Is internal audit helping the organization get to the truth about its changing risk exposures? Does management understand and act on emerging risks in a timely manner? Are the right risks being elevated to the right people at the right time? Auditors who answer "no" to any of these questions are not alone.
Internal audit functions around the world are trying to help management keep its finger on the pulse of changing and emerging risks. Although emerging risks can sneak up on an organization with catastrophic impact, equally important are known risks that are changing without appropriate management attention or appreciation. The internal audit function at Devon Energy Corp., a Fortune 500 oil and natural gas exploration and production company, helps its management team identify both changing and emerging risks through a practical approach to enterprise risk management (ERM).
A Continuous Process
Devon's ERM process is driven by the company's audit committee and strongly supported by management. With Devon's chief audit executive reporting directly to the audit committee and administratively to the CEO, internal audit is in a great position to facilitate the ERM process.
Now in its sixth year, the ERM process helps management identify and better understand changing and emerging risks that could impact the company's achievement of its objectives. Risk management is built into how Devon operates--all employees play a role in identifying and managing risks every day. Consequently, it is vital that ERM aligns with the company's risk management processes, rather than becoming a bureaucracy that places an unnecessary burden on the business.
Five fundamental components of the ERM process enable Devon to identify and communicate the right risks to the right decision-makers at the right time:
* An enterprise risk inventory.
* Enterprise risk documentation.
* Risk group workshops.
* An annual ERM survey.
* An ERM steering committee.
Although each component contributes to Devon's ability to monitor the risk environment and identify changing and emerging risks, all five are most effective when applied as a continuous, interrelated process.
Enterprise Risk Inventory
At the core of Devon's ERM process is the enterprise risk inventory, which is embedded within each of the other four components. In developing this inventory, internal audit worked with management to identify and define significant risks across the company, including relevant emerging and changing...