The right relationship between Enterprise Risk Management (ERM) and Internal Audit

There is much discussion and debate about how Internal Audit and Enterprise Risk Management (ERM) should be connected.

Some say ERM can be embedded within the internal audit group, but is this correct?

Internal audit standards say that internal auditors should be objective and not unduly influenced. In other words, independent. We have to ask ourselves, can internal auditors be objective and independent if the audit executive is responsible for both audit and ERM?

We don’t think so, which is one reason why we are firm believers that ERM must be housed separately from Internal Audit within an organization.

The other reason? ERM is about managing risks (and opportunities), working closely with executives and management to identify and prioritize risks to allow the organization to focus resources where needed. And working closely means you can’t be independent.

To be clear, we are not against ERM and Internal Audit sharing information, especially when it comes to the biggest risks to the organization. Internal Audit should use risk information to develop and update their audit plans, to ensure audit resources are being focused appropriately.

After all, it’s not just about operational resources, it is about focusing all of the organization’s resources on the biggest risks.

Internal Audit is tasked with providing assurance that the ERM program is working effectively, that the corporate governance structure in place is appropriate and current, and with making recommendations for potential improvements. By corporate governance, we are talking about mission, vision, values, strategic plan, board oversight, internal management oversight committees, escalation process, corporate policies (even just the basics like HR and information security), and so on. How can they fulfil this requirement if the audit executive (i.e., their boss) also oversees ERM? Talk about a conflict of interest!

Are there ways that ERM and Internal Audit can work together? YES!

  • ERM can reach out to Internal Audit when designing the program, discuss what they plan to do, and request feedback. This way, Internal Audit is making recommendations and has a voice but isn’t responsible for implementing the ERM program.
  • Before any risk workshops, ERM can ask Internal Audit if there are any outstanding concerns from previous audits for a specific area. ERM can bring up those concerns (without mentioning the source) during the workshop to solicit the business area’s thoughts.
  • After the risk assessments and prioritization are completed, ERM can share the results with Internal Audit. These results can be used as input into Internal Audit’s upcoming audit plan, or they can prompt the business area to solicit Internal Audit’s feedback on the planned action plan.

Some organizations have a hard time finding a risk-minded executive who isn’t the audit executive to oversee ERM. Here are some thoughts on where to turn for finding the right ERM executive:

  • Chief Financial Officer: CFOs automatically think about risk due to their responsibilities for financial statements, budgeting, and the Finance Act. They tend to be conservative about risk or naturally focus on financial risks. Therefore, this is a good option for many organizations, especially those with a conservative board or a lot of financial risks.
  • Strategy and planning: Many organizations will have an individual responsible for strategic planning and annual planning. Due to the strong linkages between ERM and Strategy, this person would provide valuable insights and perspective for ERM. However, be careful of a too-narrow focus for how ERM can be integrated throughout the organization.
  • General counsel: Lawyers also automatically think about risk, being very compliance-minded, in all of the advice they provide to the organization. A benefit of having General Counsel as head of ERM is the possibility of protecting information under attorney-client privilege. However, be cautious about the extreme conservative risk behavior and how that may influence the risk prioritization for the organization.

The key is to make it work for your organization, its executives, and the culture, because every organization is different. The ERM Program must be tailored to fit its needs.

Watch this space for more insights on ERM.
