Operationalizing ERM

I always struggle when I review enterprise risk management (ERM) information that seems to stop at the risk assessment activity. Isn’t it time we stop just merely assessing risk and start addressing risk?

Is it really possible (or necessary) to do a quarterly update of the top 10 risks of an organization? And, if there is a wholesale change of the list of risks every 90 days, doesn’t it imply that the process might not be as good as originally thought?

Don’t get me wrong. I think risk assessments have their place. But then, isn’t it imperative to move on to the next logical step in the process — that of determining how strong the activities are to prevent, deter, transfer, exploit, accept, or address the risk?

I think internal audit can play a role in making the next step in the ERM evolution a reality — much as we did when the Sarbanes-Oxley Act was in its infancy. “Operationalizing” ERM seems the way to go to me. If we haven’t already done so, let’s replace our “audit universe” with a “risk universe” — then audit against that broader, and more interesting, set of risks — while the risk owners continue to establish the right monitoring processes to make sure their risk mitigation activities operate as designed.

There will be many great audit minds who will chime in and say that internal audit can’t play in this sandbox — that this will ruin the objectivity of the internal auditor in being able to evaluate management’s ERM activities. I disagree. If necessary, why wouldn’t the internal audit function just find an independent party to make the assessment if they became too close to the process? I think sometimes we over-think things and get all bunched up over the wrong issues.

My thoughts — what are yours?

 

Posted on Sep 22, 2010 by Kiko Harvey

Share This Article:    

  Comments (19) un-categorized
  1. Comment by: Larry Herzog Butler, CPA   (9/22/10 06:04 PM)   http://PharosDelivers.com

    I just returned home from the 2010 IIA Western Regional Conference; and ERM was at the heart of our discussions. 

     I agree with you Kiko that Internal Audti (IA) must take the lead in fully implementing ERM.  At the same time, IA  must be cognizant of actions that may impair objectivity and independence. 

    Bottom line...companies should ultimately err on the side of ensuring that their signnificant strategic, operational, financial and compliance risks are appropriately assessed and mitigated.

  1. Comment by: montaser   (9/23/10 05:52 PM)   

     

     If I agree with you what's the role of risk management department in fully implementing ERM
  1. Comment by: Arnold Schanfield   (9/25/10 08:15 PM)   

    Kiko:

    Internal audit can and should definitely be looking to play in this sandbox. They should familiarize with The Fan of those responsibilities they they should do, those they should not do and those they should do with adequate supervision

    Does it currently have the skills to do so? - I doubt it

    How do I know this?- Because the IIA until now has put out  very little practical/usable material in the field of risk management whether it be how to conduct a proper risk assessment, how to assess the adequacy of a company's risk management system, steps in conducting a facilitated workshop, different event identification techniques and when to use each, what to train a board in, in risk management. In addition, the 300 page COSO ERM guides are pretty much useless, being rejected ever more so by companies day by day. Also I know this from the quality of my contact with many internal audit departments and from review of the various articles in IIA magazine on this subject matter. True it also has some practice guides out there but these are inadequate.

    Why are we in this position?- because we were erroneously focused for too long on just Sarbanes Oxley and as well were completely oblivious to risk management guidance from other countries in the world especially Canada and Australia.

     

    Continued below

  1. Comment by: Arnold Schanfield   (9/25/10 08:16 PM)   

    Continued from above

    Can we do something about this now? Yes we can. The IIA should play a strong leadership role this year. Properly fund the search activities from either increasing the dues or corporate support and reducing support from the vendors. Analyze the gaps in risk management and develop  the necessary materials in house. Stock the book store with leading risk management guidance such as AS/NZS 4360:2004, HB 436, HB 254, ISO 31000, ISO 31010, Rule 73, HB 158 for ISO 31000, CoCO together with several leading books from highly qualified risk management professionals. Develop alliances with leading schools of risk management and retire the COSO books which can be used for research purposes. Develop further implementation guidance.

    These are my thoughts.

    Regards,

    Arnold Schanfield

  1. Comment by: Kiko Harvey   (9/29/10 09:24 PM)   

    Great thoughts, Arnold.....although I'm not sure a dues increase is necessary.  The thought leadership is present within the IIA.  My friend, Paul Sobel, is someone I rely on for guidance.  Another great source of materials are the colleges and universities.  I downloaded a risk management toolkit from the University of Washington that was very insightful.   - Kiko

  1. Comment by: arnold schanfield   (10/4/10 10:51 AM)   

    Thanks Kiko. I was thinking dues increase because more internal research needs to be done with RFPs etc. on key risk management areas. The existing guidance is poor and is primary reason todays internal auditors are not equipped to make the leaps you suggest. Paul Sobel is indeed a great thought leader and there are others. But much more action is needed.

    The best materials so far available that I know of include the book by John Fraser which the IIA just made a decision on to carry in their bookstore- ERM- Today's leading Research  and Best Practices For Tomorrow's Executives- John Wiley is Publisher. Also case published by Harvard Business School on ERM at Hydro One- also company where John is Head of IA and Risk.

    There are few excellent ERM academic programs in the US. In fact I know of not one single one by  the standards of above although there are several excellent ones in Canada and Australia and other parts of the globe already

    Best regards,

    Arnold

     

     

     

  1. Comment by: Kiko Harvey   (10/6/10 09:25 AM)   

    Great thoughts, Arnold.  Thanks!

  1. Comment by: Leonard Moody   (10/7/10 01:00 PM)   

    As an organization, we are trying to evolve into a more risk savy organization.  Can anyone here speak to the evolution of their organization into ERM.  How did it start?  What materials did you use to communicate the value of ERM?  In a time of reduced resources, how do I get executive management to focus on the need to formally manage our risks?

  1. Comment by: Sean Chari   (10/7/10 02:11 PM)   www.marcumrachlin.com

    It is simply sufficient for a doctor to diagnose that a patient has an illness and tell the patient to come back in 90 days. 

    It is a clear imperative that, upon completing a risk assessment, that the organization properly prioritizes and develops an action plan to remediate the issues.  The 90 updated review is to act as a scorecard to evaluate the remediation, re-prioritize risks, and evaluate the ROI of the remediation.

    And as you correctly stated, the reality is that Sarbanes-Oxley changed the internal audit landscape.  Internal audit demonstrated that  it could be leveraged to not only identify but provide guidance in the remediation.  

    And now, with so many tools to automate compliance monitoring, effectively enabling internal audit to disseminate compliance/controls while empowering business owners to real-time manage compliance, tomorrow's internal audit department is going to be expected to "help" the organization more than before versus performing the standard audit schedule.

    Implementation is never an option as IA needs its independence.  But guidance is not an issue.  Oversight is not an issue.  Remediation roadmap/monitoring is not an issue, etc.

    In effect, IA has turned to a new chapter while no one was watching, and it is imperative that today's IA professionals pay attention and move to the next page or they will be left behind in a few years.

    You are 100% correct. 

  1. Comment by: Sean Chari   (10/7/10 02:13 PM)   www.marcumrachlin.com

    Is it simply sufficient for a doctor to diagnose that a patient has an illness and tell the patient to come back in 90 days. 

    It is a clear imperative that, upon completing a risk assessment, that the organization properly prioritizes and develops an action plan to remediate the issues.  The 90 updated review is to act as a scorecard to evaluate the remediation, re-prioritize risks, and evaluate the ROI of the remediation.

    And as you correctly stated, the reality is that Sarbanes-Oxley changed the internal audit landscape.  Internal audit demonstrated that  it could be leveraged to not only identify but provide guidance in the remediation.  

    And now, with so many tools to automate compliance monitoring, effectively enabling internal audit to disseminate compliance/controls while empowering business owners to real-time manage compliance, tomorrow's internal audit department is going to be expected to "help" the organization more than before versus performing the standard audit schedule.

    Implementation is never an option as IA needs its independence.  But guidance is not an issue.  Oversight is not an issue.  Remediation roadmap/monitoring is not an issue, etc.

    In effect, IA has turned to a new chapter while no one was watching, and it is imperative that today's IA professionals pay attention and move to the next page or they will be left behind in a few years.

    You are 100% correct. 

  1. Comment by: arnold schanfield   (10/8/10 12:08 PM)   

    Leonard,

    If you get in touch with me at aschanfield@verizon.net, I'll be pleased to discuss/communicate those types of things, that you can use to become a more risk savvy organization.

     

    Arnold

  1. Comment by: Dan Clayton   (10/12/10 07:40 AM)   

    Kiko and Arnold,

    I love the comments. In my mind you are both on target. It is difficult to operationalize risk management because "risk" has yet to be defined universally outside ISO 31000. We all seem willing to skip this step creating serious gaps and communication problems. That is why I am a total advocate of Arnolds post. We need IIA direction. We (our organization) have now spent 5 years defining risk for our 250 internal auditors.  Here are a few interesting observations in our evolution of trying to change our audit process to incorporate and contribute to effective ERM or risk oversight regardless of it actually existing at the organizations we audit:

    1. Failures in ERM operationalizition always come from two elements: a) lack of common definition for risk resulting in b) a clash of perspectives. Management sees the world through people, processes, and technology maturity while auditors and consultants see it through potential events to be managed... The reporting of risk events does not fit management’s perspective complicating their ability to make true operational change... 

    2. Risks that impact business objectives emanate from and are defined by the strategic plans and business objectives making risk only relevant when placed in business context. This is in stark contrast to actuarial risk management where the result is derived by probability and impact alone.

     

     

     

     

  1. Comment by: Dan Clayton   (10/12/10 07:41 AM)   

    In short, I have found no bridge yet built between evolving philosophy of good business management and ERM. In my mind the IIA is the only organization that can build this bridge effectively. It is a bridge requiring an operational definition of risk and an ability to set risk management standards within the people, process and technology perspective of management. ISO 31000 should be formally adopted by the IIA. CoCo's COBIT's operational perspectives can also help significantly.

    Finally, I would define risk management as having two key parts; vulnerability identification and threat awareness. Vulnerability is the state of the people, process and technology in place to accomplish objectives and threats are largely external events that could impact progress towards objectives.

    My thoughts

     

  1. Comment by: Sajid    (10/12/10 09:11 AM)   

    I posted a couple of responses, Havent shown up yet?

  1. Comment by: Sajid   (10/12/10 09:12 AM)   

    I don't claim to be a great audit mind, but I do chime.  Here is some of my click clack.

    As an auditor, I feel that unlike traditional internal auditing (under IIA Standards), ERM is a complex arena.  Instead of a clear set of standards, there are many sources of information, guidance and knowledge.  No one entity regulates (so to speak) at the top.  No best practices established yet.  It is a maturing field. That is the biggest challenge.  Any one can assume leadership.  Risk Management groups have been taking some initiative.  IA should get involved too, but, with all due respect, not to the point of replacing audit universe with risk universe.  A more effective way maybe to keep evaluate the evolution and keep pace with it.  Is Risk Management going the right way? Is it doing enough? All are appropriate stakeholders involved? so on and so forth.

     

  1. Comment by: arnold schanfield   (10/14/10 12:35 PM)   

    Dan:

    I agree with much of what you are saying and some additional thoughts to your remarks. Yes- risk needs to be formally defined by the IIA as well as risk management and several other terms. I think that the IIA will be focused on this as risk management is viewed as a strategic priority of it. Here are slightly upgraded versions of definitions of risk and risk management from ISO 31000 with as few words as possible yet right on the mark.

    Risk is the effect of uncertainty on accomplishing your business objectives. (10 words). Risk Management is a discipline for managing uncertainty. (6 words)

    To your point of failure in ERM- there are many reasons for failures but certain absence of common definitions etc. is right up at the top of the list. Other reasons are cultural issues, inadequate/incapable  personnel and inadequate support from the top. Other things as well.

    Re your point on actuarial risk management, it is a piece of the bigger picture. It is an important piece but certainly not the entire picture. Unfortunately the perspective portrayed perhaps by the actuarial profession may be different from reality. (eg Society of Actuaries and other such organizations). This is why the many different professional organizations need to be talking/communicating with each other.

    Internal auditors are indeed well poised but we need to take control of our future which means being proactive in this area with much haste.

    Regards,

    Arnold

     

     

  1. Comment by: Dan Clayton   (10/14/10 03:33 PM)   

    Absolutely Arnold! Haste is needed. IIA fortitude is also a requirement. We need the vision and belief that we as an industry can solve Risk Management woes and bridge gaps with our own unique solution independent of our financial audit roots or regulatory wind. The solution is closer to sourcing the value we provide into accepted business managment professional practices... What is good management and how does Risk Management plug in... Our ability to plug into their processes that already exist and report our information in their format and language will define the scope of our future influence.

     

  1. Comment by: Lesly   (10/19/10 02:30 PM)   

    The term ERM has lost enough meaning for me that I would like to see some discussion of what difference the approach has made to actual business practices.  In other words, what did management do before the buzzword/term was born and what specifically has "ERM" changed? 

    We have all been managing risk since we were old enough to perceive it, quite young actually.  Perhaps we are just recognizing that the number of variables influencing risk are increasing and change is occurring at a faster rate.   Hence the need to bring  the management of risk to the forefront.

  1. Comment by: cees klumper   (10/31/10 04:08 PM)   

    To Lesly's question: what ERM should do is make management's risk management considerations and decisions explicit rather than leaving them unspoken. In other words, yes, management and everyone else in the organisation for that matter manage risk on a contrinuous basis. The only difficulty is that the thinking about uncertainties that surround the realisation of objectives (risk and its management) typically remain invisible, and only the final outcome (strategy, plans, activities, processes, structures, communication, systems, human resources etc etc) is made explicit and is documented. So what ERM should do is make the risk part visible, get it documents, so that managers can better discuss it among themselves, and have a dialogue with superiors and, ultimately, the Board, about it. That's all it is - yet this represents such a change that that accounts for a lot of the hesitation and confusion. We're scratching the surface of a nice treasure, so we'd better stay at itm even though we as internal auditors aren't quite sure how to get there either.

Leave a Reply