Enterprise Risk Management (ERM) is an activity undertaken by many organizations. Jiffy Sportswear, Inc., is a fast-growing, privately owned company that will soon issue its shares to the public and be subject to SEC jurisdiction. Its CEO wants to implement a corporate-wide ERM program and asks you, the CAE, to counsel him on the following:
Answer to 1: Enterprise risk management (ERM) is a process designed to anticipate and analyze potential opportunities and threats that could affect the achievement of the organization's objectives and goals. This process is integral to the management and future direction of the organization, and should be structured, consistent, and continuous across the entire organization. ERM includes identifying, assessing, deciding on responses to, and reporting on strategic, human capital, compliance, operational, financial, and hazard-related exposures. These exposures include both 'risks' that might hinder an organization's attainment of its strategic goals and 'opportunities' that could help the organization achieve its strategic goals.
Answer to 2: As the organization's risk maturity increases and risk management becomes more embedded in the operations of the business, internal auditing's role in championing ERM may reduce. Similarly, if an organization employs the services of a risk management specialist or function, internal auditing is more likely to give value by concentrating on its assurance role than by undertaking consulting activities.
Internal audit "should perform at least some" of the seven risk consulting services, as stated below:
Internal auditors can play a big role in the effective implementation of ERM in an organization. They can:
• Develop a risk-based internal audit programme.
• Audit the risk processes across the organization.
• Give assurance that risks are correctly calculated.
• Evaluate the risk management process.
• Provide assurance on the management of risk.
• Report on the efficiency and effectiveness of internal controls.
ERM supports better structure, reporting, and analysis of risks. Standardized reports that track enterprise risks can improve the focus of directors and executives by providing data that enables better risk mitigation decisions. The variety of data helps leadership understand the most important risk areas. These reports can also help leaders develop a better understanding of risk appetite, risk thresholds, and risk tolerances. ERM helps management recognize and unlock synergies by aggregating and sharing all corporate risk data and factors, and evaluating them in a consolidated format.
Answer to 3:
Risk-based internal auditing (RBIA) is a methodology that links internal auditing to an organisation's overall risk management framework. It allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.
Advantages
By following RBIA, internal audit should be able to conclude that:
1. Management has identified, assessed and responded to risks above and below the risk appetite.
2. The responses to risks are effective but not excessive in managing inherent risks within the risk appetite.
3. Where residual risks are not in line with the risk appetite, action is being taken to remedy that.
4. Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively.
5. Risks, responses and actions are being properly classified and reported.
This enables internal audit to provide the board with the assurance it needs in three areas:
1. Risk management processes, both their design and how well they are working.
2. Management of those risks classified as 'key', including the effectiveness of the controls and other responses to them.
3. Complete, accurate and appropriate reporting and classification of risks.