Sunday, May 11, 2014

Create Communication between Risk Management and Internal Audit

Leveraging All Your Resources to Get Ahead

Over the last decade or more, a number of companies have succumbed to what now seem to have been avoidable catastrophes, such as the BP Deepwater Horizon, the 2008 financial crisis, or the Enron collapse. Each event has drawn growing attention to risk management from creditors, regulators, and the public as a whole. Stakeholders expect companies not only to avoid these types of events, but to overcome and succeed even when the economy is down.
As risk oversight continues to evolve, organizations are seeking ways to strengthen those efforts to minimize the impact of emerging risk events that might be on the horizon. The Risk Management Society (“RIMS”) and The Institute of Internal Auditors (“IIA”) believe that the next phase is for the risk management and internal audit functions to collaborate. To understand why they believe collaboration is necessary, the roles of each need to be understood.
  • Risk Management – The area of risk management has evolved in three stages: traditional, integrated, and ERM. Each stage builds on the next. Many companies implement some form of ERM using one of several frameworks, including COSO’s ERM Framework or ISO 31000. Regardless of the framework, the goal is to identify risks for the purpose of either identifying areas they need to protect or areas where they can pursue an opportunity.
  • Internal Audit – Whether external or internal, both types of auditors serve the purpose of providing independent, objective assurances designed to give more credibility to a report or activity done by others. The idea behind the assurance is to give the data more value and make it more reliable for use by management. However, the role of internal audit does not simply end with providing assurances. The white paper provides a clear distinction in the roles of internal audit, including roles it should not perform.

Why Bring Them Together?

When it comes to ERM, risk managers tend to be responsible for leading ERM within the organization, whereas internal audit’s role is to assess the ERM process led by the risk managers. The decision makers, or users of information who drive strategy within the company, need reliable data. Assurance provided by internal audit regarding ERM, in terms of evaluating risk reporting and management processes, leads to greater confidence in that information. Because such an overlap of roles exists, it is only logical that the two functions can make each other better through collaboration.

Where is the communication?

Unfortunately, for many organizations the overlap between the roles and responsibilities of risk management and internal audit leads to duplication of much of the work. However, each function has a particular set of skills and responsibilities that may make it better in particular areas. The RIMS/IIA white paper presents several potential areas that can be exploited to develop a synergy between the two functions, including the following areas where the path to success has been paved with proven results by proven companies.
  • Enterprise risk assessment and the audit plan – Using the COSO ERM framework as a point of reference, after the first step of setting a company’s objectives, a risk management function identifies, assesses, and develops responses to enterprise risks. The risk assessment should identify the most critical risks to the company and which function is best placed to understand how well each risk is controlled. Not only can internal audit’s input help assess the level of control over the risk, but the risks raised during the assessments by risk management can be used to drive the audit plan for the next operating cycle, leading to a better understanding of the risk.
  • Share resources when feasible – Many risk management departments in a company have a limited staff. As needed, risk management should draw on the resources of other departments, particularly internal audit, because there are no other departments that have exposure to every facet of an enterprise. That means internal audit is often in the best position to contribute to risk management.

Most companies possess a risk management and internal audit function in some form or another. The mere description of their roles within the company makes it easy to understand why it is only logical that they collaborate to create synergies that are not just theoretical.
