There is much discussion and debate about how Internal Audit and Enterprise Risk Management (ERM) should be connected.
Some say ERM can be embedded within the internal audit group. I don’t fall in this group.
Internal audit standards say that internal auditors should be objective and not unduly influenced. In other words, independent. I have to ask myself, can internal auditors be objective and independent if the audit executive is responsible for both audit and ERM?
I don’t think so, which is one reason why I am a firm believer that ERM must be housed separately from Internal Audit within an organization.
The other reason? ERM is about managing risks (and opportunities), working closely with executives and management to identify and prioritize risks to allow the organization to focus resources where needed. And working closely means you can’t be independent.
To be clear, I am not against ERM and Internal Audit sharing information, especially when it comes to the biggest risks to the organization. Internal Audit should use risk information to develop and update their audit plans, to ensure audit resources are being focused appropriately.
After all, it’s not just about operational resources, it is about focusing all of the organization’s resources on the biggest risks.
Internal Audit is tasked with providing assurances that the ERM program is working effectively, that the governing documents are appropriate and current, and make recommendations for potential improvements. How can they fulfil this requirement if the audit executive (i.e., their boss) also oversees ERM? Talk about a conflict of interest!
Are there ways that ERM and Internal Audit can work together? YES!
- ERM can reach out to Internal Audit when designing the program, discuss what they plan to do, and request feedback. This way, Internal Audit is making recommendations and has a voice but isn’t responsible for implementing the ERM program.
- Before any risk workshops, ERM can ask Internal Audit if there are any outstanding concerns from previous audits for a specific area. ERM can bring up those concerns (without mentioning the source) during the workshop to solicit the business area’s thoughts.
- After the risk assessments and prioritization is completed, ERM can share the results with Internal Audit. These results can be used for input into Internal Audit’s upcoming audit plan or prompt the business area to solicit Internal Audit’s feedback on the planned action plan.
Some organizations have a hard time finding a risk-minded executive who isn’t the audit executive to oversee ERM. Here are some thoughts on where to turn for finding the right ERM executive:
- Chief Financial Officer: CFOs automatically think about risk due to their responsibilities for financial statements, budgeting, and Sarbanes-Oxley requirements. They tend to be conservative about risk or naturally focus on financial risks. Therefore, this is a good option for many organizations, especially those with a conservative board or a lot of financial risks.
- Strategy and planning: Many organizations will have an individual responsible for strategic planning and annual planning. Due to the strong linkages between ERM and Strategy, this person would provide valuable insights and perspective for ERM. However, be careful of a too-narrow focus for how ERM can be integrated throughout the organization.
- General counsel: Lawyers also automatically think about risk, being very compliance-minded, in all of the advice they provide to the organization. A benefit of having General Counsel as head of ERM is the possibility of protecting information under attorney-client privilege. However, be cautious about the extreme conservative risk behavior and how that may influence the risk prioritization for the organization.
Where is ERM within your organization? How is it working?
Tell me in the comments below or join the conversation on LinkedIn to share your thoughts.
If your organization needs someone to provide a new perspective on the effectiveness of your ERM program and what connection it should have with internal audit, complete the form below to be added to my consulting and coaching waitlist.
Sign Up For Our Newsletter
Sign Up For Our Newsletter
Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
Most Recent Posts
Without a doubt, one of my family’s favorite holidays is Christmas. Part of the fun, especially for our son, is seeing what “Santa” brought, but most importantly, we treasure the spirit of peace and goodwill the season brings. And after what seemed to be a never-ending warm spell, the weather is expected to be good…Read More
As the end of the year draws near, I think we’d all agree that while it wasn’t without its challenges, this year also wasn’t quite as turbulent as the previous two. While a lot of people are juggling company parties, shopping for friends and family, and special activities for the kids, most companies are putting…Read More
Strategic planning is a challenge – of all people, I understand… After all the meetings, risk and data analysis, and brainstorming of the preceding months, it’s tempting to think this is the end of the road and you can relax. Contrary to this common perception though, this is exactly not the time to relax, but…Read More
Be honest – have you ever done something that you soon realized was a real rookie mistake? Me raising my hand… Considering the nature of ERM’s role to ask questions and challenge assumptions (often during conversations with executives), it can be argued that, in at least some cases, the expectations bar for risk professionals is…Read More
On occasion, I like to take some of the concepts we risk professionals think about in our jobs and apply them to different personal situations…take some of the same concepts we use when working with executives to develop corporate strategy and manage risks or uncertainty around that strategy. It’s Thanksgiving week in the U.S. –…Read More
Periodically, I have the pleasure of speaking one-on-one with Hans Læssøe on a variety of topics around ERM, strategic risk, and other issues and trends. As you know from my previous conversations (here, here) and posts featuring his work, Hans was formerly a practitioner at the iconic LEGO Company, but even more notably, is a…Read More
Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want? Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking…Read More
One thing I was taught to appreciate from a young age was the value of education and knowledge. It didn’t necessarily matter what the subject was, just that I always maintain a learning or growth mindset regardless of my current status in life. This mindset has served me well over the years, and it’s a…Read More
It’s amazing how technology has developed and changed our working world over time. Imagine trying to run my risk and strategy consulting firm without tools like Zoom, Box, Slack, and other ERM-specific technology tools. There is no way we would be able to serve our clients the way that we do. Just consider how the…Read More
If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you. I don’t say that to scare you but to provide a small dose of reality. Building, launching, and refining an ERM program that is…Read More