Who owns enterprise risk? Internal audit management & risk management
The mainstreaming of ERM (Enterprise Risk Management) in 2016 is raising concerns in the audit profession about who owns risk across the organisation. This white paper examines this anxiety and the circumstances and trends that are causing it. We share insights and experiences from our customer interactions and make recommendations for good practice for auditors and risk managers.
ERM means taking a holistic approach to managing the array of operational risks the organisation faces. Features include a risk management framework, a risk register and a comprehensive system of internal controls. ERM drives system and process changes because it requires a risk-based approach across a range of activities such as internal audit and quality management. ERM also requires real cultural change because it cannot work without a pervasive understanding of risk-based operations, an emphasis on all three lines of defence – of which more below – and lived values of transparency, accountability and shared learning. For this reason it takes time, which is why we often talk about the ERM journey or the maturity journey.
The move towards greater ERM maturity
The answer to the scenario of terrible risk, blind hope and inefficiency is to professionalise the management of quality and business change.
Data integrity demands that systems be in place that are validated, with processes that guarantee data quality, and wherein the data is trustworthy and reliable. This can be achieved using a paper-based quality management system, but an integrated electronic system is more effective and efficient.
The role of audit in risk management
Auditing is key to the preventative measures your business takes to mitigate risk and improve efficiency across teams.
The ERM maturity journey
Understanding where your business is in the ERM (Enterprise Risk Management) maturity journey offers vital insight into potential risks and key responsibilities.
Who owns risk?
The key roles and responsibilities surrounding risk vary from business to business, so understanding the core boundaries between roles from the beginning will set your business up for success from day one.
Running a business has always been a matter of risk-taking. […] Senior management is expected to be involved in risk management and risk-taking. Directors have to give direction depending on the risk appetite of shareholders. A good risk management system is like the management systems on a racing car - they help it to go faster, further and safer.
Peter den Dekker, President of FERMA
[…] the audit committee shall, inter alia: monitor the effectiveness of the company’s internal control, internal audit where applicable, and risk management systems […].
8th European Company Law Directive on Statutory Audit, DIRECTIVE 2006/43/EC – Art. 41-2b
The benefits of Pentana Risk were apparent almost immediately. With Pentana Risk, we're able to create unique portals for stakeholders across the business to let them identify key risks quickly. We can compare risks across the globe, and it allows users to update in real time so we can get an accurate and up-to-date picture of the risks facing Admiral Group.
Huw Thomas - Enterprise Risk Manager, Admiral Group Plc