
Many Organizations Unprepared to Manage Risk




Richard Chambers
President and CEO
Institute of Internal Auditors

In the wake of a recession brought on by poor risk management at leading banks and financial institutions, a recent report indicates just how few organizations are formally prepared to manage their risk. Of 240 organizations polled in a recent survey, only 40 percent have implemented a formal enterprise risk management (ERM) program. In fact, 14 percent of chief audit executives (CAEs) who responded to the survey said they have recommended that top management implement a risk management process, yet they still lack a program. The 2008 ERM Benchmarking Survey, conducted by The Institute of Internal Auditors Research Foundation (IIARF), provides recommendations to those looking to establish a risk management program or to enhance the effectiveness of their current efforts.

“There’s a tremendous opportunity for internal auditing in this post-risk management meltdown environment. Having an enterprise-wide view of the organization, internal auditors should be involved in assessing operational and strategic risks – even helping champion the risk management process,” said IIA President Richard Chambers, CIA. “The good news coming out of this survey is that some internal auditors already are playing an active role in helping improve their organizations’ risk management. They’re performing activities such as providing assurance on the risk management process, and this is right in line with the International Standards for the Professional Practice of Internal Auditing.”

As indicated by the survey results, the number-one guiding framework for formal and informal risk management processes is The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management — Integrated Framework. In addition, approximately 68 percent of organizations report that they have a risk management philosophy in place. Key risk management elements identified include the presence of a program or process owner, support staff for the program, a sustaining maturity level, and the integration of risk management efforts within the organization. Furthermore, a chief risk officer or equivalent is the person most likely to be in charge of implementing a risk management program.

The survey also found that documentation and communication of the organization’s risk management efforts are essential aspects of a risk management program’s success. The majority of organizations represented in the survey actively document and communicate the board’s and management’s risk management roles and responsibilities, as well as the organization’s risk appetite or tolerance level. Additionally, top internal sources of information include data collected from various internal, IT, or external sources; discussions with senior management, the board, or audit committee members; and data collected from programs or staff. On the other hand, top external sources of information include industry publications and industry groups; benchmarking data from other organizations; and external audit reports. And despite the benefits of using technology to monitor risks and the effectiveness of internal controls, 68 percent of the companies represented in the survey do not use risk-monitoring technology.

Key risk management practices identified to maximize the use of internal resources and ensure the program’s success include:
  • Developing a risk management process that fits the organization’s needs;
  • Defining and using the same risk management language throughout the entire organization;
  • Incorporating risk monitoring activities into all business action plans;
  • Selecting a tool or automated process that meets the organization’s risk management needs; and
  • Using a formalized and standardized risk mitigation process.
Overall, the number-one obstacle to achieving success in risk management is a lack of support at the senior management, board, and staff levels for the risk management program or process. “Internal auditors should encourage senior management to support the efforts of the organization’s designated risk manager,” added Chambers. “Senior management needs to understand the value of effective risk management and how it will impact each business area. This will ensure the right tone at the top is established, which will then create a business culture in which risk management is valued and practiced by all levels of the organization.”

The 2008 ERM Benchmarking Survey was conducted through The IIARF’s Global Audit Information Network (GAIN), a trusted name for benchmarking services in the internal audit profession.

The Institute of Internal Auditors (IIA) is internationally recognized as a trustworthy guidance-setting body. Serving members in 165 countries, The IIA is the internal audit profession's global voice, chief advocate, recognized authority, acknowledged leader, and principal educator. The IIA Research Foundation (IIARF) was founded in 1976 by The IIA. The IIARF expands knowledge and understanding of internal auditing by providing relevant research and educational products to advance the profession globally.
 







