Insights

Internal Audit & Enterprise Risk Management: Stronger Together

 

Because of ever-changing risk and regulatory environments, Internal Audit (IA) and Enterprise Risk Management (ERM) teams must work together to effectively support the organization and its Board of Directors in fulfilling their risk management responsibilities. This includes, among other things, the timely identification of emerging risks and the development of risk-mitigation strategies.

Clarifying Roles of Internal Audit and Risk Management Teams

First, it's helpful to between IA and ERM roles. This clarification is important to building a mutually beneficial working relationship, minimizing duplicity, and maximizing impact:

  • "Internal Audit is an independent, objective assurance and consulting activity." Its core role is to provide objective assurance to the Board on the effectiveness of risk management. While IA cannot own or manage risks, it can provide input and collaborate with risk management functions.
  • "Enterprise Risk Management is a structured, consistent, and continuous process across the entire organization that identifies, assesses, and decides on responses to and reporting for opportunities and threats that affect the achievement of its objectives."
    • Note: In some organizations, ERM isn't a separate, standalone function or team but rather a mindset and approach embedded into the fabric of how the organization sets and monitors its strategies and helps enhance the overall performance of the organization. This is important because if your organization doesn't have a formal ERM function, it certainly has aspects of ERM ingrained into other functions, such as compliance, legal, or quality control.

How to Optimize an Organization’s Risk Intelligence

The focus of IA and ERM is similar, yet many organizations execute these roles in a siloed fashion, impacting firmwide risk assessment. This hinders their ability to identify and respond to changing risks. If you find yourself in this position, below are four simple, yet high-impact ways to maximize your collective efforts:

1. Speak the Same Language

A common risk universe and risk taxonomy are the building blocks for establishing a strong and uniform risk culture. From a strategic viewpoint, it's hard for the executive team and the Board to engage in an effective risk dialogue if they don't speak the same language. Imagine facilitating a conversation with a team of executives regarding an issue, with everyone using words that mean different things to different people; it is likely that people are talking about completely different things!

A uniform risk language is essential for executive sponsorship, engagement, and control. IA and ERM are in the perfect position to help develop risk language that will become part of the fabric of the organization, ultimately creating a risk-savvy culture.

2. Share Risk Intelligence

IA and ERM have unique access to management’s decision-making process and are privy to early information around strategic changes or future direction, be it introducing a new product to the market, implementing new technology, or considering a change in strategic direction.

Given their distinct roles in the organization, the timing and nature of involvement may be different. Appropriately sharing information between teams that may change the organization’s risk landscape will ensure that IA and ERM priorities and efforts are spent in the most critical risk areas. Collectively, information-sharing can lead to stronger governance, collaborative risk identification, and aligned business objectives.

3. Leverage Data Analytics

As IA and ERM coordinate to create a uniform risk language and share risk intelligence, data analytics should be leveraged to first define, and then monitor key risk indicators (KRIs). A data-driven approach supports the monitoring of KRIs, which identify emerging risks of strategic business objectives and enables management to deliver a timely response, thus mitigating risk. Streamlining the data analytics program (e.g., approach and technology) and tracking KRIs will maximize cost efficiencies and increase collaboration among IA and ERM.

4. Use One Source of Truth

While it seems intuitive, organizations don't always invest or upgrade to an enterprise Governance, Risk, and Compliance (GRC) platform. In fact, they often purchase various tools by separate buyers, creating siloes within the organization. However, using a GRC platform for IA and ERM provides greater efficiency and a single source of truth. This enables continuous IA and ERM collaboration, resulting in further testing and reporting efficiencies into new realms of business operations, such as environmental, social, and governance goals. The right GRC Platform will benefit the entire organization – not just IA and ERM.

A single source of truth is the foundation for the creation of a risk management framework that can:

  • Strengthen the internal control system.
  • Communicate risk procedures internally and externally.
  • Root out residual risk in various areas of the business.
  • Establish organizational risk oversight, including the appointment of risk managers and a risk owner.
  • Define the parameters of the Internal Audit function and the Risk Management function.

As IA and ERM embark on this collaborative journey together, they are instrumental in changing how they have been traditionally viewed – from a risk reducer that slows down process to a prudent risk enabler. The right perspective is the beginning of a collaborative risk culture.

For more information on defining a risk management program in your organization, contact CrossCountry Consulting today.

 

Editor's note: Updated January 2022

Understanding The Agile Audit: Processes, Principles, and People
Credit Unions (and Other Non-Public Entities): CECL is Coming
Related Posts
Audit, Cyber, and Operational Readiness for a Public Digital Payments and Exchange Firm
Audit, Cyber, and Operational Readiness for a Public Digital Payments and Exchange Firm
Internal Audit Is More Than SOX: How IA Can Expand Risk Coverage
Internal Audit Is More Than SOX: How IA Can Expand Risk Coverage
A Look Back (and Forward) at SOX, 20 Years On
A Look Back (and Forward) at SOX, 20 Years On

Comment