27 June 2016

4 things you need to know about Enterprise Risk Management and Internal Auditing

By Tom Ryan

Enterprise risk management (ERM) and internal auditing were in the spotlight at the recent “Who Owns Enterprise Risk?” webinar and in the latest white paper based around the same topic.

Ideagen’s Audit and Risk Management Team has addressed the issue surrounding the mainstreaming of ERM in 2016 and the concerns it raises in the audit profession about who owns risk in an organisation. The responsibility of this ownership, undoubtedly, lies in each and every person, from Management through to C-Suite and qualified executives, involved in ERM to support the vision of an organisation and its strategic objectives.

Our team has answered the following four questions, which came from our delegates in the internal audit and risk management professions. Take a look at the Q&As below:

  1. **Q: What line of defence is first at the implementation control of system?**
     A: The line of defence at the implementation stage has to be the 1st line, because Management is responsible for putting the primary controls in place. However, it is quite possible that they might be advised at this stage by the 2nd line (because the oversight functions are part of the overall control design), and they might also be advised by the 3rd line (auditors), who might have a view on what controls are needed.
  2. **Q: This presentation seems geared towards large enterprises. The things about which you are speaking are also very critical to smaller institutions, maybe especially financial institutions. Can you speak a little about this?**
     A: The presentation wasn’t intended to be geared towards large enterprises. The principles apply to all sizes, but resources (supporting ERM / 3LOD) might be scaled up or down according to the size of the organisation. The key point is that roles are clearly defined.
  3. **Q: You mentioned that if managers within the company are responsible for managing the risks which relate to the entity, the question would be why do you need a risk manager? From your experience, what is the value of having a dedicated risk?**
     A: Although you may have “siloed” risk managers responsible for specific areas or entities, they can be inconsistent in their approach to risk management, and they will only focus on their own area. A dedicated risk manager can provide guidance to ensure consistency (and compliance with the framework) and also take a wider view of risk (across all areas) to “add it all up”: risk aggregation. The CRO can then present an accurate overview of risk and relay key messages to senior management and the board.
  4. **Q: For a small company, is it feasible for them to have a CCO, CRO and CAE, or should they be combined?**
     A: There is no problem combining roles in small organisations, providing there are checks and balances. For instance, a combined CRO / CAO can design and implement a risk framework, but clearly can't also audit its effectiveness. Therefore, this task would be carried out by an independent person.

To stay up to date, download our “Who Owns Enterprise Risk?” white paper and request a webinar recording today.
