ERM: a status report; A study funded by The IIA Research Foundation reveals how far organizations have come in developing enterprise risk management and internal auditing's role in the process

Internal Auditor, Feb, 2005 by Mark S. Beasley, Richard Clune, Dana R. Hermanson

ENTERPRISE RISK MANAGEMENT (ERM) IS DEMANDING its share of attention from management and internal auditing, but it still has a respectable distance to go before receiving its due. In September, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the final version of its ERM framework, Enterprise Risk Management--Integrated Framework, which outlines internal auditing's role in supporting ERM. An exposure draft of the framework had been issued more than a year before the final release, and many organizations have embraced ERM. Still, fewer than half the organizations responding to an IIA Research Foundation survey have an ERM framework--full or partial--in place. Those organizations that do not have an ERM framework are evenly divided as to their plans: one-third plan to implement ERM in the future; one-third have no plans to implement ERM, and one-third have yet to make a decision regarding ERM.

Thus, it appears that adoption of ERM is still evolving. In light of the increasing interest in the topic of risk management, as well as internal control reporting, it would seem that most organizations ultimately will implement ERM, and the survey results support this. But ERM adoption may not occur immediately. As one respondent commented, "Internal auditing believes this is an important issue and needs greater support for the idea of ERM. Funding seems to be the biggest stumbling block at the moment, and no one area wants to be responsible for this function."

The COSO framework lays out key elements of a process for managing all types of risk (see "Bringing ERM into Focus," Internal Auditor, June 2003). It calls for internal audit functions to "assist management and the board of directors or audit committee by examining, evaluating, reporting on, and recommending improvements to the adequacy and effectiveness of the entity's enterprise risk management processes." This call from COSO is consistent with the IIA's definition of internal auditing, which specifically mentions "risk management, control, and governance processes" as elements of internal auditing's responsibilities.

Given the rising interest in ERM and the existing focus of many internal auditors on risk management, a study funded by the IIA Research Foundation was conducted to examine internal auditing's involvement in ERM and to extend two previous IIA Research Foundation studies--Enterprise Risk Management: Trends and Emerging Practices (2001) and Enterprise Risk Management: Putting It All Together (2002). The specific objectives of the new study were to: (1) gather information on organizations' stage of ERM development and specific risks addressed and (2) assess the role of the internal audit function in organizations' ERM processes, including the impact of ERM on internal auditing.

RESEARCH METHOD AND RESPONDENTS

In spring 2004, an electronic communication from The IIA directed more than 1,700 IIA Global Auditing Information Network (GAIN) members to an online survey, The Role of the Internal Audit Function in Enterprise Risk Management. The findings discussed here are based on 175 survey responses received after two invitations to complete the online survey. Approximately 90 percent of respondents identified themselves as chief audit executives (CAEs), the primary intended target for the survey.

"Overview of Respondents," at left, presents selected characteristics of the survey respondents. Although most respondents (nearly 70 percent) were from U.S. organizations, the sample also included representation from several other countries, including Canada, Great Britain, and Australia. There was a broad response across industries, with no one industry representing more than 15 percent of the sample. The greatest concentrations were in manufacturing, the financial sector, education, and government.

The responding organizations were relatively large, with median 2003 revenues of $1.3 billion; the median number of internal auditors in the organization was nine. In addition, the respondents generally were quite familiar with COSO's proposed ERM framework, with a median familiarity rating of 4.0 on a scale where 1 equals "not at all familiar" and 5 equals "very familiar."

THE CURRENT STAGE OF ERM DEVELOPMENT

Respondents were asked to indicate the stage of ERM development in their organization, ranging from "complete ERM framework in place" to "no ERM framework in place and no plans to implement one." As illustrated in Panel A of "Stage of Organization's ERM Development and Specific Risks Addressed," at right, the respondents reported a wide range of ERM adoption in their organizations. Although 11 percent of surveyed organizations have a complete ERM framework in place, and 37 percent report a partial ERM framework, 17 percent of surveyed organizations have no plans to implement ERM. Seventeen percent of the organizations have yet to make a decision regarding ERM, and 18 percent plan to implement ERM in the future.

The survey asked the respondents in organizations with full or partial ERM frameworks in place (84 organizations) to indicate the degree to which their framework addresses various risk areas, using a scale from 1--not at all--to 5--extensively. The results are presented in Panel B of "Stage of Organization's ERM Development and Specific Risks Addressed." The risk areas receiving the most attention were financing/investing/financial reporting risks (4.2) and legal/regulatory risks (4.2). Strategic/market/industry risks (3.9) and reputation and political risks (3.8) received the least attention.

 


Content provided in partnership with Thompson Gale