As the saying goes, a chain is only as strong as its weakest link. This adage rings true in many situations. In regard to risk, for example, there are countless points at which various individuals might contribute to the overall strength of an organization’s management of risk. The antithesis of the “it’s-not-my-job” mentality, this mindset is all about a corporate consciousness of risk, people stepping up and assuming responsibility, and those at the top doing everything possible to ensure personal and collective accountability throughout the enterprise.
Who’s responsible for risk?
Through the years, guidance on risk management has been issued by a variety of organizations around the world such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO); the International Organization for Standardization (ISO); the Information Systems Audit and Control Association (ISACA); the Risk Management Society (RIMS); and the Federation of European Risk Management Associations (FERMA).
Risk management principles have evolved to help organizations build strong risk management programs. For example, in 2004 COSO published Enterprise Risk Management–Integrated Framework. This well known framework established common definitions, provided direction for enhancing risk management, and set criteria for evaluating whether a risk management program is effective.
In addition to building a risk management program around a framework like COSO’s, many thought leaders believe that risk management, at its best, is a shared philosophy with shared responsibility. Over the years, Tone at the Top frequently has pointed out that controls are everybody’s business. Likewise, risk management is everybody’s responsibility.
As line management considers the various decisions they face daily, risk should be on their radar…and the controls, policies, and procedures that would minimize the likelihood of those risks materializing. Likewise at the top of the organization, boards and executive management must collaborate for risk management as they develop strategies. There is an opportunity for organizations to embed this process into their management culture. At the end of the day, the board and CEO are ultimately responsible for risk management. But it’s only truly possible through a collective effort.
So if, ideally, risk management is everybody’s responsibility at every level of the organization and if all functions are attuned to its importance and its mandate, how can they work together for the greater good? What can specific areas do to coordinate their work with the efforts of others from a risk perspective?
Recently, The Institute of Internal Auditors (IIA) and RIMS released a joint report on the value garnered when the internal auditors and risk managers collaborate on risk management efforts. The report reflects the view of The IIA and RIMS that effective collaboration and open dialogue result in a more robust view of the entire risk portfolio.
“Risk managers and internal auditors have many of the same stakeholders — boards and executive management — and these stakeholders want to maximize resources while effectively managing risk,” IIA Vice President of North American Services Hal Garyn, CIA, says in the report. “Having these vital risk management and assessment functions collaborate, speak the same language, and leverage one another’s perspectives on the business is crucial.”
Carol Fox, RIMS director of strategic and enterprise risk practice, agrees. “Risk management and internal audit roles are complementary. An overarching common goal is to position organizations for successful achievement of their respective missions and business objectives,” Fox says in the report. “The two disciplines are more effective working together than separately, especially when there is a common understanding of each other’s roles. For example, as the internal auditors offer assurance as to management’s effectiveness regarding strategic risks, the risk management function provides the techniques and methods for management to be most effective.”
The report, “Risk Management and Internal Audit: Forging a Collaborative Alliance,” includes case studies of differing approaches at four risk-savvy organizations: Cisco Systems, Hospital Corporation of America (HCA), TD Ameritrade, and Whirlpool Corporation.
Common and effective collaborative practices that emerged during the case studies include:
- Linking the audit plan and the enterprise risk assessment, and sharing other work products to provide assurance that critical risks are being effectively identified.
- Sharing available resources wherever and whenever possible to allow for efficient use of scarce resources, such as finances, staffing, and time.
- Cross leveraging each function’s respective competencies, roles, and responsibilities to provide communication depth and consistency, especially at the board and management levels.
- Assessing and monitoring strategic risks to allow for deeper understanding and focused action on the most significant risks.
According to the study, ERM results shared with internal audit can be factored into the audit plan. Also, when the internal auditors discuss their risk-based audit plan with the risk management team, valuable insights from different perspectives on organizational governance and enterprise oversight occur. These approaches help eliminate redundancies in identifying critical risks to the organization, produce a common and aligned view of the organization’s risk profile, and help instill a consistent risk management vocabulary.
“In addition to integrating ERM risk considerations into our annual risk assessment process, an improvement we’ve introduced over the last few years is to show the linkage between the audits on our audit plan to the related primary ERM category. This linkage highlights in a tangible way the integration between the audit and risk management functions,” Whirlpool’s Irene Corbe says in the report. Corbe serves as vice president of internal audit at Whirlpool.
Open communication, even though the channels may vary, is a valuable component of all of the case studies. Some of the organizations studied conduct regularly scheduled in-person meetings. Others correspond in writing, some communicate by telephone, and most use multiple methods to exchange ideas and information.
Effective risk management requires accountability, as Cisco Systems Vice President of Governance, Risk, and Controls Philip Roush points out in the report. “If the responsible risk owner has not taken action on risks that need addressing,” Roush says, “the ERM and internal audit teams inquire why this is the case and highlight the status to senior management and the audit committee as appropriate.”
Achieving optimal risk management is not an overnight occurrence, as HCA Senior Vice President, Internal Audit and Risk Management Services Joe Steakley explains. His team surveys CEOs, COOs, CFOs, and chief nursing officers at approximately 170 hospitals to determine the top-ranked risks. All participants are asked identical questions. The first few years HCA conducted its risk-ranking exercise, it was clear that there wasn’t a common understanding of the risks. Hospital personnel were not ranking or identifying the risks the same as corporate management and the board.
Now — a decade into the process — there is a deeper understanding, a broader awareness, and the same risks rise to the surface in most interviews. “The last several years the responses have been very well aligned,” Steakley says. “Last year, in fact, the board was even aligned with what the hospital staffs were saying. I believe this is a real testament to the maturity of our process.”
This article originally appeared in The Institute of Internal Auditors’ Tone at the Top June 2012 newsletter. With more than 170,000 members in 165 countries, The Institute of Internal Auditors is internationally recognized as the global voice and standard-setting body for the internal audit profession.