Understanding the Changing Dynamics between ERM & Audit

As is often repeated here and elsewhere, the world is changing at an incredibly fast pace. Even without this year’s coronavirus pandemic, this pace will only accelerate in the years and decades ahead as automation, AI, machine learning, and other technologies continue to develop.

ERM and audit are not immune to this change…

Internal auditors from even 10 years ago, and certainly from before the year 2000, may not recognize where this vital function stands today. ERM, for its part, was still a fledgling field in the first decade of the 2000s.

While ERM has always taken a holistic view of risks and how they affect different parts of the organization (…as opposed to just considering risk within a single department or business unit), preventing failure has traditionally been its main goal.

Internal audit traditionally had a similar purpose: providing assurance to the organization’s governing body that management was properly handling risks, usually in the form of compliance and financial reporting. Auditors would look at processes or certain topics and ask:

  • What risks exist?
  • What controls are in place?
  • Are the controls management says are in place actually there?
  • Are these controls actually being used?
  • Are these controls actually effective?

Like ERM, the traditional focus of internal audit has been on preventing failure rather than ensuring success. Under old ways of thinking, the job of risk managers and internal auditors was to prevent management from taking too much risk.

But in order to remain relevant to the organization’s needs, the focus of ERM and audit must change from a strict value protection role to one of value creation.

The recognition that ERM & audit must change has been around for several years, but change can be hard. As Ray Stasieczko explains:

A company becomes obsolete when they focus on bringing the past to the future instead of bringing the future to the present.

Many recognize the need for this change and have been shifting their thinking about ERM & audit. Several posts on this blog (see here, here, and here) from over the last year or more explore this change in terms of ERM.

For audit, this change in thinking can be traced back to fallout from the 2008 financial crisis where auditors were expected to understand more about risks. The Financial Stability Board issued guidance for internal auditors in 2013 urging a transition from “point-in-time” reporting on controls for a small percentage of risks to reporting on the reliability and effectiveness of the organization’s entire risk appetite framework.

While this represented some progress, it was still “risk-focused” or defensive.

To better serve the organization’s needs, ERM & audit have to think offensively by focusing on objectives and intelligent risk taking.

Consultant Tim Leech explains that the goal of “objective-centric” ERM and audit (Tim’s label) is not to prevent failure but to:

…generate better information on the true state of retained risk to help senior management and the Board make better resource allocation decisions and drive long-term value creation and preservation.

The Institute of Internal Auditors (IIA) also recently released an updated version of its risk management and control model originally known as the “Three Lines of Defense.” One of the first significant changes with the new model is that it drops “defense” from its title.

Released in 2003, the old model explained that the job of both risk managers and internal auditors was to stop operating managers from taking too much risk.

In a post announcing the new model, IIA President and CEO Richard Chambers explains:

…the increased focus on governance supports both the value creation and protection and deals with both the offensive and defensive aspects of managing risk. This addresses one of the principal criticisms of the Three Lines of Defense model, which is its primary focus on defense.

While the new model retains the “lines” concept because of familiarity, the areas of responsibility are more about what each area does and how they collaborate. These areas include:

  • The Board – Accountability to stakeholders for oversight.
  • Management – Actions, including risk management, for achieving objectives.
  • Audit – Assurance and advice for continuous improvement.

Please note that I am only mentioning this model to illustrate changes in ERM and audit and not to introduce a new process to your organization.

What should the relationship between ERM and audit look like?

In a previous article from nearly three years ago, I discuss the proper relationship between ERM and audit mainly in the context of where the ERM function should reside in the organization’s structure. Many organizations, including ones I was quite familiar with at the time, would house the ERM function within the internal audit group, which was a mistake in my opinion.

In addition to this commentary, the article also dives into ways ERM and audit can work together in developing the risk processes and understanding any concerns audit has about a business unit and ERM’s risk assessments.

The spirit of this arrangement was one of cooperation to ensure an organization’s success.

IIA’s new model formalizes and expands somewhat on this topic when describing what the proper relationship between ERM and audit should look like. From the new Three Lines Standard:

Internal audit’s independence from management ensures it is free from hindrance and bias in its planning and in the carrying out of its work, enjoying unfettered access to the people, resources, and information it requires. It is accountable to the governing body. However, independence does not imply isolation. There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization.

The sentence “…independence does not imply isolation” is very instructive. While audit must remain independent in order to fulfill its core role, it must also actively engage with ERM and other areas of the organization.

What is one way to include audit while maintaining their independence?

If your organization has a group (or more than one group) making decisions on strategy or operational matters, internal audit can sit in on these conversations and provide advice and recommendations but not be a ‘voting’ member. What the group decides to do is ultimately up to them, but at least audit’s perspective will have been heard and hopefully factored into the decision(s).

This is just one idea of course.

Based on IIA’s new standard and commentary from thought leaders like Tim Leech and Norman Marks, the need for collaboration between ERM and audit for ensuring the company’s success has never been greater.

In order to play a significant role in the organization going forward, both ERM and audit must expand beyond their “traditional” roles of exclusively averting failure to one of informed risk taking.

With the pace of change happening in today’s world, simply focusing on minimizing and avoiding risks will eventually lead to a company’s downfall – be that within the ERM function or the audit function.

Is your organization’s audit function expanding its focus to include risk taking and not just avoidance?

What other ways can ERM and audit collaborate together to ensure the organization’s success?

Part of the purpose behind articles like this is to prompt discussion to help risk professionals learn methods and ideas they can use in their organization, so please don’t be shy. Share your perspective by leaving a comment below or joining the conversation on LinkedIn.

And if your organization’s ERM and audit functions are struggling to collaborate or shift from a strict risk avoidance mindset, reach out to me to discuss your specific situation today.

Featured image courtesy of Mediensturmer via Unsplash.com

The IIA’s Three Lines Model. Copyright © 2020 by The Institute of Internal Auditors, Inc. (“The IIA”). Used with permission. All rights reserved.
