As enterprise risk management (ERM) continues to mature in organizations around the world, it has become clear that there are many different approaches to implementing it effectively. However, one of the themes that continues to evolve is the interaction and relationship between the chief audit executive (CAE) and the chief risk officer (CRO). The roles of these positions are highly interrelated and interdependent. In fact, in many organizations the CAE is the CRO.
Both the CAE and CRO functions have unique opportunities to strengthen and improve the organization’s risk management processes. For this to happen, the CAE and the CRO must work together closely, collaborate on many aspects of ERM, and coordinate with each other to eliminate redundant efforts and leverage the work of the two functions. To optimize ERM, organizations must first ensure the CAE and CRO functions are optimized individually and are integrated with each other appropriately.
Who Leads ERM?
In September 2017, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued an updated ERM framework, Enterprise Risk Management–Integrating With Strategy and Performance. The revised framework defines ERM as “The culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value.”
COSO’s updated guidance includes five components and 20 principles intended to help organizations navigate an increasingly complex governance, risk, and compliance environment. Today’s business world is driven by astounding advances in technology, new media channels, and wireless access and mobile devices. The recent update repositions the framework in five ways:
- Focuses on strategy.
- Clarifies that ERM isn’t a standalone activity.
- Advances the debate about risk appetite and tolerance.
- Focuses on organizational value.
- Provides a good mechanism for assessing an organization’s risk management practices.
The updated framework improves on COSO’s previous framework. It recognizes the impact of culture and strategy on an organization’s risk management practices, and importantly, it focuses on the creation, preservation, and realization of value.
However, the new framework does not provide guidance about which business function should be performing the wide variety of tactical activities that build the foundation for effective ERM. These activities include creating risk documentation, developing analysis and prioritization tools, designing governance and oversight processes, and establishing an ongoing process to ensure ERM is integrated into the culture and fabric of the organization. While the framework addresses some of these issues from a theoretical and strategic perspective, it leaves the implementation of specific activities up to each organization. Historically, the CRO or the CAE designed ERM based on the organization’s culture and the past use of internal audit and risk management processes. The updated guidance provides minimal information about which role should be performing specific ERM activities. Unfortunately, because the role of each of these functions is unclear and often depends on the personalities and skills of the individuals performing the jobs, many organizations end up with an ERM process that is not as efficient or effective as it could be.
The CAE's Role
The International Professional Practices Framework (IPPF) says internal auditing “helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” The IPPF definition specifically tasks the CAE with the responsibility for evaluating and improving an organization’s risk management processes. The CAE should perform periodic risk assessments of the organization, create an organizational audit plan to evaluate the effectiveness of internal controls, and advise management on opportunities to strengthen and enhance controls.
Generally, this process requires development of an enterprise risk assessment that leverages risk assessments from various parts of the organization such as financial and operational processes, project management, IT, supply chain, and other business functions. It also may incorporate relevant risk assessments that management has performed related to strategy, operations, and compliance. The risk assessment process should result in a continually updated audit plan that includes engagements and tests that will allow internal audit to provide management with independent and objective assurance around the effectiveness of the organizational control environment.
The activities that allow internal audit to gather risk assessment data include discussions with management, reviews of policies and procedures, and surveys. To analyze the data, auditors must document and prioritize it based on the organization’s needs. Many CAEs and management teams prefer the risk assessment data to be visualized by using charts, graphs, and heat maps. Internal audit’s risk assessment analysis should culminate with an enterprisewide risk register and a prioritized list of organizational risks that helps the CAE determine the optimal audit engagements for the organization.
The CRO's Role
The role of the CRO continues to evolve. CROs are responsible for implementing a consistent, integrated risk management framework throughout the organization. They oversee an enterprise risk assessment, articulate the risk appetite, and familiarize the organization, its shareholders, regulators, and rating agencies with the ERM program. Moreover, they ensure the organization has developed ways to mitigate risks to its objectives and create a risk-aware culture across the organization.
The CRO may function under a variety of names: head of enterprise risk management, head of risk, director of enterprise risk management, or director of risk. Whatever the official title, COSO’s updated ERM framework indicates that the CRO often is responsible for providing expertise and coordinating risk considerations. Yet surprisingly, other than a brief mention, the framework is silent regarding the CRO’s role in ERM.
In practice, the CRO may have a background in insurance, disaster recovery, finance, IT, internal audit, compliance, or other disciplines. However, as ERM matures, more organizations are appointing CROs who have the ability to contribute at an executive level. As a strategic function, the CRO has become critical to helping organizations achieve their overall objectives by ensuring risk management functions are integrated across the organization and advising management about policy and decision-making.
The skills that make a CRO successful include the ability to advise executives and the board, collaborate with operational business leaders to identify risks, recommend opportunities to strengthen risk mitigations, and communicate with all levels of management and external stakeholders such as regulators. On top of these skills, CROs need a thorough understanding of the business. Managing risks is everyone’s job, but the CRO must be able to consolidate input from numerous broad disciplines and identify ways to add value cost-effectively.
Much like the CAE's, the activities that allow the CRO to execute his or her duties include performing enterprisewide risk assessments and leveraging risk assessments that are already performed in other parts of the organization. The CRO uses many of the same tactics, such as discussions with management, interviews with subject-matter experts, analysis of risk metrics, and surveys. The CRO also will create a prioritized list of risks.
The primary difference between the CRO and CAE roles in ERM is that the CRO participates in the organization's risk decisions and often is directly involved in facilitating them. On the other hand, it would conflict with a CAE's independence if he or she were making risk decisions for the management team.
The CAE and CRO share many common objectives. They both provide reasonable assurance that the organization is capable of achieving its objectives. To accomplish this, they evaluate the risk environment, ensure the management team is focused on the appropriate risks, and advise management about opportunities to improve risk management and comply with laws, regulations, and company policies.
The CAE and CRO both should be following the organization’s structured risk management framework, including using common risk management language, interviewing the owners identified for each risk, and using the results of the analysis and prioritization aspects of the framework. By following the organization’s framework, the two functions can reinforce the importance of risk management, educate business users about the process, and extend awareness of risk management to other employees.
To succeed in their roles, both functions require leaders who have strong interpersonal skills in addition to their technical expertise. In their interactions with senior executives, the CAE and CRO must be able to communicate clearly, facilitate difficult meetings, and articulate complex issues concisely. Also, both roles require individuals who can conceptualize strategic issues and advise executives and the board about potential strategic risk management opportunities.
Opportunities for Collaboration
Because of their common objectives, as well as similar and sometimes overlapping roles, the CAE and CRO must work closely together. By collaborating, the two functions can have a combined effect that will benefit the organization more than the sum of their separate effects and enable its risk management processes to operate more effectively.
Create Complementary Charters
To ensure a good understanding of their roles, the risk and audit functions each need to develop charters describing their purpose, roles and responsibilities, reporting structure, and authority. The audit committee should review and approve the CAE’s charter annually, while the risk committee, or its equivalent, should approve the CRO’s charter each year.
Document Responsibilities
Documenting which role should be responsible, accountable, consulted, and informed using a RACI matrix can help clarify and facilitate an improved understanding of each function’s role. The combination of a charter and a RACI matrix can improve the effectiveness of both functions significantly and eliminate unnecessary effort.
Collaborate on the Enterprise Risk Assessment
Because both functions rely heavily on an enterprise risk assessment, the CAE and CRO should specifically identify the risk criteria that are important in their organization. By agreeing in advance on the content, layout, language, and approach to the risk assessment, both functions will be able to use the same information.
Coordinate on the Audit Plan
The CAE should work closely with the CRO to ensure the organization’s internal audit plan is designed to address organizational risks identified by the enterprise risk assessment. This can be accomplished by mapping and cross-referencing each of the planned audits to match the organization’s risk profile. For example, if the risk function has identified cybersecurity as a key risk, the audit plan should consider audits relating to vulnerability assessments, penetration tests, and access controls. By ensuring the organization’s most important risks have an independent and objective audit process, management and the board should have more assurance about the overall risk management process.
Address Potential Conflict or Rivalry
Despite the critical nature of both roles, CROs and CAEs may disagree because of conflicting priorities, internal politics, and competition for resources. Open, frequent, and regular communication between the CAE and the CRO provides a good mechanism to address these issues.
The CAE as ERM Leader
In many organizations, the CAE is heavily involved in ERM activities. These CAEs act as facilitators, working with risk leaders throughout the organization to document risks, execute risk surveys, and chart and graph the risks after the management team has prioritized them. By facilitating and overseeing some of the ERM-related activities, the internal audit function can fulfill its responsibilities and add value as an integral part of the organization, as suggested by the Definition of Internal Auditing.
The IIA position paper, “The Role of Internal Auditing in Enterprise-wide Risk Management,” presents a range of ERM activities an effective internal audit function should undertake. The most important safeguards that protect internal audit’s independence and objectivity include documenting internal audit’s role in the internal audit charter that has been approved by the audit committee, clarifying that management remains responsible for risk management, and ensuring internal audit does not make risk management decisions. Moreover, CAEs should apply the relevant International Standards for the Professional Practice of Internal Auditing, including Standard 2120: Risk Management, 2010: Planning, and 2050: Coordination and Reliance. If the audit committee decides to use its internal audit function in an ERM leadership role, these issues should be discussed with the audit committee and the executives to ensure roles are clear.
Regardless of whether the CAE is leading ERM, the CAE should be intentional about developing an audit plan that integrates into the ERM program. One effective way to ensure adequate coverage is to organize the audit plan by ERM risks. Internal audit should identify the organization’s key risks and determine the relevant audit programs from the audit plan by each risk area. This approach provides comfort that the audit plan covers the key risks.
Virtually all industries face difficult challenges in managing risks in a complex, rapidly changing environment. That makes having effective risk managers in place a priority as organizations struggle to develop risk management programs that fit their specific circumstances. By working together, the CAE and CRO can improve risk awareness and develop a stronger overall ERM process that positions risk managers to meet the needs of their organizations.