Accounting and Auditing
Today’s article comes from my twin brother, Harry Hall. He is a certified PMP®, PMI-RMP®, and has his Associate in Risk Management (ARM-E).
Many organizations do not have an enterprise risk management (ERM) program. Therefore, these entities lack the policies and procedures to manage enterprise risks (i.e., threats and opportunities) and achieve their objectives. In this article, we’ll look at how CPAs can suggest an ERM program to their clients.
Imagine that you’ve completed an audit of an organization. One way you can help your client is to provide a management letter that provides ideas to make the organization better. And one of the suggestions you can make is for them to implement an ERM program, or you can provide ways to improve the existing program. (Of course, as the auditor, you can’t make management decisions, but you can make suggestions.)
Think about it. Has one of your clients encountered a surprise event or condition in the last few years? Imagine if the client had identified and managed the risk better. That single failure may have caused your client to miss their annual objectives, resulting in weaker financial and operating positions. It’s even possible they no longer exist.
A sound ERM program can improve–and even save–your client.
What is ERM?
First, let’s define ERM. It is a program whereby an organization identifies and manages all of its risks in order to achieve its objectives.
How does ERM differ from traditional risk management? Well, traditional risk management focuses on pure risks. These are risks where there is the possibility of loss or no loss, but no chance of gain. Hazard or insurable risks are pure risks.
ERM includes pure risks, but also includes speculative risks. Speculative risks are risks where there is a chance of loss, no loss, or gain. So, speculative risks have the potential for gain. Examples of speculative risks include financial risks, strategic risks, and some operational risks.
So, let’s see how ERM helps businesses.
Four Benefits of ERM
There are several ways that an organization may benefit from ERM. The benefits include, but are not limited to, the following:
First, an ERM Champion can help their organization implement strategic risk management, a component of ERM. Here, we can clarify enterprise objectives and improve strategic planning, analysis, and alignment.
Second, ERM helps organizations identify risks between departments. Many departments live in siloes. And most people think solely about their department’s risk. But the actions taken by one department may impact other parts of the organization.
Third, ERM can boost collaboration. As risk owners from different departments focus on enterprise objectives together, these individuals begin to better understand other departmental processes. And these can be analyzed and improved to realize greater enterprise benefits.
Fourth, organizations with ERM programs are in a better position to meet the demands from external parties such as investors, rating agencies, and regulators.
To make this work, your client needs to leverage an ERM framework.
ERM programs include risk management processes that are used throughout the enterprise. Some organizations use a framework like COSO or the ISO 31000. Others develop their own framework. In general, here are the ERM processes, regardless of the framework.
- Plan risk management. Define an ERM policy that guides the behavior of individuals in the organization. The ERM policy includes elements such as the risk governance structure, risk categories, ERM methodology, roles and responsibilities, risk appetite, risk tolerance, risk limits, ERM activities, ERM reports, and a glossary. This policy should be reviewed and updated each year. And the Board should approve the revisions.
- Identify risks. Determine the risk identification tools and techniques that will be used. For example, these could include brainstorming, interviews, checklists, and cause-and-effect diagrams.
- Evaluate risks. Once risks are identified, ERM stakeholders should assess the risks. Risk owners may perform qualitative and quantitative risk assessments. The risk assessments result in a prioritized risk list. The benefit: you know which risks matter most.
- Respond to risks. Next, risk owners develop and implement risk response plans to lessen these risks.
- Monitor risks. Of course, risks change over time. Threats and opportunities may (and probably will) increase or decrease. Therefore, client’s must monitor risks. Are the risks managed according to the risk appetite and risk tolerance? Are the ERM processes providing value? Are the processes economical and efficient?
As a CPA, have you ever wondered how ERM and Internal Audit differ?
ERM vs. Internal Audit
Organizations may have an ERM department or group led by an ERM Champion or Chief Risk Officer (CRO). This group facilitates the development of an ERM policy, trains employees on ERM processes, and facilitates periodic risk reviews.
Internal Audit ensures that the risk controls are working as designed within the organization and makes recommendations for improvement where there are internal control deficiencies. (Traditionally, internal auditors have focused on accounting processes. Their role is expanding into other areas such as ERM.)
So, how does ERM and Internal Audit work together? First, the ERM Champion engages Internal Audit when developing the ERM policy. Second, Internal Audit uses the ERM risk register as input into the annual audit plan. Think about it – wouldn’t it be great to see the most significant enterprise threats and opportunities as Internal Audit develops the audit plan? Third, Internal Audit inspects the ERM processes, in addition to other organizational processes, to ensure they are efficient and economical.
Audit Management Letter Suggestion: ERM Program
In your next audit, think about the risk management practices in the organization.
Does your client have a written ERM policy? Are the risk processes being performed consistently throughout the enterprise? How are risks being identified and assessed? Does the enterprise risk register include financial risks, strategic risks, operational risks, and other risks? Has the risk appetite and risk tolerance been defined and communicated to the Board, management, and risk owners?
At the conclusion of your audit, consider including ERM recommendations in your management letter. Doing so might save your client a great deal of pain–and you’ll add value to your audit.
Harry Hall, the Project Risk Coach, is a speaker, teacher, author, and blogger. He has implemented project management offices (PMOs) and enterprise risk management (ERM) programs in the financial, healthcare, and agricultural industries. Harry is a graduate of the University of Georgia and is a certified PMP®, PMI-RMP®, and has his Associate in Risk Management (ARM-E).