4 ways to improve the relationship between enterprise risk management and audit
Both audit and enterprise risk management (ERM) functions focus on an organization’s risk profile and areas of great risk importance and exposure, but the two often take different approaches.
Audit serves as the assurance arm of risk management, answering the question: Are you doing what you said you were going to do to manage risk? This function maintains independence to be objective in review and analysis of risk.
ERM proactively works with the business to understand, assess, and report on risk. This function seeks to understand potential areas of risk focus and work with the business to develop and implement an adequate risk response, if needed.
To build stronger risk practices and a strategic relationship between ERM and audit, it is crucial to increase collaboration between the two. Ongoing monitoring of risks and related controls is especially important to ensure a constant feedback loop between risk management and audit.
If the approaches of the ERM and audit teams are not coordinated, problems follow: inconsistent priorities and strategic messaging, greater burdens on all stakeholders, and increased reporting needs and documentation requests.
Areas in need of alignment
| ERM team | Audit team |
| --- | --- |
| Develop and implement the risk management framework | Develop an independent evaluation of risk management framework design and effectiveness |
| Advise management on open remediations and note unmitigated risks | Provide assurance on management's capability to identify and remediate open and unmitigated risks |
| Provide statuses on risk priorities and audit coverage of risk priorities | Provide assurance on the scope and prioritization of risks |
| Advise the audit committee and board of directors on risk reporting and internal audit reporting | Prepare independent assessment of risk information reported to the audit committee and board of directors |
A combined report from the Institute of Internal Auditors and the Risk and Insurance Management Society reveals that alliances between these two functions help many companies increase efficiencies, sharpen decision-making processes, and improve overall results.
Here are four ways organizations can increase collaboration between these two risk functions:
- Map ERM risks to the audit universe
This helps provide the business with a view of the consolidated effort to manage risk from both ERM and audit perspectives. Mapping also ensures that there is adequate ERM and audit coverage in areas of key focus.
- Conduct co-risk assessments (or at least share results of independent risk assessments)
Partnering on risk assessments ensures an effective flow of risk information between the functions and helps identify discrepancies that may exist within their respective assessment processes.
- Share results
To keep knowledge of the risk environment current, audit reports should be sent to the ERM team, and risk deep dives and root cause analyses should be sent to the audit team.
- Coordinate board and executive committee reporting
A consistent message to the executive committee and board is essential in delivering the maximum value proposition. Simple reviews of these reports prior to delivery will help identify and remediate inconsistencies.
Ensuring collaboration between enterprise risk management and audit benefits both functions. Download the white paper, Harnessing the Power of Technology in ERM, to find out how to simplify the process as complexity increases.
About the Author
As vice president of corporate development and investor relations, Mike Rost is a key contributor to the organization's growth with a focus on corporate development initiatives, emerging business areas, and developing relationships with investors and key stakeholders. Since joining Workiva in 2015, he has served in various leadership roles helping to drive the organization's growth, including the scaling of Workiva’s marketing and partner & alliance functions.
With more than 25 years of experience assisting organizations to optimize business processes, Mike has an extensive background in finance, accounting, enterprise performance management and Governance, Risk and Compliance (GRC) technology. Prior to Workiva, Mike served as vice president of marketing at Metricstream and vice president of strategic marketing at Thomson Reuters. Prior to that, he spent more than a decade in product management and marketing positions for SaaS companies and held finance positions at Pillsbury and Rollerblade, Inc.
Mike has been active in industry associations, including the Open Compliance and Ethics Group (OCEG) and the Institute of Internal Auditors (IIA). He was also a founding member of XBRL International (eXtensible Business Reporting Language), the global not-for-profit consortium for open international standards for digital business reporting. He has also been a frequent speaker at industry conferences on subjects such as finance transformation, data and reporting, and risk and compliance technology. He received his Bachelor of Science in Economics and his MBA from the University of Minnesota.