CONTRASTING ENTERPRISE RISK MANAGEMENT AND INTERNAL AUDIT

Ever since ERM was introduced into banking, the question keeps arising: why do we need another risk management function?  We already have Audit, both internal and external, not to mention compliance, often embedded in each line of business in addition to the central function, so how many more layers of “checking the checkers” do we really need?  Setting aside the regulatory factor, i.e. adding functions and reports just to pacify the regulators, where is the value-add of this function?

Bill Perotti of Frost Bank shared at our recent Enterprise Risk Management Forum how Frost has communicated the yin and yang of Audit and ERM.  Many of the points below came from his acute mind and analysis.

  • Looking back vs. forward.  Internal audit reviews the past and ensures that what occurred complied with bank policies and was accurately reported.  Risk Management is proactive and predictive.  Its focus is looking forward and identifying risks that require further mitigation across the company, as well as highlighting capital allocation decisions and their risk-adjusted implications.
  • Fix vs. prevention.  Internal audit identifies weaknesses already present in the enterprise and prescribes actions to correct them.  Effective risk management prevents those weaknesses from arising by spotting future risks and identifying effective mitigations that avoid the level of risk that would otherwise be left unmanaged.
  • Audit observations vs. internal assessments.  Audit assesses the performance of different departments and lines of business in the bank, then publishes findings including risk ratings for each area.  ERM functions typically rely on each department’s self-assessment of the risks embedded in its activities and how effectively those are mitigated.  ERM should not be another “check the checkers” function but a facilitator of self-scrutiny and self-generated solutions.
  • Assurances vs. risk quantifications.  The audit function provides assurances that things are done according to policies and procedures.  It inspects and then verifies that what actually happens in reality is consistent with policy requirements.  Risk management, on the other hand, is focused on quantifying, measuring and offering mitigations to current and future risks.  Management might be assured through Audit that the risks are being managed according to policy, but ERM measures the risk itself and its impact on income and capital levels.  Management might then determine that the risk is too high even if the practices are in full compliance with policy.  
  • Risk-based or random process vs. detailed, consistent process.  The audit process is designed to randomly pick samples of activities and processes and then establish whether they were conducted appropriately.  Risk management looks at the entire business and the risks it entails, then systematically assesses whether the risks were effectively mitigated and paid for; it also evaluates their trends.  ERM looks at the entire activity and business, rather than evaluating procedural accuracy through sampling.
  • Risk management program assessment vs. management.  Audit assesses whether the risk management program in each department is consistent with expectations, established processes, etc.  It is ERM that establishes the process by which risk is being managed in each department and throughout the organization.  It provides the framework for the audit itself.
  • Consulting vs. ownership.  The audit department functions outside the business lines.  It maintains independence and offers advice and counseling to the businesses to optimize their risk management, compliance and accurate reporting.  ERM owns the entire risk management process and is accountable for its effectiveness system-wide.  It is expected to set policies, risk tolerance levels and procedures that will ensure the organization does not incur risk beyond its risk appetite and tolerance, which necessitates developing a clear understanding of the company’s risk appetite in the first place.
  • Risk process review vs. process development.  Again, the audit function reviews and evaluates, while the risk management function develops the framework and policies which are then implemented and self-assessed by each department.

In sum, the risk management function needs to propose to executive management and the board the appropriate risk appetite for the company, along with the process it recommends for measuring the resultant risk and ascertaining that it stays within the set parameters.  It then reports ongoing measurement results to the board’s risk management committee.  The audit function takes the framework established by the risk management area and the board, examines the various departments to see whether that framework is working as planned, and reports its findings to the audit committee.

Lastly, an important differentiator of the risk management function is its attention to enterprise strategic risk.  It is the body that questions the ongoing effectiveness of the company’s business model and works at measuring that risk.  Among the elements to be considered when evaluating the strategic risk of the company are:
For executive management:
  • Quality of the strategic plan
  • Process for developing strategic initiatives
  • Impact of initiatives on day-to-day decision making and business operations
  • Accountability for effective execution of strategic initiatives
  • Plan consistency across businesses (ensuring we don’t work at cross-purposes due to competing initiatives)

For line management:
  • Decision making using the strategy as the guidepost
  • Impact of initiatives on organizational nimbleness (decision making speed)
  • Initiatives’ impact on customer focus
  • Initiative execution
  • Forward looking initiatives
  • Initiative understanding at all levels of the organization (how effectively were they incorporated into the culture)

While these questions are generally qualitative, the answers can offer practical insights into the company’s effectiveness in strategy development and execution, a key activity for long-term health and survival.