Businesses must operate in a landscape of increasing complexity and ever-changing risk and regulatory environments. The speed of change - both internal and external - to organizations continues to quicken in this digital era. Because of this, Internal Audit (IA) and Enterprise Risk Management (ERM) teams need to work together in order to effectively support the organization and its Board of Directors in fulfilling their risk management responsibilities. This includes timely identification of emerging risks and development of risk mitigation strategies.
First, it is helpful to understand what the roles of IA and ERM are and are not. This clarification is important to building a mutually beneficial working relationship, minimizing duplicity, and maximizing impact:
- Internal Audit is an independent, objective assurance and consulting activity. Its core role is to provide objective assurance to the Board on the effectiveness of risk management.1 Therefore, while IA cannot own or manage risks, it can provide input and collaborate with risk management functions.
- Enterprise Risk Management is a structured, consistent, and continuous process across the entire organization that identifies, assesses, and decides on responses to and reporting for opportunities and threats that affect the achievement of its objectives.1
- Note: In some organizations, ERM is not a separate, stand-alone function or team, but rather, it is a mindset and approach embedded into the fabric of how the organization sets and monitors its strategies and helps enhance the overall performance of the organization.2 This is important because if your organization does not have a formal ERM function, it certainly has aspects of ERM ingrained into other functions, such as compliance, legal, or quality control.
Optimizing an Organization’s Risk Intelligence
The focus of IA and ERM is similar, yet many organizations execute these roles in a siloed fashion. This hinders their ability to identify and respond to changing risks. If you find yourself in this position, below are four simple, yet high-impact ways to maximize your collective efforts:
1. Speak the Same Language
A common risk universe and risk taxonomy are the building blocks for establishing a strong and uniform risk culture. From a strategic viewpoint, it is hard for the executive team and Board to engage in an effective risk dialogue if they do not speak the same language. Imagine facilitating a conversation with a team of executives regarding an issue, with everyone using words that mean different things to different people; it is likely that people are talking about completely different things! A uniform risk language is essential for executive sponsorship and engagement. IA and ERM are in the perfect position to help develop risk language that will become part of the fabric of the organization, ultimately creating a risk-savvy culture.2. Share Risk Intelligence
IA and ERM have unique access to management’s decision-making process and are privy to early information around strategic changes or future direction; be it introducing a new product to the market, implementing new technology, or considering a change in strategic direction. Given their distinct roles in the organization, the timing and nature of involvement may be different. Appropriately sharing information between teams that may change the organization’s risk landscape will ensure that IA and ERM priorities and efforts are spent in the most critical risk areas.3. Leverage Data Analytics
As IA and ERM coordinate to create a uniform risk language and share risk intelligence, data analytics should be leveraged to first define, and then monitor key risk indicators (KRIs). A data-driven approach supports the monitoring of KRIs, which identify emerging risks of strategic business objectives and enables management to deliver a timely response, thus mitigating risk. Streamlining the data analytics program (e.g., approach and technology) and tracking KRIs will maximize cost efficiencies and increase collaboration among IA and ERM.4. One Source of Truth
While it seems intuitive, often organizations do not invest or upgrade to an enterprise GRC (Governance Risk and Compliance) platform. In fact, various tools are often purchased by separate buyers, creating siloes within the organization. However, using a GRC platform for IA and ERM provides greater efficiency and a single source of truth. This enables IA and ERM collaboration and communication on an ongoing basis, resulting in further efficiencies in testing and providing impactful reporting. The right GRC Platform will benefit the entire organization – not just IA and ERM.
As IA and ERM embark on this collaborative journey together, they will be instrumental in changing how they have been traditionally viewed – from a risk reducer that slows down process, to a prudent risk enabler. The right perspective is the beginning of a collaborative risk culture.
- Excerpt from – “IIA Position Paper: The role of Internal Audit In Enterprise Wide Risk Management.”
- Excerpt from – “COSO ERM Creating and Protecting Value”