What is the relationship between Governance, ERM, and Internal Control?
I have a number of files available for download from my Profile and one is this diagram: https://www.box.net/shared/me48udpnxi. I worked on it with Professor Andrew Chambers.
I admit to being influenced by the South African King Code III of corporate governance. I see governance as broadly covering how the organization is directed and managed, and that includes the consideration and management of risk (ERM). Controls are used to ensure risk responses are as they should be. The second page shows the various types of risk, and how they act across governance, risk, and controls.
Some risk practitioners believe that ERM includes Governance. I am not in that number, because I believe that setting strategies, optimizing performance, and providing related oversight are in Governance and not in ERM. Some aspects of Governance can be considered part of ERM, but not all.
There are certain aspects of Governance that could be considered part of a system of internal control. COSO talks about the Control Environment later, which includes the operation of the board and internal audit. To the extent that they are required to ensure stuff happens the way it should (my lay definition of internal control), that’s OK.
So, everything inter-relates and the borders on the Venn diagram are fuzzy rather than precise. Nevertheless, I think this captures the broad sense of the relationship.
Agree? Comments?
I have a separate internal audit-focused discussion on this at http://www.theiia.org/blogs/marks// Please join us.
Norman, think of Governance as “external” control and ask the question, “if internal control is part of an ERM program, shouldn’t external control be?” How the directors of the company govern directly affects the owners’ interest in the organization, and as such governance should be a part of the ERM effort.
Remember the leader of the ERM effort is a facilitator and not a manager of the underlying processes – finance, management, production, etc.
Hello Norman. I view governance as an aspect of risk management and of internal controls. They are inter-related, but, of course, not each aspect of each inter-relates. For example, tone at the top, the exercise of authority, inclusiveness, and the manner of exercising diligence are all important aspects of governance that also directly relate to ERM/risk management and internal controls. I believe it can also be argued that the manner of setting strategies including risk assessment and tolerance, optimizing performance, and providing related oversight are part of risk management and internal control.
David Tate, Esq. (San Francisco)
I am not familiar with the term ‘external control’. Can you share where this comes from and what it means?
Norman, internal controls provide a basis for Management’s operating the company in a sound and consistent manner as agreed to by the owners/owners’ representatives. Governance describes how the owners present their stewardship to the world (or externally). The two areas are different, but both should be a part of the ERM program.
Norman – My view is that you and Professor Chambers have drawn an abridged version of the COSO ERM framework. You have the four COSO ERM objective areas in slide 2/2 – strategy, operations, reporting and compliance – and you’ve managed to compress the eight COSO ERM components into three – G, R and C.
Good from a less is more approach, but in substance ERM = GRC.
Keep up the good work.
Best,
Larry
I have been asked to explain why ERM is part of Governance. This is what I said:
The risks that need to be managed are those that might impact the organization’s strategies and objectives. These are not set as part of ERM. They are set as part of the governance activity.
When the board and management strive to set and achieve their objectives, they do so with risk-related information and they also adapt and respond to risk – as part of how they manage and direct the organization.
If you define Governance as how you manage and direct the organization to achieve its objectives, then ERM is part of that.
If you don’t like that simple definition of mine, here is what the OECD has (and I believe this is the most commonly used definition of Governance):
“A set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.”
This is what the Australian Stock Exchange says:
“The system by which companies are directed and managed. It influences how the objectives of the company are set and achieved, how risk is monitored and assessed, and how performance is optimized.”
If that is how Governance is defined, how can there be any debate on the fact that ERM is included?
I have always believed that ERM was a subset of Governance. Governance includes strategy setting, performance management, risk management and effective internal control, among other things. Those who believe ERM encompasses governance are likely thinking that ERM cannot work if there is an unengaged board, a lack of transparency, an unbalanced compensation structure, a CEO who ignores the warning signs, etc., i.e., tone at the top and other issues that effective governance overcomes. While they are right, that doesn’t mean ERM is intended to dictate how boards and CEOs behave, compensate people and decide what to measure and report. Good governance enables ERM to work. Without it, ERM cannot succeed. At the same time, an effective ERM process augments good governance.
I think we are getting tangled in terminology and differences in organizational management in different areas. Saying Governance is part of ERM isn’t saying ERM should run the organization. However, Governance is part of the ERM matrix and the Risk Manager has to take Governance, just like Customer Service, into consideration when preparing the organization’s risk profile.
I fully agree with Ck6. I remember this kind of discussion from my work in developing the ISO31000. Depending on which kind of “Risk Mgmt area” people were acting in (Finance, Banks, Insurance, Health & Safety, Space, Nuclear, Aerospace, Security, IT), they were using totally different terminology. By the way, it took more than 2 years to agree that a risk can have both a negative and a positive impact! ;)))
In my experience ERM is, per definition for many (most?) Risk Mgmt practitioners, the “Entire Risk Mgmt Scope”, while G, R and C are different parts of it.
A similar sub-discussion is whether BCM is a part of ERM, or ERM is a part of BCM? The most important thing is of course that the same kind of Risk Mgmt view, roles and terminology are used by everyone in the same/whole organization.
I have a metaphor I would like to share:
– Governance determines where the ship should go, then steers the ship based on all available information to optimize the journey, communicating with stakeholders, etc.
– Risk management advises the ship captain on potential dangers and opportunities. Risk management is the Navigator, the Radar/Sonar operator, and the watchman.
That is a good analogy Norman.
I like this analogy, particularly for getting the message across to middle management. Unless you know the purpose of the journey, RM won’t be able to advise on the potential dangers and opportunities.
What would be your metaphor for Compliance management, Internal controls and BCM?
Hi Norman – I have used that diagram before, but now I know how it had managed to embed itself into my subconscious (I must have seen it during our workshops last year).
Love the analogy btw.
@ David – how about the life rafts on the side of the ship? The size and adequacy of the life rafts depend upon how successful your BCM planning is, i.e. can you still continue to your destination OR was your planning just to save the ‘crew’ from the impending crisis?
@ David (2nd attempt) – how about the life rafts on the side of the ship? The size, adequacy and versatility of the life rafts depend upon how thorough your BCM planning is, i.e. can you still continue to your destination on the life rafts OR was your planning just to save the ‘crew’ from the impending crisis?
David, there are compliance officers on ships. They will be concerned with discharges to the ocean, food safety, etc.
The internal controls officer might be the 1st officer, who monitors operations.
Business continuity management? I suspect either the Engineering or 1st officer, who is responsible for not only evacuation but also the emergency procedures in general.
Hi Norman
I’ve been following your blog with interest, and the analogies here just made me smile. This reminds me of the time I used the Titanic as an ERM case study for a previous client. Whoever said “ERM is a Journey” probably didn’t think it would take on a nautical nature! Great to see such a lively discussion.
Great to hear from you, Raymond. Trust all is well in Singapore.
Thanks for the metaphor examples.
Raymond, in your Titanic case study were the tragic outcomes a result of poor governance, poor ERM or a fuzzy combination?
Well, thanks to all of you. I have learned a lot from this discussion and it has cleaned the concepts and their interrelated components up for me. As part of the crew, I salute you!
While the metaphor is a good way to get a message across, be mindful that all crew members should manage risk within their realm of responsibility and comply with any regulations, policies and procedures, etc. It’s not just about the navigator or watchman.
Hi Norman,
Thank you for initiating such a thought provoking discussion which has triggered many good perspectives.
What is the relationship between corporate governance and risk?
Hi Chikondi, as I see it corporate governance is how you direct and manage the organization. One of the essential elements to effective governance is an understanding of risk, so all the governance frameworks emphasize the importance of board oversight of the risk management process.
I don’t see governance as including management’s risk management, but providing oversight and approving the criteria used to determine how much risk to take.
What is the relationship between internal control and risk management?
Evaluate the relationship between governance, risk and compliance in ERM.