Who Owns Enterprise Risk? Internal Audit Management & Risk Management
The mainstreaming of ERM (Enterprise Risk Management) in 2016 is raising concerns in the audit profession about who owns risk across the organisation. This white paper examines this anxiety and the circumstances and trends that are causing it. We share insights and experiences from our customer interactions and make recommendations for good practice for auditors and risk managers.
ERM means taking a holistic approach to managing the array of operational risks the organisation faces. Its features include a risk management framework, a risk register and a comprehensive system of internal controls. ERM drives system and process changes because it requires a risk-based approach across a range of activities such as internal audit and quality management. ERM also requires real cultural change because it cannot work without a pervasive understanding of risk-based operations, an emphasis on all three lines of defence – of which more below – and lived values of transparency, accountability and shared learning. For this reason it takes time, which is why we often talk about the ERM journey or the maturity journey.
The answer to this scenario of terrible risk, blind hope and inefficiency is to professionalise the management of quality and business change.
Data integrity demands that validated systems be in place, with processes that guarantee data quality, so that the data is trustworthy and reliable. This can be achieved using a paper-based quality management system, but an integrated electronic system is more effective and efficient.