I suspect that as organizations institute more robust risk management practices within their organizations, they find themselves face to face with this very quandary. There has been considerable discussion about the relationship between internal audit and risk management over the years, but with no real clear decision on the issue.
I believe the answer lies within the basic philosophy and protocol of an ERM practice. ERM is a practice that tries to ensure a company's operating risk position as the organization tries to achieve its goals. This ERM practice follows a disciplined protocol that consists of a few steps, namely ensuring the clear articulation of goals and strategies of the company, then pre-emptively probing for all the possible events that may prevent the company from achieving its goals.
These events may include possible noncompliance with laws, potential fraud events and less sinister events such as potential process or human errors. Once evaluated, the company introduces pre-emptive solutions to curb the effects of the possible events and ensure that these solutions align with company values and policies.
Once these solutions are in place, the organization tries its best to ensure the goals remain on track by instituting a form of monitoring. This system may include tracking performance metrics via persons within the operations, testing and yes ... audit practices.
So, I believe that logically the ERM function encompasses the corporate audit function.
We can look to an audit as the final authority on validating the accuracy of an organization's reported performance results. It is the last line of defense and is essentially an endorsement function. By sheer virtue of the assurance role, audit has to look into the past in contrast to risk management, which looks into the future, capturing debate on risk and opportunities and influencing strategy.
Many businesses are now creating corporate risk offices headed by a chief risk officer to coordinate this full risk management protocol at all levels of an organization. The chief risk officer is charged with setting guidelines for risk management policy and corporate risk position (appetite and tolerance), establishing risk management processes, and implementing risk responses on management's behalf. Essentially the risk office sets down the policies, and the audit office is left to report on how accurately they are being executed.
Somewhere along the way, audit began to shape policies by judging the depth and breadth of how policies should be executed. This could have started in the early years of the Sarbanes-Oxley Act, when audit often was left with the responsibility for the "risk" function in the absence of these newly created risk offices.
This could become a conflict of interest if audit or the enforcement area starts dictating how the company should execute its policies. Audit's job is to spot check results, then assure the board and the executive team that the results reported by the organization are accurate and according to policy.
JOANNA MAKOMASKI, the former risk manager for an energy delivery company, is a specialist in innovative enterprise risk management methods and implementation techniques with V3 Advisory Group.
September 1, 2010
Copyright © 2010 LRP Publications