Over the years, we have written extensively on enterprise risk management (ERM) and stressed the importance of organizations establishing the oversight, control and discipline to drive continuous improvement of their risk management capabilities in a changing operating environment. These issues have always been on the minds of board members and management. However, at no time in recent memory has sound ERM guidance been more critical for business success. Amid perceived risk management failures in the wake of the recent global financial crisis and its lingering consequences, increasing regulatory scrutiny, and growing technology risks, boards are mandating that ERM be a high priority in their organizations. As a result, the internal audit functions at the 10 companies profiled in this year’s Internal Auditing Around the World are taking steps to integrate risk management into their processes for formulating and executing their audit plans.
The companies featured in this book – whether headquartered in Canada, China, France, Italy, Singapore or the United States – are truly international in the scope and size of their operations. They are among the industry leaders in e-commerce, financial services, hospitality, Internet, manufacturing and distribution, paper, retail, telecommunications, and utilities. As is to be expected, the internal audit approach to ERM is often targeted to address the unique industry and geographical challenges each organization faces.
At Sequana, for instance, the need to be in compliance with French financial regulatory requirements caused the internal audit team to focus on updating and rebuilding its risk-mapping strategies. Not surprisingly, given the ever-multiplying risks in the internet industry, salesforce.com adopted ERM because it believes trust and security are paramount to its business. And at Visa, a global financial services company, product innovation must be on an accelerated timetable to stay competitive – but not at the expense of ERM, which needs to be effective and efficient to ensure risks are identified and managed.
A careful study of the profiles reveals certain common practices that these organizations employ to make ERM a strategic imperative. Above all, regular communication with senior management is considered pivotal to the success of any ERM initiative. Here are some examples of the key risk management areas these internal audit functions are addressing: regulatory compliance, managing financial risks, establishing specific risk programs, coordinating ERM with corporate strategies and redefining risk methodologies.
For the interviewees, their commitment to ERM in terms of time and resources is an investment that is already yielding dividends. One major benefit is being able to reassure both internal and external stakeholders that critical risk management concerns are being addressed. This, in turn, can help satisfy board mandates, possibly even allow the pursuit of opportunities that come with substantial risk, enhance an organization’s reputation (which may encourage analysts to recommend investing in the company), facilitate a favorable outcome to the rating process by financial agencies, and achieve greater customer satisfaction through increased confidence that key risks associated with the company’s products and services are reduced to an acceptable level, among other things.
Most important, though, we believe strongly that ERM has to “work” and not just be another “tick the box” exercise. This means fewer surprises, and when surprises do occur – as they certainly will – a plan or response has already been thought through for that particular event, increasing the company’s preparedness for the unexpected. A working program also means that everyone in an organization understands the concepts of risk, shares a common vocabulary and sees risk assessment, management and mitigation as a part of their job that allows them to perform better and achieve better results. ERM should also provide for consistent and bigger bonuses, as plans will be achieved and exceeded more frequently because of better risk knowledge and more robust plans and actions taken around those things that can get in the way of meeting the organization’s objectives. And finally, a working ERM program means that more “opportunities” are uncovered, discussed and acted on that will yield new products, markets, better profitability and a more satisfied workforce. Internal audit can, should and must play a role in getting ERM to work and evolve to higher levels of effectiveness over time.