Saturday, August 23, 2008


The right fit: auditing ERM frameworks; Enterprise risk management reviews provide assurance that the organization has a sound basis for assessing and mitigating risks


Alexandra Psica


THE IDEAL ENTERPRISE RISK MANAGEMENT (ERM) FRAMEWORK is tailored to an organization's objectives, level of inherent risk, and risk tolerance--enough to maximize its opportunities, but not so much as to put it out on a limb. Founded on an organization's risk management culture, ERM embodies all of the business practices an organization has in place to assess, communicate, and manage risk. A good ERM framework allows the organization to foresee potential consequences from future events, make necessary changes to minimize risk, manage the negative fallout if an event materializes, and capitalize on the opportunities that it presents for growth. It ensures that decision-makers have timely access to information that is crucial to making appropriate choices within set risk tolerance limits to move the organization toward its objectives. In so doing, ERM helps guide the allocation of resources and strengthen governance.

Moreover, ERM frameworks enable disclosure, giving management, the board, and shareholders assurance that risks are escalated in time to be mitigated. Not all risks can be avoided, but early disclosure allows time for appropriate actions to be taken and any potential advantages to be identified and maximized. ERM frameworks also enable organizations to converge information used by different functions in an organization, such as auditing, compliance, and management.

Audits play a key role in ensuring that an organization's ERM framework is strong enough to perform the intended function and efficient enough to ensure good value. Because ERM frameworks may vary depending on the organization's purpose, size, complexity, and maturity, auditors must rely on their judgment in drawing conclusions about the adequacy of the framework in the context of the organization.


AUDITING'S ROLE


An ERM framework is a set of business practices, supported by a risk management culture, that assesses, manages, and communicates risk at a level appropriate to the organization's objectives, operations, and risk profile (see "Guiding Principles for ERM Frameworks" on page 54). Typically, it includes easy-to-use policies and guidelines; practical, flexible, and self-directed processes and techniques; and tools that support the management of risk information for risk identification, assessment, management, reporting, and monitoring purposes. However, between organizations or even within an organization, the ERM framework may be very different, depending on the level of inherent risk associated with their business objectives as well as their risk tolerance. For example, the information technology department might require a framework with clear risk identification, assessment, and escalation procedures because of the nature of its work, while the human resources department might only need a clear policy and a review of procedures. It is also common to find that the part of an organization with transactional operations has a mature, compliance-oriented framework where risk indicators are clearly defined and may even be integrated into everyday processes, while the part of the organization dealing with strategic risks has a less formal framework that requires further development.

Because internal audit resources are usually targeted to the areas of highest risk, it is essential that the ERM framework is audited periodically to ensure that it has the capacity to identify the right risks to produce reliable information on which to base resource allocation, audit planning, and other decisions. Furthermore, as convergence drives organizations to find synergies among their audit, compliance, and risk management functions, it is important to provide assurance that the risk management function is sound so that the various parts of the organization can rely on the results of the function. Auditors must consider all of the objectives that the organization expects its ERM framework to fulfill when designing the audit and making a judgment about the adequacy of the framework.


The core of a successful ERM framework audit rests on the auditor's ability to make appropriate judgments about the optimal balance between the level of maturity of ERM practices and the level of risk the organization faces. As an emerging business practice, it is unrealistic to expect organizations to have fully developed their ERM capability. It is an auditor's responsibility to provide an opinion on the audit objective, such as the efficiency and effectiveness of the framework. However, auditors should also note the context of the organization, including any gaps in the framework that are a result of the time frame the organization has had to establish the framework and the budget it can realistically devote to ERM. In addition, audits must consider operational risk management (risks in day-to-day delivery) and corporate risk management (risks to achieving business objectives). The bottom line for an ERM framework audit is its usefulness in improving the management of the organization.


In auditing an ERM framework, it is important to distinguish between assessing the effectiveness of the framework for risk management within an organization and management's responsibility to make and monitor the effectiveness of individual risk mitigation decisions. An ERM framework audit will be concerned with the effectiveness of the framework itself in helping the organization manage risk and not whether management made the right risk decisions. Furthermore, in many organizations, internal auditors walk a fine line in maintaining the independence required to audit the framework. As risk experts, they are often called upon to provide their advice; however, it is essential that management owns the ERM framework and processes so that internal auditing can offer an objective opinion on their efficiency and effectiveness.


FRAMEWORK COMPONENTS


An ERM framework is not a single policy, but an array of components within an organization that work together to manage risk over time efficiently and effectively. The auditor's task is to assess whether the sum of these components constitutes a framework that is appropriate for the organization. Interis Consulting has developed a conceptual ERM model based on risk management practices from the public sector, the financial sector, and other industries as well as criteria found in risk management and control standards. The conceptual model deals with the main components of an effective and sustainable ERM framework: establishing the framework, implementing practices and processes to assess and treat risks, and monitoring the framework.


ESTABLISHING THE FRAMEWORK When auditing an ERM framework, auditors should be alert to the attitudes and values expressed around risk management in the organization's policies, governance framework, and suite of risk management processes and tools. Although auditors are not involved in establishing the framework--that should be done by the business itself--when they conduct an audit, they are evaluating the elements of the organization's framework. In some organizations, auditors will find elements of the framework that include explicit risk management values; rigorous, clear risk management guidelines for staff; and strong risk management training programs. In other organizations, it may be more difficult for staff to identify risk management practices, particularly if ERM is new to the organization. Auditors may need to adjust their vocabulary to ensure that staff understand what risk management means in their work. It is especially important in these instances to consider multiple sources of evidence to ensure that embedded ERM--risk management practices that are not identified as such within the organization--is not overlooked by management.


Once a framework is established, the organization implements the framework elements and conducts ongoing risk management activities--it assesses and addresses the risks on a regular basis. Auditors should look for evidence that the risk management practices defined in the framework are in use and operating as expected.


ASSESSING RISKS In auditing the continuous risk management processes, auditors should note whether business objectives are clearly documented; staff must know what the objectives are to manage risks to them. Auditors should check if the organization has a consistent risk identification process that addresses all categories of risk to which the organization is inherently exposed based on an understanding of the organization's business environment. As well, they should determine whether there is a formal risk assessment process, whether residual risk exposure is examined against established risk tolerances prescribed by management, and whether a formal response to the risk is documented and communicated.


TREATING RISKS When assessing whether the organization is addressing risk appropriately, auditors should look for action plans to manage unacceptable risks, including specific mitigation measures, time lines, and owners. These action plans should be reviewed regularly and monitored for their effectiveness in mitigating the risk. Key risk indicators should be identified and monitored on a regular basis by those in the organization responsible for managing the risks to provide early warning signs of the risks materializing. Finally, auditors should check for a standardized approach to managing risk information, with common terminology and data.


MONITORING THE FRAMEWORK An organization should have processes and practices that enable it to monitor the effectiveness of the ERM framework. Typically, an auditor should look for pre-established objectives and indicators that the ERM processes and framework are measured against. If the objective is full coverage of risks across the organization, then an indicator may be the number of divisions that have completed a risk profile. Auditors should assess whether there is management oversight of the framework to ensure that the processes are working as intended and independent oversight to monitor the quality of risk management and due diligence in risk decision-making.


THE AUDIT PROCESS


Although ERM framework audits resemble other audits in their basic process, they vary in content because of the unique nature of each framework. Auditors must assess whether their organization's framework meets its needs adequately.


SCOPE Although scoping is an important step in any audit, it is particularly critical with ERM frameworks because risk management activities form a pervasive function that is often not labeled as risk management. For example, an organization may have an operating procedure manual that serves to manage risk, but it isn't called a risk management manual. Each organization relies on different combinations of systems, people, and technology to identify and manage risk, all of which auditors must cover in their review. An ERM audit may need to include reviewing the operational training program if risk management is part of the training. Internal auditors can gain an understanding of the objectives, process, maturity, business conditions, and risk profile of an organization by examining key aspects that define the business, such as:


* The organization's purpose, mission, programs and services, objectives, and key results.


* Key stakeholders within and related to the organization, including resources, clients, and suppliers.


* Key work processes and control systems to deliver the organization's mission and objectives.


* Business cycles of the programs, services, and core activities and their interaction with other business cycles.


* Locations where the services and programs are delivered.


* Conditions under which the programs and services are delivered (e.g., economic, legislative, political, or legal).


* Trends or stability in the above factors.


It is crucial that the auditor understands the organization's exposure to risks and threats as well as its history in dealing with them. For example, in an audit of a large government department, Interis' auditors spent the first third of the assignment planning, scoping, understanding the environment, and gaining a sense of its philosophical approach to risk and the high-level risks that impacted its work. Once they had a grounding in the organization, they divided it into key areas, such as operational functions and human resources, and narrowed the audit to the three areas where risk management mattered most. Team members were assigned to each of these areas to learn as much as possible about the policies, processes, and tools that their area used in ERM, which provided the context for designing and conducting the audit program.


OBJECTIVES AND CRITERIA When reviewing an organization's ERM framework, the auditor aims to provide reasonable assurance that its business practices are sound and sustainable, informed by risk information that aids the organization in responding to risks effectively and efficiently. When developing the audit objectives and criteria, auditors should:


* Tailor the conceptual ERM framework model to match the organization's environment. For example, an organization that has just implemented a risk management program would not likely have results from a monitoring program.


* Align audit criteria with the four components of the ERM framework model. An audit of a new risk management program would likely specify monitoring criteria based on the existence of a monitoring strategy, rather than results from the monitoring program.


* Keep a broad perspective when prescribing the business practices they expect to find to ensure that the organization has the flexibility to adapt to its business conditions and that all practices designed to manage risk are considered.


In addition, auditors should obtain management buy-in for the audit criteria at the beginning of the audit. If management doesn't agree with the criteria against which the assessment is made, there will be resistance to the audit conclusions and recommendations.


EXECUTION Conducting interviews in an ERM framework audit requires experience and depth in general management practices, because ERM encompasses business practices that are associated with other fields such as finance, compliance, operations, and security. Although a variety of procedures can be used, most audits use interviews and document reviews. Determining who should be interviewed should be aligned with the organization's risk objectives. For example, if the ERM program is designed to be comprehensive, auditors should consider interviews with a broad list of representatives from across the organization. Auditors must adapt questions to tap into the interviewee's body of knowledge and to rephrase unfamiliar terminology. In judging the quality of the risk information in an organization, they should look for evidence that the uncertainty in decision-making is reduced because management has access to relevant and accurate facts about possible undesirable consequences from events that could affect the organization's objectives.


When conducting an ERM framework audit, auditors should:


* Listen to the clients. Auditors should take time to understand clients' business objectives, competitive environment, risk exposure, and risk tolerance. Auditing an ERM framework is not about comparing it to a checklist of features but ensuring that it will enable the organization to achieve its objectives. For example, Interis' auditors helped a software company's chief financial officer use ERM to ensure that she was notified as soon as any of the firm's project delivery schedules were delayed. When she received this risk information in a timely manner, she was able to take actions to offset the postponement of revenue from the client by forgoing expenditures or investigating whether other projects could be accelerated, allowing the company to meet quarterly revenue expectations.


* Recognize that ERM frameworks are works in progress. Frameworks change depending on the business context and the maturity of the organization. To determine relevant recommendations, it's important to understand where the organization was in the last audit period, where it is now, and where it's going. For example, a new government department had a high level of ERM maturity in operational areas that were core to the business but had very little maturity in corporate management areas. In making recommendations, Interis' auditors bore in mind that the department started with no ERM framework two years earlier; the important point to consider was how far the department had traveled on its path to a strong ERM framework and which recommendations would best enable it to accelerate progress in weaker areas.


* Acknowledge that ERM can look very different. Some organizations have ERM embedded in systems. For example, financial institutions typically have clear guidelines for staff regarding the benchmarks that must be achieved before a client qualifies for a particular product or service. Other organizations allow a great deal of leeway for managers to make judgment calls.


* Be on the lookout for hidden ERM practices. Risk management is not a new concept, but people within an organization may not label their risk management practices in those terms, especially in organizations where the ERM framework is in an ad-hoc or initial state. Experienced auditors examine policies, functional units such as human resources, and operational parameters for embedded ERM. If managers can answer the question, "How do you know when to ...?", then there is a policy or practice that supports ERM. In fact, risk management practices that are embedded in all aspects of an organization may even be a sign of an advanced ERM framework and capability, where ERM is so much a part of the work environment that employees don't consciously separate it based on risk terms.


When evaluating ERM frameworks, it is important for auditors to note that ERM should not be done for its own sake, as a simple compliance exercise. They should focus on ensuring that the true value of ERM--its ability to support enhanced decision-making across the organization--is realized.


REPORTING The most difficult task in an ERM framework audit is to reach conclusions and make recommendations. Once findings have been gathered and aggregated for each criterion, the auditor considers the extent to which the organization's ERM framework in that area meets its objectives. Audit recommendations should be reasonable and achievable, bearing in mind the organization's risk profile and objectives.


When drafting the audit report, auditors should explicitly and thoroughly describe what they found as the organization's context so that readers will have a foundation for interpreting the results. They should include a brief sketch of the relevant contextual information with each of the recommendations so that they are always tied back to the organization's risk profile and objectives. In this way, the report will serve as a benchmark of the current state of the organization's ERM framework, and provide a useful tool for implementing the recommendations.


FINDING THE BALANCE


A strong, audited ERM framework provides assurance that an organization is managing risk and can make the necessary and timely adjustments on the road to achieving its objectives. It can also provide a solid foundation for business decision-making. Because ERM audits must adapt to the different nature of ERM frameworks, a suite of best practices can be helpful for assessing ERM in action. Ultimately, the future of ERM is in integrating ERM frameworks into day-to-day functions. Along the way, auditors play a valuable role in helping their organization to evolve a framework that fits its needs.


To comment on this article, e-mail the author at alexandra.psica@theiia.org.


ALEXANDRA PSICA, CMC

MANAGING PRINCIPAL

INTERIS CONSULTING INC.


RELATED ARTICLE: Guiding principles for ERM Frameworks


Although they may take many forms, depending on the organization's objectives, three guiding principles are embodied in sound ERM frameworks:


* ERM practices have evolved in step with the organization's business objectives and environment, including its risk profile. The framework is thus well-adapted to the organization's distinctive business conditions, objectives, and risks.


* ERM practices are woven into all relevant areas of the organization, including policies and guidelines, and are supported by efficient tools for assessing, communicating, and monitoring risk.


* ERM practices across the organization are designed to augment each other, ensuring that groups involved in risk-related activities work toward common objectives. To achieve this level of integration, groups clearly understand each other's risk management processes, goals, and methods, as well as the accountabilities for managing risk. ERM draws on the organization's current systems and controls to support risk management.


Organizations are increasingly aware of the value that can be generated by practicing risk management. A sound risk management framework is essential to generate this value.


COPYRIGHT 2008 Institute of Internal Auditors, Inc.
COPYRIGHT 2008 Gale, Cengage Learning
