Enterprise risk management is a valuable tool to assist institutions in dealing with the uncertainty in our banking environment. An ERM program can facilitate the identification of risk and opportunity while enhancing the capacity to build value. However, audit committees, boards of directors and management often have difficulty identifying a champion to lead and guide implementation and execution of an ERM program. An internal auditor is uniquely positioned to help those charged with governance lead the effort to successfully embrace ERM.
Internal auditors can have vitally important roles in the ERM function. The internal audit role is best-positioned to fully understand the scope of an institution's business strategies and related strategic risks. Working closely with the audit committee, board of directors and management offers great insight into understanding the institution's risk-management philosophy and overall risk appetite. Interaction with line management allows for great understanding of day-to-day operations and the risks associated with implementing strategic goals and objectives.
Stakeholders must understand and give appropriate attention to the business strategies and the risks related to implementing those strategies. Internal audit can facilitate discussions with stakeholders to identify areas of the risk-assessment process that present the most significant risks to shareholder value. Using internal audit to help stakeholders focus on the vital few risks rather than the trivial many risks allows for more efficient ERM implementation or execution. Continuously monitoring and assessing stakeholder expectations on risk appetite also is well-suited for internal audit.
If your institution is just starting an ERM journey, consider utilizing internal audit to create an inventory of your existing risk-management practices. A review of critical control systems and existing risk-management practices can create significant value in your institution by identifying areas where risk identification and mitigation already occurs. Reviewing business plans, budget-to-actual analysis and financial statements to assess risk in strategic objectives are crucial activities for an internal auditor.
Examples of other core roles an internal auditor could perform include:
Internal auditors also can expand their involvement in execution of an ERM program, with the caveat that the responsibility, accountability and authority over the ERM program resides with management.
Expanded roles could include:
Building stronger and less adversarial relationships with risk managers, line management and front-line employees is a byproduct of internal audit involvement in the ERM function. Interaction facilitated by internal audit with all parties will allow for the identification and sharing of best practices in risk management. The discussion between internal audit and management regarding the adequacy and effectiveness of risk treatment strategies adds value to the ERM process by identifying areas where resources should be devoted to test risks associated with following business strategies.
Education and training of ERM stakeholders also can be a value add for internal audit. The skills of an internal auditor are well-suited to assist all parties in understanding the implementation and execution of an ERM initiative. Internal audit can provide its own thoughts on particular business lines, products or services that might be more susceptible to risk and require more focused testing. The evaluation of strategic risks also can lead to more comprehensive identification of emerging risks and whether sufficient monitoring occurs. By educating boards of directors, audit committees and management, internal audit can assist in shaping leadership's understanding of risk management strategies, leading to more informed, timely and proactive decision-making.
Adequate safeguards are a necessity to prevent the internal audit function from overstepping its role in implementing and executing an ERM program. The nature of internal audit's responsibilities for ERM should be documented in an audit charter and approved by the audit committee. Internal audit should not be responsible for managing risks or making decisions on behalf of management. However, internal audit can provide advice and input about decisions made under the ERM framework, though it should not have any responsibility in decision making.
Roles an internal auditor should not undertake in an ERM function include:
There are numerous benefits in implementing an ERM function in today's volatile business environment. Many newly formed and existing ERM programs lack full transparency among all parties participating in risk management. However, internal auditors have an opportunity to be integral team members in the ERM function by obtaining and cultivating the necessary skills to educate stakeholders on the value of internal audit's participation in the ERM process.
Internal auditors can help stakeholders improve their understanding of key business risks while meeting an institution's strategic goals and objectives. More informed risk-taking and decision-making can result from using the strengths and competencies of your internal audit function through its participation in implementation and execution of an ERM program.
Mike Ososki is a certified public accountant at BKD, LLP. Contact him at email@example.com.
Article reprinted with permission from BKD, LLP, bkd.com. All rights reserved.
BankNews. June 2014.