The right fit: auditing ERM frameworks

Enterprise risk management reviews provide assurance that the organization has a
sound basis for assessing and mitigating risks.

by Alexandra Psica
The ideal enterprise risk management (ERM) framework is tailored to
an organization's objectives, level of inherent risk, and risk
tolerance: enough to maximize its opportunities, but not so much as to put
it out on a limb. Founded on an organization's risk management
culture, ERM embodies all of the business practices an organization has
in place to assess, communicate, and manage risk. A good ERM framework
allows the organization to foresee potential consequences from future
events, make necessary changes to minimize risk, manage the negative
fallout if an event materializes, and capitalize on the opportunities
that it presents for growth. It ensures that decision-makers have timely
access to information that is crucial to making appropriate choices
within set risk tolerance limits to move the organization toward its
objectives. In so doing, ERM helps guide the allocation of resources and
strengthen governance.

Moreover, ERM frameworks enable disclosure,
giving management, the board, and shareholders assurance that risks are
escalated in time to be mitigated. Not all risks can be avoided, but
early disclosure allows time for appropriate actions to be taken and any
potential advantages to be identified and maximized. ERM frameworks also
enable organizations to converge information used by different functions
in an organization, such as auditing, compliance, and management.

Audits play a key role in ensuring that an organization's ERM
framework is strong enough to perform the intended function and
efficient enough to ensure good value. Because ERM frameworks may vary
depending on the organization's purpose, size, complexity, and
maturity, auditors must rely on their judgment in drawing conclusions
about the adequacy of the framework in the context of the organization.
AUDITING'S ROLE
An ERM framework is a set of business practices, supported by a
risk management culture, that assesses, manages, and communicates risk
at a level appropriate to the organization's objectives,
operations, and risk profile (see "Guiding Principles for ERM
Frameworks" on page 54). Typically, it includes easy-to-use
policies and guidelines; practical, flexible, and self-directed
processes and techniques; and tools that support the management of risk
information for risk identification, assessment, management, reporting,
and monitoring purposes. However, between organizations or even within
an organization, the ERM framework may be very different, depending on
the level of inherent risk associated with their business objectives as
well as their risk tolerance. For example, the information technology
department might require a framework with clear risk identification,
assessment, and escalation procedures because of the nature of its work,
while the human resources department might only need a clear policy and
a review of procedures. It is also common to find that the part of an
organization with transactional operations has a mature,
compliance-oriented framework where risk indicators are clearly defined
and may even be integrated into everyday processes, while the part of
the organization dealing with strategic risks has a less formal
framework that requires further development.

Because internal audit
resources are usually targeted to the areas of highest risk, it is
essential that the ERM framework is audited periodically to ensure that
it has the capacity to identify the right risks to produce reliable
information on which to base resource allocation, audit planning, and
other decisions. Furthermore, as convergence drives organizations to
find synergies among their audit, compliance, and risk management
functions, it is important to provide assurance that the risk management
function is sound so that the various parts of the organization can rely
on the results of the function. Auditors must consider all of the
objectives that the organization expects its ERM framework to fulfill
when designing the audit and making a judgment about the adequacy of the
framework.
The core of a successful ERM framework audit rests on the
auditor's ability to make appropriate judgments about the optimal
balance between the level of maturity of ERM practices and the level of
risk the organization faces. Because ERM is still an emerging business practice, it is
unrealistic to expect organizations to have fully developed their ERM
capability. It is an auditor's responsibility to provide an opinion
on the audit objective, such as the efficiency and effectiveness of the
framework. However, auditors should also note the context of the
organization, including any gaps in the framework that are a result of
the time frame the organization has had to establish the framework and
the budget it can realistically devote to ERM. In addition, audits must
consider operational risk management (risks in day-to-day delivery) and
corporate risk management (risks to achieving business objectives). The
bottom line for an ERM framework audit is its usefulness in improving
the management of the organization.
In auditing an ERM framework, it is important to distinguish
between assessing the effectiveness of the framework itself and
management's responsibility for making individual risk mitigation
decisions and monitoring their effectiveness. An
ERM framework audit will be concerned with the effectiveness of the
framework itself in helping the organization manage risk and not whether
management made the right risk decisions. Furthermore, in many
organizations, internal auditors walk a fine line in maintaining the
independence required to audit the framework. As risk experts, they are
often called upon to provide their advice; however, it is essential that
management owns the ERM framework and processes so that internal
auditing can offer an objective opinion on their efficiency and
effectiveness.
FRAMEWORK COMPONENTS
An ERM framework is not a single policy, but an array of components
within an organization that work together to manage risk over time
efficiently and effectively. The auditor's task is to assess
whether the sum of these components constitutes a framework that is
appropriate for the organization. Interis Consulting has developed a
conceptual ERM model based on risk management practices from the public
sector, the financial sector, and other industries as well as criteria
found in risk management and control standards. The conceptual model
deals with the main components of an effective and sustainable ERM
framework: establishing the framework, implementing practices and
processes to assess and treat risks, and monitoring the framework.
ESTABLISHING THE FRAMEWORK
When auditing an ERM framework, auditors
should be alert to the attitudes and values expressed around risk
management in the organization's policies, governance framework,
and suite of risk management processes and tools. Although auditors are
not involved in establishing the framework--that should be done by the
business itself--when they conduct an audit, they are evaluating the
elements of the organization's framework. In some organizations,
auditors will find elements of the framework that include explicit risk
management values; rigorous, clear risk management guidelines for staff;
and strong risk management training programs. In other organizations, it
may be more difficult for staff to identify risk management practices,
particularly if ERM is new to the organization. Auditors may need to
adjust their vocabulary to ensure that staff understand what risk
management means in their work. It is especially important in these
instances to consider multiple sources of evidence to ensure that
embedded ERM--risk management practices that are not identified as such
within the organization--is not overlooked by management.
Once a framework is established, the organization implements the
framework elements and conducts ongoing risk management activities--it
assesses and addresses the risks on a regular basis. Auditors should
look for evidence that the risk management practices defined in the
framework are in use and operating as expected.
ASSESSING RISKS
In auditing the continuous risk management
processes, auditors should note whether business objectives are clearly
documented; staff must know what the objectives are to manage risks to
them. Auditors should check if the organization has a consistent risk
identification process that addresses all categories of risk to which
the organization is inherently exposed based on an understanding of the
organization's business environment. As well, they should determine
whether there is a formal risk assessment process, whether residual risk
exposure is examined against established risk tolerances prescribed by
management, and whether a formal response to the risk is documented and
communicated.
TREATING RISKS
When assessing whether the organization is
addressing risk appropriately, auditors should look for action plans to
manage unacceptable risks, including specific mitigation measures, time
lines, and owners. These action plans should be reviewed regularly and
monitored for their effectiveness in mitigating the risk. Key risk
indicators should be identified and monitored on a regular basis by
those in the organization responsible for managing the risks to provide
early warning signs of the risks materializing. Finally, auditors should
check for a standardized approach to managing risk information, with
common terminology and data.
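The evidence that the ASSESSING RISKS and TREATING RISKS steps call for (risks tied to documented objectives, every inherent category identified, residual exposure compared against a prescribed tolerance, an owned and dated action plan for each unacceptable risk, and key risk indicators that are current and within threshold) can be turned into mechanical checks over a risk register. The Python below is an added example; it is not part of the original article or of the Interis model. The register layout, the five-category taxonomy, the 1-5 likelihood x impact scale, the per-category tolerances, the 90-day KRI review window and the sample entries are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Assumed taxonomy: every risk category the organization is inherently exposed to.
RISK_CATEGORIES = {"strategic", "operational", "financial", "compliance", "technology"}
# Assumed residual-risk tolerance per category on a likelihood x impact scale (1-5 each).
TOLERANCE = {"strategic": 12, "operational": 9, "financial": 6, "compliance": 4, "technology": 9}
KRI_REVIEW_DAYS = 90  # assumed maximum age of a KRI reading before it counts as stale


@dataclass
class KRI:
    name: str
    threshold: float
    latest: float           # most recent observed value
    last_reviewed: date


@dataclass
class ActionPlan:
    owner: str
    due: date
    measures: List[str] = field(default_factory=list)


@dataclass
class Risk:
    risk_id: str
    category: str
    objective: str          # business objective the risk threatens
    likelihood: int
    impact: int
    response: str           # accept | mitigate | transfer | avoid
    plan: Optional[ActionPlan] = None
    kris: List[KRI] = field(default_factory=list)

    @property
    def residual(self) -> int:
        return self.likelihood * self.impact


Finding = Tuple[str, str, str]  # (audit area, risk id or "-", message)


def audit_register(register: List[Risk], today: date) -> List[Finding]:
    """Return the gaps an auditor would record against the register."""
    findings: List[Finding] = []
    # Identification: is every inherent category represented at all?
    covered = {r.category for r in register}
    for missing in sorted(RISK_CATEGORIES - covered):
        findings.append(("IDENTIFICATION", "-", f"no risks recorded for category '{missing}'"))
    for r in register:
        # Assessment: a risk must be tied to an objective and to a known category.
        if not r.objective:
            findings.append(("ASSESSMENT", r.risk_id, "risk not tied to a documented objective"))
        if r.category not in TOLERANCE:
            findings.append(("ASSESSMENT", r.risk_id, f"unknown category '{r.category}'"))
            continue
        over = r.residual > TOLERANCE[r.category]
        # Response: residual exposure above tolerance cannot simply be accepted.
        if over and r.response == "accept":
            findings.append(("RESPONSE", r.risk_id,
                             f"residual {r.residual} exceeds tolerance {TOLERANCE[r.category]} but is accepted"))
        # Treatment: unacceptable risks need an owned, dated, concrete action plan.
        if over and r.response != "accept":
            if r.plan is None:
                findings.append(("TREATMENT", r.risk_id, "no action plan for unacceptable risk"))
            else:
                if not r.plan.owner:
                    findings.append(("TREATMENT", r.risk_id, "action plan has no owner"))
                if not r.plan.measures:
                    findings.append(("TREATMENT", r.risk_id, "action plan lists no mitigation measures"))
                if r.plan.due < today:
                    findings.append(("TREATMENT", r.risk_id, f"action plan overdue since {r.plan.due}"))
        # Monitoring: unacceptable risks need KRIs; KRIs must be current and within threshold.
        if over and not r.kris:
            findings.append(("MONITORING", r.risk_id, "no key risk indicator defined"))
        for k in r.kris:
            if k.latest >= k.threshold:
                findings.append(("MONITORING", r.risk_id,
                                 f"KRI '{k.name}' at {k.latest} breaches threshold {k.threshold}"))
            if (today - k.last_reviewed).days > KRI_REVIEW_DAYS:
                findings.append(("MONITORING", r.risk_id, f"KRI '{k.name}' not reviewed since {k.last_reviewed}"))
    return findings


AS_OF = date(2008, 6, 1)  # constructed audit date
# Constructed sample register (not real data): R1 is clean, R2-R4 each exhibit gaps.
SAMPLE_REGISTER = [
    Risk("R1", "technology", "Deliver the online channel", 4, 4, "mitigate",
         ActionPlan("CIO", date(2008, 9, 30), ["MFA on all administrative access"]),
         [KRI("critical vulns unpatched >30 days", 5, 2, date(2008, 5, 15))]),
    Risk("R2", "financial", "Maintain liquidity", 3, 3, "accept"),
    Risk("R3", "operational", "Run payroll on time", 4, 3, "mitigate",
         ActionPlan("", date(2008, 3, 31)),
         [KRI("late payroll runs per quarter", 1, 2, date(2008, 1, 10))]),
    Risk("R4", "compliance", "", 1, 2, "accept"),
]

if __name__ == "__main__":
    for area, rid, msg in audit_register(SAMPLE_REGISTER, AS_OF):
        print(f"{area:<14} {rid:<3} {msg}")
```

Run against the constructed register, the script reports one identification gap (no strategic risks recorded), an accepted financial risk sitting above tolerance with no indicator, an operational risk whose action plan has no owner, no measures and a lapsed due date and whose indicator is both breached and stale, and a compliance entry not tied to any objective. The checks only test the framework's evidence (ownership, dates, tolerances, indicators), not whether management's individual mitigation choices were the right ones, which matches the distinction the article draws between auditing the framework and second-guessing risk decisions.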
COPYRIGHT 2008 Institute of Internal Auditors,
Inc. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2008 Gale, Cengage Learning. All rights
reserved. Gale Group is a Thomson Corporation Company.
NOTE: All illustrations and photos have been removed from this article.