Bank Board Letter — July 2014
Mike Ososki

Enterprise risk management is a valuable tool to assist institutions in dealing with the uncertainty in our banking environment. An ERM program can facilitate the identification of risk and opportunity while enhancing the capacity to build value. However, audit committees, boards of directors and management often have difficulty identifying a champion to lead and guide implementation and execution of an ERM program. An internal auditor is uniquely positioned to help those charged with governance lead the effort to successfully embrace ERM.

Internal auditors can have vitally important roles in the ERM function. The internal audit role is best positioned to fully understand the scope of an institution’s business strategies and related strategic risks. Working closely with the audit committee, board of directors and management offers great insight into understanding the institution’s risk management philosophy and overall risk appetite. Interaction with line management allows for great understanding of day-to- day operations and the risks associated with implementing strategic goals and objectives.

Stakeholders must understand and give appropriate attention to the business strategies and the risks related to implementing those strategies. Internal audit can facilitate discussions with stakeholders to identify areas of the risk assessment process that present the most significant risks to shareholder value. Using internal audit to help stakeholders focus on the vital few risks rather than the trivial many risks allows for more efficient ERM implementation or execution. Continuously monitoring and assessing stakeholder expectations on risk appetite also is well-suited for internal audit.

If your institution is just starting an ERM journey, consider utilizing internal audit to create an inventory of your existing risk management practices. A review of critical control systems and existing risk management practices can create significant value in your institution by identifying areas where risk identification and mitigation already occur. Reviewing business plans, budget-to-actual analysis and financial statements to assess risk in strategic objectives are crucial activities for an internal auditor.

Examples of other core roles an internal auditor could perform include:
• Conducting reviews with management of key and emerging risks.
• Giving insight on whether risks are correctly evaluated.
• Evaluating current reporting of identified strategic and emerging risks.
• Assisting stakeholders in defining risk tolerances where none have been identified, based on internal audit’s experience and judgment.
• Creating a risk-based approach with appropriately tailored internal audit plan to test compliance with strategic objectives and goals established by the board of directors.

Internal auditors also can expand their involvement in execution accountability and authority over the ERM program resides with management. Expanded roles could include:
• Working with management to develop a risk management strategy for board or audit committee approval.
• Consolidating the information received from the lines of business to report results of the ERM program.
• Coordinating ERM activities, e.g., risk management committee meetings, reporting to the applicable governance committee and following up on pending tasks.
• Identifying the best frequency on which to report key risk indicators.
• Comparing institution’s actual results on key risk indicator reporting with applicable peer groups or relevant industry data.

Building stronger and less adversarial relationships with risk managers, line management and front-line employees is a byproduct of internal audit involvement in the ERM function. Interaction facilitated by internal audit with all parties will allow for the identification and sharing of best practices in risk management, The discussion between internal audit and management regarding the adequacy and effectiveness of risk treatment strategies adds value to the ERM process by identifying areas where resources should be devoted to test risks associated with following business strategies.

Education and training of ERM stakeholders also can be a value add for internal audit, The skills of an internal auditor are well-suited to assist all parties in understanding the implementation and execution of an ERM initiative. Internal audit can provide its own thoughts on particular business lines, products or services that might be more susceptible to risk and require more focused testing.

The evaluation of strategic risks also can lead to more comprehensive identification of emerging risks and whether sufficient monitoring occurs. By educating boards of directors, audit committees and management, internal audit can assist in shaping leadership’s understanding of risk management strategies, leading to more informed, timely and proactive decision-making.

Adequate safeguards are a necessity to prevent the internal audit function from overstepping its role in implementing and executing an ERM program, The nature of internal audit’s responsibilities for ERM should be documented in an audit charter and approved by the audit committee. Internal audit should not be responsible for managing risks or making decisions on behalf of management. However, internal audit can provide advice and input about decisions made under the ERM framework, though it should not have any responsibility in decision making.

Roles an internal auditor should not undertake in an ERM function include:
• Setting risk appetite by concluding on risk capacity, risk tolerance and desired risk level.
• Taking responsibility for the risk management process.
• Implementing responses to identified risks on management’s behalf.
• Giving assurance that identified risks are complete.
• Testing compliance with the ERM function if the internal audit function is responsible.

There are numerous benefits in implementing an ERM function in today’s volatile business environment. Many newly formed and existing ERM programs lack full transparency among all parties participating in risk management. However, internal auditors have an opportunity to be integral team members in the ERM function by obtaining and cultivating the necessary skills to educate stakeholders on the value of internal audit’s participation in the ERM process.

Internal auditors can help stakeholders improve their understanding of key business risks while meeting an institution’s strategic goals and objectives. More informed risk-taking and decision-making can result from using the strengths and competencies of your internal audit function through its participation in implementation and execution of an ERM program.

Article reprinted with permission from BKD, LLP, A ll rights reserved. Mike Ososki is a certified public accountant at BKD, LL P Contact him at