Role play: internal auditors differ in their opinions on just what part they should play in the implementation of their organization's enterprise risk management

Internal Auditor, April, 2005 by Russell A. Jackson

IT IS, PERHAPS, A TESTAMENT to the comprehensiveness and flexibility of recent practice guidance on the role of internal auditing in enterprise risk management (ERM) that reasonable minds disagree so strongly on how that guidance should be put into practice. According to some experts, one thing is clear in the guidance: Chief audit executives (CAEs) should not helm their companies' ERM efforts. When they do, their line of thinking goes, both ERM and internal auditing suffer. On the other hand, some experts say that the bottom line is making sure both functions are carried out. If the CAE is the only one willing, able, and politically powerful enough to get the job done, then he or she should do it. In the middle, of course, are the experts who say "guidance" means just that: "guidance." Each company should have the freedom to implement the guidance however its specific culture requires.

At issue are the recommendations in two important documents: The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management--Integrated Framework and "The Role of Internal Audit in Enterprise-wide Risk Management," a position paper issued by The IIA in coordination with the IIA UK and Ireland. A key element of the latter is "the fan"--a graphic that ranks ERM-related functions by their appropriateness to the internal audit function (see "Internal Auditing's Role in ERM," this page).

Although the guidance these documents contain is specific enough to have meaning in any company in any country, it is also general enough that it can be applied--and the processes it recommends implemented--in a variety of ways. That generality is the source of the debate over how rigid the documents' guidelines actually are. Is "always" appropriate in an increasingly complex global market? Is "never" appropriate when companies of vastly different sizes, corporate cultures, values, and missions are trying to accomplish basically the same goals by basically the same means? Does guidance on the role of internal auditing in ERM lose its muscle if it is not followed as close to the letter as possible? Views within the internal audit profession vary--and most experts' opinions, in fact, vary from one task to another. Not surprisingly, there are no black-and-white views on internal auditing's role in ERM, any more than there are black-and-white situations in which to apply those views.

MAINTAINING INDEPENDENCE

At RadioShack Corp. in Ft. Worth, Texas, executives wanted to create a culture in which risk management was inherent in key business decisions. They established a team to manage the firm's move to ERM. Kenneth G. Barna, vice president for internal audit/controls, represented the internal audit department, and a colleague represented corporate compliance. The pair co-chaired the ERM-development committee. "We realized that ERM can't be looked at as a separate function," Barna says. "It has to be integrated into the organization's day-to-day operations. We worked with a representative from strategic planning and used a cross-functional team approach." In so doing, he says, he learned there are occasions when an internal audit department with the best of intentions must not get involved.

One of the trickiest situations, he says, is when a manager with legitimate responsibility for risk response says, in effect, "Tell me what I should be doing." It must be the responsibility of management, not internal auditing, Barna emphasizes, to put together a draft response to risk. "That," he stresses, "is absolutely critical." Similarly, he continues, the CAE must demur if management asks the internal audit department to determine the company's risk appetite. "One of the risks is when the internal audit department is highly regarded by the management team and managers want the auditors to transition from establishing an ERM framework to actually consulting on it. They'll say, 'Help us get it done.' But there are certain tasks internal auditing can't do--developing risk appetite is one of them. Management must understand the risk and decide on a response that makes sense."

Steve Jameson, formerly assistant vice president for technical services at The IIA, was directly responsible for drafting the initial IIA Practice Advisory on the Internal Auditor's Role in Risk Management and served as The Institute's representative to COSO for its ERM project. Jameson, who now serves as executive vice president and chief internal audit and risk officer at Community Trust Bank in Pikeville, Ky., agrees that the right executives--not the internal audit department--must own the risk. That can be facilitated, he says, by making sure the CAE is part of the thought process, but not part of the decision-making process. "I have internal auditing, loan review, compliance, and security reporting to me," he explains, "and I also coordinated the development of our ERM program. During the development process, regulators asked me how I segregate what I do as chief auditor and what I do as chief risk officer. And they wanted to make sure the board knew I had multiple roles. I said, 'I follow the guidance. I don't own the risk.'" Jameson does that, he says, by sitting on a lot of committees as a nonvoting member so that he doesn't impair his independence.
