Is internal audit helping the organization get to the truth about its changing risk exposures? Does management understand and act on emerging risks in a timely manner? Are the right risks being elevated to the right people at the right time? Auditors who answer "no" to any of these questions are not alone.
Internal audit functions around the world are trying to help management keep its finger on the pulse of changing and emerging risks. Although emerging risks can sneak up on an organization with catastrophic impact, equally important are known risks that are changing without appropriate management attention or appreciation. The internal audit function at Devon Energy Corp., a Fortune 500 oil and natural gas exploration and production company, helps its management team identify both changing and emerging risks through a practical approach to enterprise risk management (ERM).
A Continuous Process
Devon's ERM process is driven by the company's audit committee and strongly supported by management. With Devon's chief audit executive reporting directly to the audit committee and administratively to the CEO, internal audit is in a great position to facilitate the ERM process.
Now in its sixth year, the ERM process helps management identify and better understand changing and emerging risks that could impact the company's achievement of its objectives. Risk management is built into how Devon operates — all employees play a role in identifying and managing risks every day. Consequently, it is vital that ERM aligns with the company's risk management processes, rather than becoming a bureaucracy that places an unnecessary burden on the business.
Five fundamental components of the ERM process enable Devon to identify and communicate the right risks to the right decision-makers at the right time:
- An enterprise risk inventory.
- Enterprise risk documentation.
- Risk group workshops.
- An annual ERM survey.
- An ERM steering committee.
Although each component contributes to Devon's ability to monitor the risk environment and identify changing and emerging risks, all five are most effective when applied as a continuous, interrelated process.
Enterprise Risk Inventory
At the core of Devon's ERM process is the enterprise risk inventory, which is embedded within each of the other four components. In developing this inventory, internal audit worked with management to identify and define significant risks across the company, including relevant emerging and changing risks.
After much consideration and refinement, Devon ended up with 17 risk categories and approximately 50 inherent risks that were customized to the company's business and culture. For example, environmental, health, and safety (EHS) could be a risk category with inherent risks such as environmental stewardship, worker safety, and EHS compliance. Once the company had developed a well-defined risk inventory, the resulting common language became the foundation for future discussions about risks that are changing or emerging as Devon's business and risk profile changes.
Enterprise Risk Documentation
Starting with the enterprise risk inventory, internal audit worked with more than 100 leaders and managers across the organization to help gain a better understanding of the 17 risk categories and inherent risks. To ensure consistency, auditors used a standard template to document risk information for each of the 50 inherent risks. This template included:
- An inherent risk overview (i.e., risk name, sponsor, definition, and scope).
- Contributing factors (i.e., issues and root causes that drive risks).
- Risk management activities (i.e., processes and controls that help manage risks).
- Changing and emerging risks.
- Risk management plans.
Auditors developed a one-page executive summary for each risk category to help highlight the most important changing and emerging risks. Internal audit discussed the executive summaries with the executive team, audit committee, and board.
Auditors team with risk sponsors to update the documentation package every 18 months. This provides a great opportunity for management to discuss, understand, debate, and appropriately act on Devon's changing and emerging risks.
Quarterly Risk Group Workshops
To keep the enterprise risk document evergreen, two or three similar risk categories are discussed quarterly during risk group workshops facilitated by internal audit. By grouping similar risk categories, the company is able to rotate through all of the risk categories every 18 months. The two-hour workshop typically includes six to 10 senior vice presidents and vice presidents from different departments.
The workshop's primary purpose is to provide management an open and honest forum to discuss the most significant changing and emerging risks. The first 15 minutes are used to anonymously vote on the "actual" and "desired" risk management effectiveness and prioritize the inherent risks based on the gap between actual and desired. Once the risks are prioritized, the bulk of the time is spent discussing the changing and emerging risks that are contributing to the gap. Changing or emerging risks are further discussed with executives as needed.
Annual ERM Survey
The updated enterprise risk document is made available as a reference during the company's annual ERM survey. The survey polls about 75 leaders, including Devon's executive team, to prioritize the 17 risk categories. This process allows managers to review any changing or emerging risks noted in the enterprise risk document as they complete the survey. Also, a section of the survey allows management to add risks for consideration.
Due to the recognized importance of the ERM survey process and its consistent application each year, 100 percent participation is common. Metrics such as financial impact, likelihood, velocity, and preparedness are used to help prioritize the risks. Internal audit creates numerous graphs and charts to provide the executive team with risk insights such as changing and emerging risks, year-to-year changes in risk status, and a comparison of risk perspectives between the executive team and management. Auditors discuss significant changing or emerging risks with the audit committee and board as appropriate.
ERM Steering Committee
To provide oversight and guidance to the ERM process, Devon's executive team serves as the ERM steering committee. The committee allocates two meetings a year to changing and emerging risks obtained through the ERM survey, enterprise risk documentation, and quarterly risk group workshops.
The committee is another important component of the ERM process that ensures Devon is able to address ever-changing risks in a dynamic business world. Internal audit can contribute by facilitating the timely identification and communication of changing and emerging risks.