The Top Four Essential Objectives to Auditing ERM

Stephen E. McBride, CIA
2011 Governance, Risk, and Compliance Conference
August 29 – 31, 2011 / Orlando, FL, USA
Definition of key terms
Risk management principles & process
Recent financial events
Risk governance roles
Key areas of focus in establishing audit
Risk
• The possibility of an event occurring that will have an impact on the achievement of objectives. Measured in terms of likelihood and impact.
Risk Management
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives
Why Manage Risk?
• Decrease the cost of financial distress
• Reduce earnings volatility
• Facilitate optimal investments
Incorporate portfolio theory
Enterprise Risk Management
The application of risk management principles to all significant risks facing an organization
Risk Governance Roles
• Board of Directors
• Management
• Internal Auditors
Financial Events
Washington Mutual Bank
MF Global
Were these events:
– risk management process failures,
– implementation failures, or
– both?
Where to Begin
• Failures?
– Financial: Credit, Market, Liquidity
– Operational
– Strategic
• Review models, assumptions, derivatives, strategies, black swan?
• Top 4 objectives
1. Business Strategies and Risk
• Determine approval of risk appetite
• Determine understanding of business
Audit Objectives – Risk Appetite
1. Risk appetite – the entity’s risk appetite defines acceptable and undesirable risks.
2. Parameters for risk
1. Strategic – new products or initiatives
2. Financial – max acceptable loss or performance
3. Operating – capacity management, quality targets, environmental requirements.
2. Internal Environment
• The Board is active and possesses an appropriate degree of expertise
• Chief Risk Officer communication
• Management risk council reporting to the
• Management’s risk appetite is aligned throughout the organization
• Determine methods for ensuring the Code of Conduct is communicated and complied with across the organization
• Ensure results are properly communicated
• Determine whether executives comply with discretionary expenditures policies
Follow the Money
• Determine how management is rewarded for
3. Event identification
• Management identifies potential events
• Techniques are used to look at both the past and the future
• Event identification is robust
• Management understands how events relate to one another
4. Control Activities
• Management identifies control activities needed to ensure risk responses are carried out
• Policies are implemented consistently
• Conditions are investigated and appropriate corrective action taken
• General and application controls are
Volume of Exceptions
• Determine the volume of policy or internal control exceptions
• Determine steps taken for corrective action
• Determining the control framework and management practices in these areas will help determine risk culture
• Risk culture is the primary indicator of an organization’s risk management oversight and its likelihood of continued long term success