As enterprise risk management (ERM) continues to mature in organizations around the world, it has become clear that there are many different approaches to implementing it effectively. However, one of the themes that continues to evolve is the interaction and relationship between the chief audit executive (CAE) and the chief risk officer (CRO). The roles of these positions are highly interrelated and interdependent. In fact, in many organizations the CAE is the CRO.
Both the CAE and CRO functions have unique opportunities to strengthen and improve the organization's risk management processes. For this to happen, the CAE and the CRO must work together closely, collaborate on many aspects of ERM, and coordinate with each other to eliminate redundant efforts and leverage the work of the two functions. To optimize ERM, organizations must first ensure the CAE and CRO functions are optimized individually and are integrated with each other appropriately.
WHO LEADS ERM?
In September 2017, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued an updated ERM framework, Enterprise Risk Management--Integrating With Strategy and Performance. The revised framework defines ERM as "The culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value."
COSO's updated guidance includes five components and 20 principles intended to help organizations navigate an increasingly complex governance, risk, and compliance environment. Today's business world is driven by astounding advances in technology, new media channels, and wireless access and mobile devices. The recent update repositions the framework in five ways:
* Focuses on strategy.
* Clarifies that ERM isn't a standalone activity.
* Advances the debate about risk appetite and tolerance.
* Focuses on organizational value.
* Provides a good mechanism for assessing an organization's risk management practices.
The updated framework improves on COSO's previous framework. It recognizes the impact of culture and strategy on an organization's risk management practices, and importantly, it focuses on the creation, preservation, and realization of value.
However, the new framework does not provide guidance about which business function should be performing the wide variety of tactical activities that build the foundation for effective ERM. These activities include creating risk documentation, developing analysis and prioritization tools, designing governance and oversight processes, and establishing an ongoing process to ensure ERM is integrated into the culture and fabric of the organization. While the framework addresses some of these issues from a theoretical and strategic perspective, it leaves the implementation of specific activities up to each organization. Historically, the CRO or the CAE designed ERM based on the organization's culture and the past use of internal audit and risk management processes. The updated guidance provides minimal information about which role should be...