What is the relationship between Governance, ERM, and Internal Control?
I have a number of files available for download from my Profile and one is this diagram: https://www.box.net/shared/me48udpnxi. I worked on it with Professor Andrew Chambers.
I admit to being influenced by the South African King Code III of corporate governance. I see governance as broadly covering how the organization is directed and managed, and that includes the consideration and management of risk (ERM). Controls are used to ensure risk responses are as they should be. The second page shows the various types of risk, and how they act across governance, risk, and controls.
Some risk practitioners believe that ERM includes Governance. I am not in that number, because I believe that setting strategies, optimizing performance, and providing related oversight are in Governance and not in ERM. Some aspects of Governance can be considered part of ERM, but not all.
There are certain aspects of Governance that could be considered part of a system of internal control. COSO talks about the Control Environment later, which includes the operation of the board and internal audit. To the extent that they are required to ensure stuff happens the way it should (my lay definition of internal control), that’s OK.
So, everything inter-relates and the borders on the Venn diagram are fuzzy rather than precise. Nevertheless, I think this captures the broad sense of the relationship.