
One size fits all for ERM?

November 25, 2010

This week, I wrote about how to audit risk management on my IIA blog. Not everybody, either in comments on the blog or elsewhere on LinkedIn, understood my point.

The risk management program has to be sized and oriented to meet the needs of the organization.

Some organizations need a deeply resourced ERM program, because they face risks of immense proportions every day, the potential for adverse events (or opportunities) arises quickly and has a fast clockspeed (i.e., comes at you fast), and they need to react fast. Other organizations have far fewer risks, of far less significance, and can afford a less intense risk management program.

It’s like the contrast between the care and attention you pay to your driving on an empty road and the care and attention when the road is full of fast-moving trucks and motorbikes.

When you consider, as management, how large and well-resourced your cash management function is, you base it on the value it represents, the risks you are managing, etc. It’s not one-size-fits-all. The same applies to risk management.

My point is that before an auditor assesses the adequacy of ERM, he/she needs to understand the needs of the organization. The auditor should assess whether the risk management program meets those needs. A framework can help, but judgment is needed to assess whether too much or too little is being done.

Do you agree?

  1. November 25, 2010 at 4:47 PM

    Everyone is different, we have different needs and wants, different tastes, different objectives, different values and culture, and different places and environments. These factors affect and lead us to act and behave in different ways. A simple example would be if a person's objective is to be a millionaire in five years' time as compared to a person who wishes to achieve the same within a year, the efforts, methods, attitude, time spent etc. would be very different and his actions and decisions would also depend on environmental factors such as economic conditions. I agree that no one size fits all. An organisation needs to assess its objectives, current status and manpower, cost and benefits in its ERM program.

  2. Rick Fowler
    December 8, 2010 at 8:30 AM

    I agree with your statement that “before an auditor assesses the adequacy of ERM, he/she needs to understand the needs of the organization.” But isn’t that true of any area that we audit? There are differences in how a large organization implements a process and how a small organization does it. Take a simple control like segregation of duties. In a smaller organization, there are simply not enough people to fully segregate duties among the employees. A large organization is not so constrained. The needs of the smaller organization may be met by permitting low-risk duty combinations, adding some mitigating oversight reviews, rotating assignments, etc. So of course the same will be true of ERM when we audit it, and of course we’ll have to understand how ERM fits into the needs of the organization. Risk appetite (or aversion) will vary even among similar companies. So I have to wonder — who would think that one size fits all??

  3. Norman Marks
    December 8, 2010 at 8:32 AM

    Rick, I agree 100%. This is true, or should be true, of every audit. But many of the people I talk to about auditing risk management go straight for the framework, policy document, etc. without thinking about that first requirement.

    • anthony
      March 29, 2011 at 9:16 AM

      The question for me is whether auditors have a perspective that is sufficiently strategic to be able to conduct an assessment that truly takes into account organization-wide needs. Years of training in conformance to standards and regulations contraindicate that and lead to a dependence on frameworks and policy documents.
