Her goal is to help organizations improve service delivery, ensure compliance, and enhance transparency.
She is an active member of The IIA and the Association of Government Accountants, where she has held various leadership positions.