Saturday, August 23, 2008

Role play: internal auditors differ in their opinions on just what part they should play in the implementation of their organization's enterprise risk management


Russell A. Jackson


IT IS, PERHAPS, A TESTAMENT to the comprehensiveness and flexibility of recent practice guidance on the role of internal auditing in enterprise risk management (ERM) that reasonable minds disagree so strongly on how that guidance should be put into practice. According to some experts, one thing is clear in the guidance: Chief audit executives (CAEs) should not helm their companies' ERM efforts. When they do, their line of thinking goes, both ERM and internal auditing suffer. On the other hand, some experts say that the bottom line is making sure both functions are carried out. If the CAE is the only one willing, able, and politically powerful enough to get the job done, then he or she should do it. In the middle, of course, are the experts who say "guidance" means just that: "guidance." Each company should have the freedom to implement the guidance however its specific culture requires.


At issue are the recommendations in two important documents: The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management--Integrated Framework and "The Role of Internal Audit in Enterprise-wide Risk Management," a position paper issued by The IIA in coordination with the IIA UK and Ireland. A key element of the latter is "the fan"--a graphic that ranks ERM-related functions by appropriateness to the internal audit function (see "Internal Auditing's Role in ERM," this page).


Although the guidance these documents contain is specific enough to have meaning in any company in any country, it is also general enough that it can be applied--and the processes it recommends implemented--in a variety of ways. And that generality is from whence springs the debate over how rigid the documents' guidelines actually are. Is "always" appropriate in an increasingly complex global market? Is "never" appropriate when companies of vastly different sizes, corporate cultures, values, and missions are trying to accomplish basically the same goals by basically the same means? Does guidance on the role of internal auditing in ERM lose its muscle if it's not followed as close to the letter as possible? Views within the internal audit profession vary--and most experts' opinions, in fact, vary from one task to another. Not surprisingly, there are no black-and-white views on internal auditing's role in ERM any more than there are black-and-white situations in which to apply those views.


MAINTAINING INDEPENDENCE


At RadioShack Corp. in Ft. Worth, Texas, executives wanted to create a culture in which risk management was inherent in key business decisions. They established a team to manage the firm's move to ERM. Kenneth G. Barna, vice president for internal audit/controls, represented the internal audit department, and a colleague represented corporate compliance. The pair co-chaired the ERM-development committee. "We realized that ERM can't be looked at as a separate function," Barna says. "It has to be integrated into the organization's day-to-day operations. We worked with a representative from strategic planning and used a cross-functional team approach." In so doing, he says, he learned there are occasions when an internal audit department with the best of intentions must not get involved.


One of the trickiest situations, he says, is when a manager with legitimate responsibility for risk response says, in effect, "Tell me what I should be doing." It must be the responsibility of management, not internal auditing, Barna emphasizes, to put together a draft response to risk. "That," he stresses, "is absolutely critical." Similarly, he continues, the CAE must demur if management asks the internal audit department to determine the company's risk appetite. "One of the risks is when the internal audit department is highly regarded by the management team and managers want the auditors to transition from establishing an ERM framework to actually consulting on it. They'll say, 'Help us get it done.' But there are certain tasks internal auditing can't do--developing risk appetite is one of them. Management must understand the risk and decide on a response that makes sense."


Steve Jameson, formerly assistant vice president for technical services at The IIA, was directly responsible for drafting the initial IIA Practice Advisory on the Internal Auditor's Role in Risk Management and served as The Institute's representative to COSO for its ERM project. Jameson, who now serves as executive vice president and chief internal audit and risk officer at Community Trust Bank in Pikeville, Ky., agrees that the right executives--not the internal audit department--must own the risk. That can be facilitated, he says, by making sure the CAE is part of the thought process, but not part of the decision-making process. "I have internal auditing, loan review, compliance, and security reporting to me," he explains, "and I also coordinated the development of our ERM program. During the development process, regulators asked me how I segregate what I do as chief auditor and what I do as chief risk officer. And they wanted to make sure the board knew I had multiple roles. I said, 'I follow the guidance. I don't own the risk.'" Jameson does that, he says, by sitting on a lot of committees as a nonvoting member so that he doesn't impair his independence.


Dominique Vincenti, vice president of The IIA's Global Practices Center, agrees that independence is the issue. Until ERM is an ongoing reality at an organization, the CAE can play a developmental role--auditing the ERM process as it's developed and implemented to provide assessment and recommendations to make sure things happen the right way the first time. "That's what the middle portion of the fan is saying," Vincenti explains. "But once your organization is mature and has ERM in place, you go back to your traditional and pure internal audit role. You assess, give assurance, and evaluate the risk management process--the reporting of risks and the management thereof."


DEEPER PROBLEMS


Vincenti says that there is no time when it's acceptable for internal auditing to own the risk. "You have to resist that strongly," she says. "You have to go to the audit committee and tell them that you can't implement a program that should be implemented by management." Indeed, she says, "if a manager says, 'It's not my job,' you should challenge his or her continued employment. You cannot implement something that you have the responsibility to assess." Any conflict with management over ERM authority, she says, could indicate serious problems. "You can discuss with senior management alternatives to your heading ERM implementation that will still put the organization on the right track. But if you have to do that, it means that you, as CAE, or whoever else is trying to sell the concept of ERM to senior management, failed, because management doesn't understand that they are the only ones who can do it."


Don Espersen, an internal audit consultant and educator based in St. Paul, Minn., also sees deeper problems when there's disagreement over ERM program leadership. "If the real owners haven't recognized that they're the real owners, if the perception is that it's internal auditing's job, that's a huge corporate culture issue," he says.


Indeed, says Richard Chambers, director in the internal audit practice at PricewaterhouseCoopers LLP, Atlanta, there are risks even when CAEs perform functions permitted in the COSO and IIA guidance. "One area of concern is the IIA position that internal auditing can develop--with safeguards--a risk management strategy for board approval," he explains. "Management should be responsible for establishing the risk management strategy, not the CAE. Decisions made to manage risk are clearly a management function." It's understandable that management would look to internal auditing for assistance, he notes, because its risk expertise makes it a tempting repository for ERM responsibilities. "But it would be a significant mistake to shift those responsibilities exclusively to internal auditing," Chambers adds. "In addition, experience has shown that unless management takes ownership of ERM as part of its core business, it's not effective on a long-term basis."


Jackie P. Cain, technical development director of IIA UK and Ireland, agrees. "Often, I hear that internal auditors get involved in implementing ERM because 'there was no one else to do it,'" she says. "Now, while I have sympathy with that view--after all, if you know everyone is starving and you know how to fish, it is tempting to do the fishing for them--that situation is where internal auditors need to be strong. If no one else will do it, the organization has not seen the benefit of ERM and will not be ready to embed the processes and get the most out of it. Internal auditing needs to undertake more consulting work to persuade people and to facilitate the introduction of ERM. If it does not, however hard the CAE works, ERM will not be successful. Internal auditing needs to teach people the benefit of fishing and then teach them how to fish."


PROVIDING ASSISTANCE


There are plenty of appropriate roles for CAEs in the ERM development and implementation process. In fact, the experts agree, there are some functions that internal auditing must carry out lest the firm waste what amounts to an irreplaceable well of risk management and program assessment expertise.


"I believe COSO says it best," Chambers comments. "It says that 'internal audit can provide valuable assistance to management and the board of directors by evaluating the ongoing effectiveness of ERM and recommending improvements when warranted.' That view complements IIA Standard 2110.A.1, which states that an 'internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.' Consistent with additional IIA standards, internal auditors should already be conducting a comprehensive annual risk assessment as a basis for planning and allocating their own resources. The knowledge gained from that process, as well as from risk assessments undertaken at the outset of every internal audit engagement, should be leveraged on behalf of the enterprise and shared with management and the board."


That's not just a good idea, he continues, it's a necessity. "CAEs must become advocates for ERM within their organizations," he stresses. "Much as we did for strong and effective systems of internal control in the past, we must champion the value of ERM to our boards and senior management. Where ERM has not been implemented, we must share the results of our annual internal audit risk assessments as further evidence of the potential value of ERM."


Roger W. Raber, chief executive officer (CEO) and president of the Washington, D.C.-based National Association of Corporate Directors, says boards feel the same way about the contributions internal auditing should be making to ERM. "The best way to ensure that internal auditing plays the most useful role possible in risk management is to involve the appropriate committees of the board of directors," Raber says. "At a minimum, that would be the audit committee. Internal auditing can assist the committee in the governance process by coordinating with management the identification of key risks, controls, and processes, as well as monitoring mechanisms. Internal auditors also can be helpful by conducting and reporting on the results of continuous risk assessment, the status of the organization's system of internal control, special studies and investigations, and other matters of interest to the committee."


ASSURANCE IS KEY


Cain agrees that a key role for CAEs in ERM is making sure the right information gets to the audit committee. "The most important part of internal auditing's fundamental role is providing the organization with assurance on governance, risk management, and internal control processes," she stresses. "Therefore, one core role for CAEs is providing objective assurance to the board and the audit committee that ERM processes are working effectively--that risks are being identified and dealt with properly." In the United Kingdom and Ireland, she adds, the ERM framework is fundamental to audit work on internal controls as well because it defines what is meant by effective control: Control is effective if it manages risks to the level approved by the board. "Therefore, to do its work on internal control, internal auditing needs to understand the ERM framework so it can be sure risks are being identified and so it understands the organization's risk appetite and tolerance," she says.


There are ways to carry out those important tasks without risking internal auditing's independence, Barna adds. "In the beginning, we were heavily involved in setting the ERM program's objectives," he reports. "One thing we did was facilitate a dialogue between management and the board. We also conducted a high-level risk assessment. We looked at how we could engage management as much as possible in it, starting with the CEO and president. We gave them tools--but we didn't make the assessment ourselves. One of the things we were careful of was that management owned the risk. As we went through the risk assessment and discussion with management and later went into facilitative workshops to prioritize risk, we assigned all the ownership components to other parts of the company, but not to internal auditing or compliance."


It's important to go to the trouble of contributing without owning, he emphasizes, so as to fully use the corporation's already-owned internal risk management expertise. "To me," Barna comments, "it seems that if the board and executive management look at internal auditing as functional experts in the area of risk, for us to not be active participants in championing ERM, we're selling ourselves short in helping the company. Establishing goals and objectives is a critical phase of ERM implementation, and it's where internal auditing can contribute the most."


THE GRAY AREAS


Indeed, the problem with melding ERM and internal auditing isn't generally finding areas where CAEs can contribute; it's making sure they don't contribute too much. And therein, of course, lies the rub. It's easy to say that internal auditing must offer advice and monitoring. And it's easy to say that internal auditing must not own risk or make risk management decisions on management's behalf. But how do those obligations and proscriptions play out in the real world? The view on the ground is far, far less clear.


For example, Jameson points out that there are companies that don't have risk managers, let alone risk management departments. Can internal auditing step up to the plate and take on the ERM process? Yes, he says. "You still want to try to avoid internal auditing being the owner of the risk and making the ultimate decisions," he points out, "but CAEs might be tapped to do more things to get ERM started with the long-term goal of turning over parts or pieces to other risk owners or champions. It's probably better if internal auditing steps up and does more than if nobody does anything."


Barna sees a specific gray area in the fan. "To me, the initial high-level business risk assessment is something where, if there are reasonable safeguards, internal auditing can play an appropriate role," he says. "However, once the risks are identified, there is often pressure to be part of the solution. That's where CAEs have to be very careful about balancing management's risk appetite and the appropriate role of internal auditing.


"When management starts to pressure internal auditing for greater involvement, it can beg off but still provide support," he continues. "If you're doing a one-time business risk assessment, you probably can fudge the rules. But that's not ERM. It's not ERM until you embed the process into how the company does business. We used the COSO and IIA documents as guidance, but we tweaked and customized them as we went. There is no one solution that fits every organization."


But CAEs need to be careful in those situations, he stresses. "The handoff becomes extremely difficult if you wait until ERM is implemented. That's why I wanted a three-person team. That way we could start to have the logical risk owners involved in the process early on."


Even Vincenti, a relative hardliner on internal auditing's role in ERM, sees some gray in the landscape. "The guidance is premised on organizations having a risk management process," she says. "The situation in real life is that many don't. That's where the role of internal auditing can change and evolve with the maturity of the organization."


Espersen agrees. "How ERM is implemented depends on what's best for the organization," he says. "It's going to depend on the capabilities within the organization and of the people running the audit department. A large organization might be able to integrate ERM into the governance process, meaning internal auditing could stay back independently. But small companies probably will not have as many resources, and it's thus more likely that the internal auditor would take a more active role in ERM."


In those cases, he adds, the CAE needs to appreciate that others in the organization might actually be better equipped to manage the job. "Internal auditing needs to look for other people in the organization who have a legitimate claim to risk ownership and who have as much ability as they do to run the ERM process," he comments. "If they don't, if they instead take on the risk and burn bridges and usurp the ERM function, there's going to be hell to pay."


"The important thing is that ERM is implemented, not who implements it," stresses Terry Cunnington, director of risk management at a firm in London that owns stock and derivatives exchanges and immediate past president of The IIA UK and Ireland. "A lot of organizations don't have risk management departments, so internal auditing can expand its role by facilitating risk workshops, maintaining and evaluating the company's risk management framework, acting as a coordinating point for ERM, and championing it.


"Some companies figure, 'We've been so successful at integrating ERM with internal auditing, what's the point of handing it over if it works?'" Cunnington continues. "I've seen companies do that very successfully without compromising the CAE's independence. It can work with the necessary safeguards and can increase the profile and effectiveness of the internal audit group." The issue, he stresses, is "what works best in your own organization."


PLAYING THE RIGHT ROLE


The bottom line, the experts agree, is making sure one fundamental safeguard is in place: CAEs should never own risk. Apart from that essential protection, however, there is in the guidance considerable room for flexibility regarding how ERM is implemented and by whom, provided CAEs pay due attention to the recommendations in the fan and use common sense in integrating the many hats they may be asked to wear. The key is making sure management plays its appropriate role, allowing internal auditing to focus on its own.


Internal Auditing's Role in ERM

Core internal audit roles in regard to ERM

Giving assurance on the risk management processes
Giving assurance that risks are correctly evaluated
Evaluating risk management processes
Evaluating the reporting of key risks
Reviewing the management of key risks

Legitimate internal auditor roles with safeguards

Facilitating identification & evaluation of risks
Coaching management in responding to risks
Co-ordinating ERM activities
Consolidated reporting on risks
Maintaining & developing the ERM framework
Championing establishment of ERM
Developing RM strategy for board approval

Roles internal audit should not undertake

Setting the risk appetite
Imposing risk management processes
Management assurance on risks
Taking decisions on risk responses
Implementing risk responses on management's behalf
Accountability for risk management

To comment on this article, e-mail the author at rjackson@theiia.org.


RELATED ARTICLE: The Best Fit


It is not news that an organization's culture plays a crucial role in the implementation of ERM. Dysfunctional cultures have been blamed for everything from catastrophes, such as space shuttle disasters, to corporate scandals. Multiple studies have identified organizational culture as a top barrier to ERM implementation. The question is, "What is it about the culture that gives it such sway over managing risk organizationwide?"


It is almost redundant to say an organization needs a strong "ethical climate," a "mature risk culture," or a "culture of compliance" for successful ERM deployment. To understand the relationship between culture and ERM, one must characterize an organization's culture at a more fundamental level.


Over the years, management theorists have devised a variety of models for describing organizational culture. One model that appears to address issues of interest to ERM deployments was developed by Dr. Ronda Reigle in 2003. This model assesses an organization's culture based on a continuum ranging from "mechanistic" to "organic."


MECHANISTIC VS. ORGANIC


A mechanistic culture is highly formalized, controlled, and structured, with personnel assigned to precisely defined jobs in a rigid hierarchy. By contrast, organic cultures lack strong formality and standardization. Workers have jobs that are loosely defined, and they perform ever-changing tasks using whatever methods meet the needs of the endeavor. There are high levels of interaction, collaboration, and open communication across a pliable organizational hierarchy.


So which of these culture types is more conducive to effective ERM? It could be argued that it would be easier to implement ERM in a mechanistic environment. With its emphasis on strict procedures, detailed direction, segregation of duties, and watchful supervision of employees, the mechanistic system appears to mesh nicely with the types of control activities auditors have traditionally advocated. In such an environment, the recipe for ERM deployment appears straightforward: simply establish the new policies and job duties, outline the revised hierarchical structure, and have ERM mandated from the top. If the planning is done well, the ERM deployment should occur smoothly.


Unfortunately, ERM deployments may not go as planned. When problems occur, more than just the compliance of employees will be needed, and ERM by its nature is broader than conformity. Employee involvement is needed to identify risks, communicate them, assess them, and determine how to deal with them. While industries face increasing complexity and rapid change, organizations may not be able to wait for risks to be processed through a mechanistic culture before a decision is made.


ERM requires open and effective communication across the organization and a culture in which employees and their managers do not feel threatened by internal disclosure of risks. Thus, an organic culture appears to be better suited for handling these basic aspects of ERM, as it emphasizes lateral communication, collaboration, and employee commitment to the organization coming from within, rather than being coerced from without.


LINKING CULTURE TO ERM


To test the theory that an organic culture would provide better support for an ERM deployment than a mechanistic culture, we developed a survey using Reigle's "Organizational Culture Assessment" (OCA) instrument in conjunction with several questions regarding progress and success in implementing ERM. The OCA portion provides a score that ranges from a minimum of one, signifying a fully mechanistic culture, to a maximum of five for a wholly organic culture. Participants' OCA scores were statistically analyzed in relation to each of the possible responses to the ERM questions. The survey was deployed online using The IIA's Global Auditing Information Network Web site in late 2004. There were 116 respondents.


AGE AND MATURITY OF ERM PROGRAM


The average OCAs generally trended upward with the length of time an organization had been implementing ERM and the amount of progress made. Statistically significant differences in average OCA scores were found at the extremes. For example, OCA scores were significantly lower for those who had not begun their ERM implementation when compared to those who were 100 percent complete. Similarly, respondents from organizations actively implementing a risk management process had higher OCA scores than those where ERM implementation was deemed unlikely.


APPOINTMENT OF A CHIEF RISK OFFICER (CRO)


The survey asked participants whether their organizations had appointed a CRO, and if so, how long that position had been in place. Results for this section were inconclusive, as no significant differences or patterns were found.


ERM PROGRESS IN TERMS OF COSO'S ERM FRAMEWORK


A positive relationship between average OCA scores and progress in implementing the eight COSO ERM components was observed. In other words, those who estimated their organizations were further along in implementing the COSO components had, on average, higher OCA scores. Regression analysis indicated a degree of statistical predictability between OCA scores and ERM implementation measured in this way.


SATISFACTION WITH ERM PROGRESS


Participants were asked whether they were satisfied with the speed and effectiveness of their organizations' ERM programs. Although those who answered "no" had OCA scores ranging widely from mechanistic to organic, the "yes" respondents overwhelmingly represented organic cultures.


OPINIONS OF CULTURE'S IMPACT ON ERM


Similarly, when asked about how the culture of their organizations impacted ERM implementation speed and effectiveness, those who said the culture helped were mostly from more organic entities.


WILLINGNESS TO CHANGE THE CULTURE


When asked whether or not the organization had taken steps to alter its culture to support implementation of ERM, those who said "yes" were from more organic cultures.


IMPLICATIONS FOR ERM


If it is indeed true, as the survey results indicate, that ERM deployment is influenced by organizational culture, what does this mean for implementers and auditors? For ERM implementers:


* Managers might consider measuring how mechanistic or organic their organizations are, before plunging into ERM, and use this knowledge as input to implementation planning.


* A robust change-management plan, one that regularly reassesses organizational culture, may be beneficial for dealing with undesirable cultural tendencies.


* Implementers should practice what they preach during planning and implementation. If the goal is a more organic culture, they should demonstrate collaboration, employee involvement, open communication among departments, and other organic attributes as ERM is rolled out.


* The culture itself may be considered a risk worthy of ERM identification, assessment, response, and reporting to senior management and the board.


If it is decided that a more organic culture is desirable, internal auditors may wish to evaluate whether their activities support or inhibit that objective. The following questions may help internal auditors to make this determination:


* Does the language in audit reports convey a mechanistic or organic mindset about the organization?


* Are audit recommendations mechanistic-based, such as more stringent policies, closer supervision of employees, or strictly defined job tasks? Or, is there an emphasis on organic approaches like improved communication among departments, collaboration, and innovation involving all employees?


* Which culture type better describes the typical relationship between auditors and their customers?


* What are the audit department's instinctive assumptions about the nature of the organization? Are they trying to control people or processes to manage risk?


* Does internal auditing promote collaboration among functional units for the good of the whole enterprise or adversarial relationships between organizational silos?


These questions hint at an apparent fundamental paradox: Internal auditors may be prone to manage risk through traditional controls that seem perfectly logical and prudent in a mechanistic culture, yet we are learning that managing risk may be more organic. This is not to promote the abandonment of a heritage of control theory and practice for a sweeping swing of the pendulum to the opposite extreme. Can a pragmatic balance be achieved?


Concepts for dealing with similar ambiguity have been proposed in the past. In the 1980s, management consultants Tom Peters and Robert Waterman Jr. put forth the idea of "Simultaneous Loose--Tight Properties," which describes how excellent companies are able to nullify several supposed paradoxes through a corporate culture that embraces organic qualities while exercising rigid control. And in the 1990s, Peter M. Senge, author of The Fifth Discipline--The Art & Practice of the Learning Organization, asserted that learning organizations "achieve control without controlling" through applying "localness," which involves cultural elements consistent with organic cultures.


Perhaps the time has come for the internal audit and ERM communities to evaluate their cultures and consider how they influence the management of risk throughout the organization.


BY LANE KIMBROUGH, CIA, CCSA, AND PAUL COMPONATION, PHD

RUSSELL A. JACKSON

FREELANCE FINANCIAL WRITER

ILLUSTRATION BY TIMOTHY COOK


COPYRIGHT 2005 Institute of Internal Auditors, Inc.
COPYRIGHT 2008 Gale, Cengage Learning
