Better IIA guidance on risk management?

Earlier this year, IIA Norway shared Good Practice Guidelines for the Enterprise Risk Management Function. It’s an update of their 2020 document.

They explain:

The target group for these guidelines is organisations that would like to either establish an Enterprise Risk Management function or develop their existing risk management function further. The principles in this guidance may also be useful for organisations without a discrete Enterprise Risk Management function, but where responsibility for Enterprise Risk Management is assigned to another function with enterprise-wide responsibility.

The main motivation for internal auditors’ involvement in defining what is good practice for Risk Management is that Enterprise Risk Management has developed over the last 15 to 20 years to become a vital element in good corporate governance. Unlike the profession of internal auditing, which has had a unifying global body defining principles and standards, the Institute of Internal Auditors (founded in 1941), there is currently no equivalent worldwide body representing the profession of Enterprise Risk Management.

In the Nordic and Baltic countries the profession is characterised by a number of formal and informal associations, some of which are members of a European representative body, FERMA. The primary aim therefore of this good practice guideline is twofold: firstly, to set a common benchmark which it is believed may strengthen the development of the risk management profession in the Nordic and Baltic countries; and second, to facilitate the internal audit function to discharge more effectively its responsibility according to the professional standard requirement that “the internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes”.

The “Good Practice Guidelines for the Enterprise Risk Management function” has been developed by a steering group drawn from the institutes of internal auditors for the Nordic and Baltic countries.

While the Institute of Risk Management[1] (IRM), the Risk & Insurance Management Society (RIMS), the Global Association of Risk Professionals (GARP), the Professional Risk Managers’ International Association (PRMIA), and others might disagree with the statement “there is currently no equivalent worldwide body representing the profession of Enterprise Risk Management,” it is true that the IIA is dominant when it comes to internal auditing.

By the way, I have provided links to the websites of these associations as they have published their own guidance for risk professionals, as well as providing training and certifications.

Still, I congratulate IIA Nordics for collaborating, not only as a group of IIA affiliates in the region, but with the Risk managers’ club, Latvia; Risk management association, Lithuania; and FinnRima (Finnish Risk Managers’ Association), Finland.

While this is clearly not authoritative guidance or an IIA “position” (unlike some of the recent risk management related publications from IIA Global[2]), the intent is excellent and the content provides food for thought.

The Executive Summary highlights eight “core criteria that will guide the establishment of this function”. They could have used the eight principles in the ISO 31000 global risk management standard[3][4], but these are not at all bad and might be considered by the teams working on an update of ISO 31000 (with my highlights):

  1. Risk management is a line management responsibility; however, the ERM function contributes to the identification, evaluation and treatment of risks (uncertainty of future outcomes).
  2. The ERM function ensures the integration of risk management into decision-making at all levels.
  3. The ERM function maintains clear and open communication with executive management and the Board as well as with other control and assurance functions.
  4. The ERM function has a clearly defined mandate.
  5. The employees in the ERM function should be organised independently of operational responsibilities and demonstrate professional integrity.
  6. The ERM function should have access to all information relevant to the performance of its activities.
  7. The ERM function’s remuneration should not contain significant financial performance-based components that could lead to conflicts of interest and influence the objectivity of the staff working in the function.
  8. Remuneration in the ERM function should be sufficient to attract and retain staff of sufficient seniority and professional and business knowledge.

The Nordic document makes some excellent points, including (with my highlights):

  • The taking of risk is a natural part of running any enterprise; however, it is often not explicitly stated in the formulation of business decisions. The expression «risk» has often been exclusively associated with unwanted events, and risk management has been defined as analysing and restricting the probability and impact of undesirable events. This is only one dimension of the total picture. Evaluating positive outcomes is just as important a part of ERM as is evaluating negative outcomes because ERM is concerned with the whole picture and evaluating risk strategy in relation to a portfolio of risks.
  • The tasks of ERM and strategy are integrated and iterative processes. The objective of ERM is to ensure the correct amount of risk exposure, as evaluated against both the expected and desired level of achievement of the organisation’s objectives and in line with the risk appetite and business strategy of the Board and Executive Management. It is concerned with ensuring both the achievement of objectives as the enterprise develops and the appropriate management of the organisation’s assets, including human resources and reputation, as well as the avoidance of losses or waste as a result of undesired events. This will include matters occurring at all levels of the organisation. ERM must therefore be an integrated part of strategic activities.
  • In practice, this means that using ERM will ensure the best possible basis for arriving at decisions at the various levels of the organisation, so that the decisions made will support the overall objectives.
  • In essence, risk management is concerned with obtaining the best possible basis for decisions and facilitating the efficient and effective performance and monitoring of decisions made.
  • Risk management is more than the analysis and reporting of downside risk.
  • ERM means taking a holistic perspective; not just of the enterprise’s status at a given moment, but also probable positive and negative developments in the future. In this way it becomes a tool for the balanced prioritisation of resource utilisation.
  • Executive management will take decisions in respect of the organisation’s future. Very few decisions can be made which do not include a degree of uncertainty. Risk management’s field of expertise is in evaluating and communicating the uncertain elements so that there is a fully informed basis for taking a decision.
  • Risk management through its area of expertise will be rightly involved and contribute to decision-making at many levels in the organisation. Risk management in an ERM framework will bring a holistic version of risk taking account of the consequences and impact for the organisation taken as a whole and the CRO should be an important advisor to the organisation at all levels as well as to the Board.

I do have some serious issues with the document, especially:

  1. Their portrayal of heat maps and traffic light reports for risk reporting. The profession is moving on from these discredited techniques. I have advocated that reports should be designed to provide decision-makers with the information they need, when they need it, to make those decisions. Further, risk reporting should be fully integrated with strategy and performance management so leaders can see the projected level of achievement of enterprise objectives. Remember that risk is defined as “the effect of uncertainty on objectives”, so why not report what will happen to those objectives?
  2. A focus on risk appetite, which is a concept I find difficult to justify and use in practice. I much prefer talking about the ability of decision-makers to understand the effects of potential events and situations, weighing the pros and cons (or “risks and rewards”) of each option. There is a need in some areas for risk limits or criteria to direct daily activities, but an overall level of risk appetite makes little sense to me.
  3. Insufficient discussion of understanding the current and future needs for risk management within the organization. As ISO 31000’s third principle states, “Risk management is customized to your organization”[5].
  4. A missed opportunity to explain the role of internal audit when it comes to risk management. I suggest assessing whether “the management of risk meets the needs of the organization”. The document references the RIMS maturity model and one developed locally, but I prefer the one in Risk Management for Success.

Overall, IIA Nordics have made a serious contribution and I applaud them for it. Yes, there is more (as Alexei Sidorenko and others will point out for us), but this is the best publication on risk management from the IIA or its affiliates I have seen in a long time.

What do you think?

=================================================================

[1] Of which I am an Honorary Fellow

[2] While the IIA probably does not intend their recent risk management publications to be official IIA positions and guidance, they have not clearly marked it as such. They have assured me they will do so in future.

[3] These are better than the principles in the COSO ERM Framework.

[4] They are:

  1. Risk management is integrated into the organization’s processes.
  2. Risk management is structured and comprehensive.
  3. Risk management is customized to your organization.
  4. Risk management is inclusive and transparent.
  5. Risk management is dynamic, fluid, and responsive to change.
  6. Risk management takes into consideration the best available information.
  7. Risk management takes into account human factors and the company culture.
  8. Risk management encourages and drives continual improvement.

[5] I prefer the language in the earlier version, which uses the word tailored instead of customized.

  1. Anthony Barrow
    June 23, 2023 at 12:05 AM

    “The risk management function ensures the integration of risk management into decision making at all levels.” This is beyond the influence of the risk management function. It depends rather on the licence to operate it is given by Senior Management, its business case and the support it receives from internal audit and the audit committee.
    BTW, I agree very much with your reservations about risk appetite. It is very hard to apply in the public sector, where objectives are complex and hard to measure and the decision-making process is subject to political forces (i.e. doing nothing is not an option).