I always struggle when I review enterprise risk management (ERM) information that seems to stop at the risk assessment activity. Isn’t it time we stop merely assessing risk and start addressing risk?
Is it really possible (or necessary) to do a quarterly update of the top 10 risks of an organization? And, if there is a wholesale change of the list of risks every 90 days, doesn’t it imply that the process might not be as good as originally thought?
Don’t get me wrong. I think risk assessments have their place. But then, isn’t it imperative to move on to the next logical step in the process — that of determining how strong the activities are to prevent, deter, transfer, exploit, accept, or address the risk?
I think internal audit can play a role in making the next step in the ERM evolution a reality — much as we did when the Sarbanes-Oxley Act was in its infancy. “Operationalizing” ERM seems the way to go to me. If we haven’t already done so, let’s replace our “audit universe” with a “risk universe” — then audit against that broader, and more interesting, set of risks — while the risk owners continue to establish the right monitoring processes to make sure their risk mitigation activities operate as designed.
There will be many great audit minds who will chime in and say that internal audit can’t play in this sandbox — that this will ruin the objectivity of the internal auditor in being able to evaluate management’s ERM activities. I disagree. If necessary, why wouldn’t the internal audit function just find an independent party to make the assessment if they became too close to the process? I think sometimes we over-think things and get all bunched up over the wrong issues.
My thoughts — what are yours?
Posted on Sep 22, 2010 by Kiko Harvey