The first shoe to drop was government regulations holding the Board of Directors personally responsible for the effectiveness of enterprise risk management programs at their organizations. Boards are given a choice between proving their risk management programs are effective or disclosing their ineffectiveness in risk management to the public. If they do neither, it is considered fraud, as not knowing about a risk is no longer a defense.
What does enterprise risk management effectiveness mean?
Not being involved in the day-to-day running of the company where most operational risks actually occur means Boards of Directors must, through their risk oversight role, satisfy themselves that the risk management policies and procedures designed and implemented by the company’s senior executives and risk managers are effective at identifying all risks and demonstrating assurance over the most material ones.
Risk is viewed at its highest level by the board. Some people make the mistake of inferring that this risk information should then also be collected at only this high level, but this is ineffective because of the gap between senior management and the front line activity level where risks first arise. The key to determining the effectiveness of a risk management program is the ability to collect risk information from the business process-level and aggregate this information, while preserving the effects of related upstream and downstream dependencies.
Since the liability for error is so high, Internal Audit has now been tasked with fact-checking the risk management information presented to the board to ensure its integrity at the front line business process level. The Institute of Internal Auditors (IIA) announced this week that it has revised its International Professional Practices Framework (IPPF), effective Jan. 1, 2013. These mandated changes require auditors to validate the most timely and most significant risks, especially those that affect the achievement of the organization’s strategic objectives.
The role of the enterprise risk manager has now finally become clear: to close the gap between strategic-level risk and all the operational risks at the activity level on the front line of organizations. The risk manager is responsible for setting the standards, practices and procedures for effective risk management and embedding them in all existing business processes. The risk manager is now accountable for risk metrics. This requires putting a mechanism in place to collect risk information at the level where most operational risks materialize and to aggregate it to a level the Board cares about, while preserving the links to the front line and the resources involved, and then tying together the risks in related business processes, all at the activity level so that a clear audit trail exists for internal audit to follow.
Organizations have realized that their board-level attestations on the effectiveness of risk identification and assessment can no longer be just a facilitated interview at the senior management level; instead, there needs to be a rigorous process at the activity level viewed through the lens of what is material, not only in isolation within a single business silo, but overall as all the pieces come together at the top. The goal is to identify and objectively assess operational risks and to ensure risk mitigation is in place at the activity level, first independently and then collectively. The integrity of this risk information needs to be preserved when it is aggregated and summarized by the strategic goals of the organization.
ERM software or GRC software with a risk-based approach is the only way this process will work effectively, and the RIMS Risk Maturity Model spells out each of the 25 requirements that must be met to put a risk taxonomy in place for an effective and efficient enterprise risk management program that meets the rigor of compliance and, now, internal auditors’ review.