While Enterprise-wide Risk Management may in some ways still be considered in its infancy, risk is inherent in all enterprises and risk management is not a new phenomenon. Various empirical studies have been carried out by researchers to discuss the role and significance of holistically tackling the problem of Risk in modern day enterprises. This literature review will attempt to synthesise multiple sources of literature to bring to light the importance of implementing a robust Enterprise wide Risk Management framework to mitigate the inherent problem of Risk in organisation
The chapter reviews available literature related to the role of Internal audit in Enterprise-wide risk management. It incorporates both theoretical and empirical review and links it to the current study in analysing the roles and impact of Internal audit in Enterprise-wide risk management.
2.2. Theoretical Review
2.2.1 The Roles of the Internal Audit function in Enterprise-wide Risk Management
2.2.1.1 A history of Internal Auditing
Internal Auditing has come a long way over the last two or three decades (Pickett 2004:10). In years gone by, Internal Auditing was simply employed to double-check financial transactions and consisted of basic tests of the accounts with a view to identify and isolate errors and irregularities. (Pickett, 2004). In contrast, the present day Internal Auditor facilitates the development of suitable controls as part of a wider risk strategy providing assurance on the reliability of these controls. (Deloitte, 2012) There has been a move to executive-level consultations on corporate risk strategies, a departure from basic checks at lower levels of large volumes financial transactions.
The current study illustrates how the present day internal auditor has stepped away from the historical roles and into roles of significance in the implementation on Enterprise-wide risk management.
2.2.1.2 Definition of Internal Auditing
Definitions of Internal Audit vary from those that simply emphasize the role of Internal Audit in evaluation of internal controls to modern definitions that holistically comprise of most Internal Audit functions. In 1999, the Institute of Internal Auditors revised the definition of Internal Auditing to include both assurance and consulting activities across the three related areas of risk management, control and governance (Institute of Internal Auditors, 2009). Since then Internal Auditing has been popularly and holistically defined as an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (Institute of Internal Auditors, 2002)
The Internal Audit function became a focal point after the collapse of various large enterprises (Pickett, 2004). Larger organizations began to place an emphasis on Enterprise-wide Risk Management not simply as a reporting requirement but more as an effective business tool that if properly employed, improves organisational performance (Institute of Risk Management, 2010) The corporate executive's management had renewed its interest in risk management and developed a new profound interest in Internal Auditing (Beasley, Clune and Hermanson, 2004).
With this renewed interest in Risk Management emerged ERM resulting in a paradigm shift in the role of the Internal Audit function. Internal Audit's use of a risk-based approach lent itself to an interest in the ERM process (Beasley, Clune and Hermanson 2004). The Internal Audit profession realised that it would have to adapt to the changing environment in which it operated and after a study in 2012 that Price Waterhouse Coopers performed on the perceived status of Internal Auditing in 2012, Price Waterhouse Coopers concluded that the rapid growth of the profession and the many changes in the business environment made it essential for the Internal Audit profession to adopt new mindsets if it wanted to remain a role-player in the future(Price Waterhouse Coopers, 2012). Bartsiotas (2008) pointed out that the Internal Auditors should put forward suggestions and help the managerial staff fulfil its responsibility through monitoring the adequacy and the effectiveness of the risk management. Gill (1999) concurred and highlighted that Internal Auditors should not aim to change their role to that of a risk manager but rather work together with all other risk management and monitoring functions within the organisation to help achieve aligned and streamlined total risk management.
Thus came the global move towards an enterprise wide approach to risk management, with Internal Auditors playing a key role in providing both assurance and consulting services with respect to the management of risk within their organisations (Sarens & De Beelde, 2006). These varying definitions of Internal audit assisted the researcher in analysing the extent to which the internal audit function can play a role in enhancing Enterprise wide risk management.
2.2.1.3 The Roles of Internal Auditors
The concept of risk is fundamental to the Internal Auditing role (Pickett, 1997). Internal Audit deals with controls which are designed to ensure that objectives are achieved; risk may prevent this. Largely, risk should be reduced by adequate controls, and the greater the degree of risk, the greater the need for good controls. Internal Audit thus plays a major role to help to minimise the level of risk that threatens the organisation.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework directed Internal Auditors to assist management and the board of directors or audit committee by examining, evaluating, reporting on, and recommending improvements to the adequacy and effectiveness of the entity's Enterprise-wide Risk Management (COSO, 2004). This shift in Internal Audit's stated roles in the risk management function from a traditional monitoring and assurance role, to one of consulting and general oversight of the entire process was not wholeheartedly embraced and was often not fully understood. (Hall, 2007) Many organizations went to either extreme in their use of Internal Auditing in their risk management approach. (IIA and RIMS 2012). Some organizations began to have Internal Audit departments assume ownership over business risks while others restrained Internal Auditors to a strict monitoring role (Hall , 2007).
According to Standard 2120 (Institute of Internal Auditors, 2009) the Internal Audit Function must evaluate the effectiveness of the risk management process. The risk management process is a key responsibility of management and Internal Auditors acting in a consulting role can assist management in identifying, evaluating and implementing Enterprise-wide risk management methodologies and controls to address those risks (Institute of Internal Auditors, 2004).
Zwaan, Stewart and Subramaniam (2011) argue that while Internal Audit engagement in ERM can add value to the organisation, there is also a risk that it could lead to a compromise of independence and objectivity. Recognising this possibility, the IIA issued a position paper delineating the core roles of Internal Audit in regard to ERM, the roles that Internal Audit can legitimately undertake providing safeguards are in place, and roles that Internal Audit should not undertake (Institute of Internal Auditors, 2004). According to Internal Audit Practice Advisory (Institute of Internal Auditors, 2009) and an IIA position paper (Institute of Internal Auditors, 2004), the ideal role for Internal Auditing is to verify the adequacy and effectiveness of the risk management process to verify whether management has planned and designed the process in such a manner that it provides reasonable assurance that the company's objectives and goals will be achieved.
The (Institute of Internal Auditors, 2004) highlights the core Internal Audit roles in regard to ERM as;
Giving assurance on risk management processes
Giving assurance that risks are correctly evaluated
Evaluating risk management processes
Evaluating the reporting of key risks
The above mentioned are Assurance activities that an Internal Audit function operating in accordance with the International Standards for the Professional Practice of Internal Auditing can and should perform. The current study sought to investigate if the internal audit function in Zimbabwe is operating in accordance according to Professional practice standards.
The (Institute of Internal Auditors, 2004) goes on to further highlight legitimate Internal Audit roles with safeguards as follows;
Facilitating identification and evaluation of key risks
Couching management in responding to risks
Coordinating ERM activities.
Consolidating the reporting on risks.
Maintaining and developing the ERM framework
Championing establishment of ERM
Development risk management strategy for board approval.
The above listed are consulting roles that Internal Audit may assume in ERM with safeguards in place. The current study sought to investigate if these roles are carried out in practice.
Finally the (Institute of Internal Auditors, 2004) specifies the roles Internal Auditing should not undertake;
Setting the risk appetite.
Imposing risk management processes.
Management assurance on risks.
Taking decisions on risk responses.
Implementing risk responses on management's behalf.
Accountability for risk management.
The above mentioned roles are those Internal Audit should not take on. These roles, if assumed with regard to ERM, could severely compromise the independence and objectivity requirements as directed by the Professional Standards. These activities are the responsibility of management and internal auditors should actively avoid involvement in them. (Hall, 2007).
In the case of ERM, Internal Audit can provide consulting services so long as it has no role in actually managing risks which is management's responsibility and so long as senior management actively endorses and supports ERM (Institute of Internal Auditors, IIA 2004). The current study investigates the roles played by the Internal audit function and the extent to which prohibited roles are undertaken by the internal audit function.
In 2005, the IIA Research Foundation conducted a global online survey with Internal Auditors regarding their involvement in ERM (Gramling, Meyers, 2005). The survey found that Internal Audit was primarily responsible for ERM in 36 percent of the organisations surveyed. Further, the study also found that some Internal Auditors were engaged in roles that the IIA had recommended as being unsuitable. A recent study conducted by (Fraser and Henry, 2007) in the UK found that Internal Audit can be heavily involved in ERM. This study consisted of interviews with financial directors, audit committee chairs, internal auditors and risk directors of five listed companies, as well as four audit partners from the "Big Four" audit firms.(Fraser and Henry, 2007) also found evidence of Internal Auditors having responsibility for ERM practices, despite both COSO and the IIA position paper stating such responsibility must rest with management. In general, these studies show that Internal Auditors, in some cases, are involved in ERM activities that have been deemed unsuitable by the IIA, thus signalling a high risk for loss of Internal Auditor objectivity. Engaging in consulting activities associated with ERM raises significant threats to objectivity in the forms of self-review, social pressure and familiarity (Zwaan, Stewart and Subramaniam, 2011).
In the case of ERM, Internal Audit can provide consulting services so long as it has no role in actually managing risks and as long as senior management actively endorses and supports ERM (Institute of Internal Auditors, IIA 2004). The Internal Auditor's core role in the ERM is congruence with the assurance activities, while the legitimate role reflects the consulting activities stipulated in the new definition of Internal Auditing (Institute of Internal Auditors, IIA, 2006). The prohibitive role in the ERM implies that there are various roles that may affect the objectivity and independence of the Internal Audit function.
The current study evaluates the effectiveness of internal audit in enhancing Enterprise-wide Risk Management after considering the risk of loss of Internal auditor objectivity due to carrying out of inappropriate duties.
2.3 Risk Based Internal Audit Contribution to ERM Success
A risk-based Internal Audit approach is the latest "best practice" in the evolution of internal auditing, aimed at maximizing the impact of audit by focusing on the major strategic, regulatory, financial and operational risks that confront an organization. This approach targets high risk areas and helps the auditors achieve maximum value for the company from their efforts. It involves challenging existing structures and processes to identify areas for improvement and propose value-adding changes to the organizations (KPMG CORNER, Nery, 2010). There are many opportunities for improvement and Internal Audit can play a key role in being an agent of positive change in an organization.
What is Risk Based Internal Audit (RBIA)?
Risk Based Internal Auditing (RBIA) is defined as a methodology that links Internal Auditing to the organization's overall risk management framework. Risk based Internal Auditing (RBIA) is the methodology which provides assurance that risks are being managed to within the organisation's risk appetite (Griffiths, 2006).
Internal Audit involvement in risk is based on the view that managers are operating in an increasingly complex and global environment and risk is a central element of corporate governance (Matemera, 2008). The emergence of ERM as a key process provides the Internal Audit profession with a unique opportunity to shift focus to business risk. An organisation that understands its risks, understands its opportunities (Griffiths, 2006).
Risk Based Internal Audit seeks to provide independent assurance to the Board of Directors that: The risk management processes which management has put in place within the organization (covering all risk management processes at corporate, divisional, business unit, business process level, etc.) are operating as intended, these risk management processes are of sound design, the responses which management has made to risks which they wish to treat are both adequate and effective in reducing those risks to a level acceptable to the board, and a sound framework of controls is in place to sufficiently mitigate those risks which management wishes to treat. (Ridley, 2008: 116).
In the past, auditors were trained to gain and confirm the understanding of the systems of internal control. Internal control was the path to evaluating the efficiency and effectiveness of management controls. Internal control is now regarded as management's response to business risk, hence the rise of RBIA which starts with the business objectives and then focuses on those risks that have been identified by management that may hinder their achievement. The role of Internal Audit is to assess the extent to which a robust risk management approach is adopted and applied, as planned, by management across the organization to reduce risks to a level that is acceptable to the board (the risk appetite).
While Internal Audit's main contribution is to provide assurance on management's treatment of risk (through governance and control processes) it may also advise management on other aspects of their response to risks such as decisions to terminate, transfer or tolerate risks. The IIA Performance Standard 2110 requires the Internal Audit function to assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
Every company is exposed to risks which makes effective risk management necessary for the progression of a business enterprise as risks cannot be eliminated, but only managed. (AIRMIC, ALARM. IRM , 2002) suggest that the role of the risk management function depends on the size of the organisation.
The risk management function may range from a single risk champion to a part-time risk manager to a full-scale risk management function, which should include setting policy and strategy for risk management, being the primary champion of risk management at strategic and operational level, building a risk-aware culture in the organisation, including appropriate education, establishing internal risk policy and structured business units, designing and reviewing processes for risk management, co-coordinating the various functional activities that provides advice on risk management issues in the organisation, developing risk response processes, including contingency and business continuity programmes, preparing reports on risk for the board and the stakeholders.
The capacity to manage risk, and with it the appetite to take risk and make forward looking choices, are the key elements of energy that drive the economic systems forward (Bernstein, 1996).
Table 2.1 - Internal Audit's change to the risk paradigm
Table 2.1 presents Internal Audit's change to the risk paradigm and compares and contrasts the historical control paradigm to the new risk paradigm..It shows how Internal audit is has evolved towards a risk based approach.
Table2.1 is a comparison of the shift from Internal audit being centred on the controls of the entity to now focusing on the risks on an entity. This table links to the study by showing the shift in Internal audit's characteristics within the new risk paradigm enables it to play a role in ERM.
2.4 The Effects and Benefits of a Robust Enterprise-wide Risk Management
Several years ago, many organizations were focused on mitigating risks, controlling costs, keeping the business out of trouble and protecting the brand. However these businesses soon realised that "There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction." President John F. Kennedy in the 1960s (Institute of Internal Auditors, IIA, 2009) Today, more and more organizations are focused on developing risk management strategies that enable the business to be competitive (Frigo and Anderson, 2011) One such strategy is Enterprise-wide Risk Management which aims to prevent, detect and manage the possibility of something going wrong in an area of business with an impact of the untimely event threatening the enterprise from meeting its business objectives.
2.4.1 Definition of Enterprise-wide Risk Management
There are various definitions of ERM. In 2004, the Committee of Sponsoring Organization of the Treadway Commission (COSO, 2004) released the Enterprise Risk Management Integrated Framework. COSO defines Enterprise Risk Management as a process, affected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The Casualty Actuarial Society (CAS) defines Enterprise Risk Management as disciplines by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purposes of increasing the organization's short- and long-term value to its stakeholders (CAS, 2003).
Another author, Lam (2000) defines Enterprise Risk Management as an integrated framework for managing credit risk, market risk, operational risk, economic capital, and risk transfer in order to maximize firm value while Makomaski (2008) defines Enterprise Risk Management as a decision-making discipline that addresses variation in company goals.
All these definitions have one thing in common, they all emphasize the necessity and value adding role of Enterprise-wide Risk Management in every facet of an organisation. (Cassidy 2005) concurred and found that Enterprise-wide Risk Management existed in planning, organizing, and leading and controlling organizations activities in order to minimize firms' major risks such as financial, strategic and operational risks. One thing all these definitions have in common is ERM is important from all perspectives.
Arthur Andersen (cited by Pickett 2003: 156) argues that there is no one-size- fits-all approach to Enterprise-wide Risk Management (ERM).
In 1999 Deloitte & Touche carried out a survey of significant risks in the private sector, with each risk scored from 1(low level of concern) to 9 (high level of concern) with the following summary results:
Score
Failure to manage major projects 7.05
Failure to strategise 6.67
Failure to innovate 6.32
Poor reputation/brand management 6.30
Lack of employee motivation/poor performance 6.00
The survey (Deloitte & Touche Survey of Significant Risks 1999) revealed that various risks raised concerns across the entire organisation and mitigating these risks effectively was a major concern of management thus making Enterprise Wide Risk Management an imperative tool to employ.
According to KPMG survey in 2006, there are four main reasons why US companies exercise ERM (KPMG International, 2006). These are:
(i) The organization desires to reduce potential financial losses (68 percent);
(ii) The organization desires to improve business performance (64 percent);
(iii) due to the regulatory compliance requirements (58 percent); and
(iv) the organization desires to increase risk accountability (53 percent).
On the other hand, Price Waterhouse Coopers (PricewaterhouseCoopers, 2008) found that firms in Finland are motivated to implement ERM because of the following reasons:
(i) over 96 percent of the users want to adopt good business practice;
(ii) more than 81 percent due to corporate governance pressure;
(iii) 42 percent stated it gives them a competitive advantage; and
(iv) more than 30 percent comes from regulatory pressure and also investment community pressure.
While the studies of these firms merely emphasize the reasons and motivations behind implementing ERM, the Casualty Actuarial Society (CAS, 2003) took a different perspective and reported six factors that not only motivate but actively force organizations to practice
Enterprise Risk Management:
Complicated risks: Beyond the four basic types of risks such as hazard, financial, operational and strategic risk, organizations also faced other risks such as the risks in advance technology, the accelerating pace of business, globalization, increasing financial sophistication. These risks did not occur by themselves and could happen because of a combination of both types of risks (for example combination of globalization factors and advance in technology).
External pressures such as regulators, rating agencies, stock exchanges, institutional investors and corporate governance bodies.
A portfolio point of view which refers to an increasing tendency towards integrating the risks, which were previously managed in silo.
Risks need to be quantified even if it is impossible to quantify all risks. By quantifying risks, management will be able to estimate the magnitude of risk or degree of dependency with other risks efficiently in decision making process.
Boundary-less benchmarking factor. The implementation of risk management now is not only limited to the insurance or financial services, but is now common to other organizations. In addition, rapid changes in technology allow related information on risks to be transferable easily across the organizations.
Risk can be treated as an opportunity. In the past risks that arose were treated defensively so as to minimize or totally avoid them. Now the view is to recognise the value-creating potential of risk. As a result of past experience in mitigating risk, organizations may develop expertise in managing those risks and may be able to transfer their expertise to other organizations. (CAS, 2003)
These surveys illustrate how ERM adoption has spread and continues to spread. In financial institutions (banks, insurance companies, etc.) the need for the Internal Audit activity is expressed over objectives to assure cash flows, liquidity of the institution and safeguarding of the assets while in manufacturing companies the Internal Audit function is related to operational process improvement, supply management analysis or efficient use of assets(Staciokas, Rupšys 2005). Public institutions (local governments, public service companies) will pay attention over effective and efficient use of funds and compliance with regulations; therefore there is a demand mainly for compliance audit in such institutions. (Staciokas, Rupšys 2005).
However, in the last few decades, the incorporation of enterprise risk management into the business environment has grown as a result of many new developments, such as its inclusion in various corporate governance codes world-wide and the fact that it has come to be viewed as one of the cornerstones of sound corporate governance principles (Institute of Directors, IOD, 2009).
In January 2012, Ernst & Young commissioned Forbes Insights to conduct a global survey about the evolving role of Internal Audit. Respondents included Chief Audit Executives (CAEs), C-suite executives and board members representing organizations with global revenues of $500 million or more and spanning 26 industry sectors. In the survey, 75% of respondents believe strong risk management has a positive impact on their long-term earnings performance. An equal number believe that their Internal Audit function has a positive impact on their overall risk management efforts. And yet, 80% of respondents acknowledge that their Internal Audit function has room for improvement. Of these respondents, 70% believe that the improvements should be undertaken within the next 24 months. (Ernst & Young, Insights on business risk, 2012).
In yet another survey on this pertinent topic, a study commissioned by the IIA Research Foundation found that 80% of respondents surveyed from the IIA's Global Auditing Information Network (GAIN) were in some stage of interaction with the Enterprise Risk Management process (Gramling & Meyers 2006). As such it is not surprising that senior leadership and directors for organizations of all sizes, and from across the world are talking about ERM and how to make it work for them.
The difference between ERM and more traditional ways of managing risks is in how the entity centralizes risk management.( Hall, 2007) ERM calls for high-level oversight of the company's entire risk portfolio, rather than having many different individual managers overseeing specific risks in isolation (e.g., the "silo" or "stove pipe" approach) (Banham 2004). This new-found interest in abandoning traditional risk management and embracing an Enterprise-wide Risk Management approach has naturally led to several questions regarding who are supposed to be the architects, implementers, managers and overseers of the entire process. (Hall, 2007).
Table 2.2 presents a comparison between Traditional risk management and Enterprise wide risk management.
Table 2.2: Comparison between Traditional Risk Management and ERM
Traditional Risk Management vs. ERM: Essential Differences
Risk as individual hazards
Risk in the context of business strategy
Risk identification and assessment
Risk Portfolio development
Focus on discrete risks
Focus on critical risks
Risk mitigation
Risk Optimization
Risk Limits
Risk Strategy
Risk with no owners
Defined risk responsibilities
Haphazard risk qualification
Monitoring and measuring of risks
Risk is not my responsibility
Risk is everyone's responsibility
Source: KPMG LLP
Table 2.2 contrasts characteristics of two types of risk management to clearly show the differences. The current study focuses on the ERM as opposed to the Traditional Risk Management.
The current study considers the above mentioned characteristics and evaluates the extent to which risk management practices within organisations studied can be classified as Enterprise-wide risk management approaches.
To gain a better understanding of the ERM phenomenon, the ERM framework shall now be examined.
2.4.2 Enterprise-wide Risk Management framework
ERM Framework works on the basis that there is a direct relationship between objectives, which are what an entity strives to achieve, and enterprise risk management components, which represent what is needed to achieve them. The relationship is depicted in a three-dimensional matrix, in the form of a cube. The four objectives categories - strategic, operations, reporting, and compliance - are represented by the vertical columns, the eight components by horizontal rows, and an entity's units by the third dimension. This illustration portrays the ability to focus on the entirety of an entity's enterprise risk management, or by objectives category, component, entity unit, or any subset thereof. (COSO 2004). Figure 2.1 presents the ERM Framework cube.
Figure 2.1: COSO ERM Framework
Source: COSO website
Figure 2.1 is a 3 dimensional cube representing the ERM framework and depicts the direct relationship between objectives and enterprise risk management components used to achieve these objectives. The vertical columns represent four objectives categories -compliance, operations strategic and reporting. The horizontal rows represent eight components of COSO's ERM framework. Finally, an entity's units are shown in the third dimension of the cube. This cube portrays how by looking at the objectives category, component and entity unit, there can be a focus on the entirety of an entity's enterprise risk management. (COSO, 2004). The components form criteria for effective Enterprise-wide risk management.
Determining whether an entity's enterprise risk management is "effective" is a judgment resulting from an assessment of whether the eight components are present and functioning effectively. (COSO 2004). In this study the Internal audit function should have access to all information depicted on the cube to enable meaningful contributions that enhance ERM to be made through the roles played by Internal audit.
Under ERM, organizations view risk as something that can be planned for, oftentimes quantified, managed strategically, and ultimately leveraged against competitors. Others believe the Internal Audit function plays a vital role in overseeing all eight components of the ERM Framework, given Internal Audit's natural focus on risks and controls. Thus, there is no precise method or "silver bullet" for the role of Internal Audit in ERM (Walker et al., 2002). In fact, the controversy led The Institute of Internal Auditors in the United Kingdom and Ireland to issue a position statement addressing specific ways Internal Audit should and should not be involved in ERM to maintain its objectivity and independence.
The COSO ERM framework calls on the Internal Audit function to assist management and the board of directors or audit committee by examining, evaluating, reporting on and recommending improvements to the adequacy and effectiveness of the entity's enterprise risk management (COSO 2004). Some argue that enterprise risk management should be managed by traditional risk overseers from management disciplines such as finance or insurance, and that the role of the Internal Audit function in ERM should be limited to the last component in COSO's ERM framework, which is monitoring. (Beasly, 2006) Management needs enterprise risk management process evaluation, monitoring services and recommendations of its improvement. Internal Audit functions may be used in order to satisfy these needs. (Staciokas and Rupšys, 2005).
The COSO ERM framework is relevant to the current study as it assisted the researcher to draw a link between what is expected of Internal auditors theoretically and what is delivered practically in the drive towards enhancing ERM.
A successful enterprise risk management initiative should be proportionate to the level of risk in the organization, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances (Institute of Internal Auditors, 2004).The focus of enterprise risk management is on the assessment of the identified significant risks and the implementation of suitable risk responses to those assessed significant risks. (Institute of Internal Auditors, 2008).
The Committee of Sponsoring Organisations of the Treadway Commission (COSO 2004) emphasises that Enterprise-wide Risk Management is not an end in itself, but rather an important means. It cannot and does not operate in isolation in an entity, but rather is an enabler of the management process towards enhancing performance in a sustainable way by articulating risk from a holistic approach by managing the risks that affect all units of the organisation.
2.4.3 Benefits of Enterprise-wide Risk Management
The usefulness of ERM has actually been debated and often questioned by scholars and practitioners. Enterprise risk management helps an entity achieve its performance and profitability targets, and prevent loss of resources. It helps ensure effective reporting and it helps ensure that the entity complies with laws and regulations, avoiding damage to its reputation and other consequences. ERM is not concerned with how well your organization managed risk in the past. It is concerned with how effectively you can manage risks going forward (Institute of Internal Auditors, 2006).In sum, it helps an entity get to where it wants to go and avoid pitfalls and surprises along the way. (Institute of Internal Auditors, 2008).
ERM proponents argue that this approach benefits firms (Liebenberg, 2003). It promotes increased risk management awareness which may be translated into better operational and strategic decision-making (Kleffner, Lee, and McGannon, 2003) However, some authors are sceptical about the real impact of ERM and have pointed out companies where ERM is mainly adopted as a compliance exercise; (Collier, Berry and Burke 2007) or as an 'after-the-fact inspection'. (Bowling and Rieger 2005). (Fraser and Henry 2007) have highlighted how the principle at the basis of ERM, the identification of all the risks facing an organisation, can induce organisations just to create bureaucratic trails to prove the quality of processes, making the production of evidence 'more important than managing real risks.'
Research done by (Ernst & Young, 2012) showed that top-performing companies have the following risk management practices in place:
Two-way open communications about risk occur with external stakeholders.
Communication is transparent and timely, providing stakeholders with the relevant information that conveys the decisions and values of the organization.
The board or management committee plays a leading role in defining risk management objectives.
A common risk framework has been adopted and implemented across the organization.
The implementation of ERM has already been documented to improve firm performance (Hoyt et al., 2006). However, one of the successful factors for implementing ERM is to consider broadly the overall risks arising from business environment (Bowling and Rieger, 2005). The current study examines the effect of ERM on an entity and investigates if it is in line with the effects suggested by literature.
2.5 Incorporating and embedding Enterprise-wide Risk Management into an entity
The current study evaluates whether incorporating and embedding Enterprise-wide Risk Management into an enterprise's plans and business strategy is the appropriate mechanism to assist management in successfully executing their management duties.
According to the research by (Ernst & Young Global Advisory risk service line in 2012) , risk is inherent in every business, but organizations that embed risk management practices into business planning and performance management are more likely to achieve strategic and operational objectives. Top-performing companies understand that risk needs to be embedded as part of an "organization's DNA".
Research and study results show that top-performing companies have the following risk management practices in place:
There is a formal method for defining acceptable risk thresholds within the organization.
Stress tests are used to validate risk tolerances.
Leadership has put in place an effective risk management program.
Planning and risk reporting cycles are coordinated so that current information about risk issues is incorporated into.
2.5.1 The value of effective enterprise risk management in turning risks into results
Mature enterprise risk management drives financial results "Our point of view according to our research is that companies with more mature integrated risk management practices outperform their peers financially. Our client experience, research and study results strengthen that perspective" (Randall Miller Global Advisory Risk Leader, 2012). In the current study the researcher looks at the value that ERM is perceived to have within an entity.
2.5.2 ERM focuses on the three core interrelated areas that enhance competitiveness.
Organizations achieve results from risk in three interrelated ways. Some companies focus on mitigating overall enterprise risk, while others focus on efficiency, reducing the overall cost of controls. Still others look to create value, often through a combination of risk mitigation and cost reduction. (Ernst & Young Advisory 2012.)
Figure 2.2: ERM three core competitive edge enhancing areas
Source: Ernst & Young, 2012
Risk mitigation
In a worst-case scenario, an organization's risks can proliferate at a far faster rate than its ability to provide coverage. Organizations need to have the ability to identify and address key risk areas and the agility to quickly close the gaps through:
Identifying and understanding the "risks that matter"
Differentially investing in the risks that are "mission critical" to the organization
Effectively assessing risks across the business and driving accountability and ownership
Demonstrating the effectiveness of risk management to investors, analysts and regulators.
Cost reduction
For many organizations, finding cost efficiencies in every facet of the organization continues to be critical to survival in this volatile economic environment. Opportunities for cost reduction may include:
Implementing a new risk operating model to materially improve the cost structure
Reducing cost of control spend through improved use of automated controls
Streamlining or eliminating duplicative risk activities
Improving process efficiency through automated centres, business activities and continuous monitoring
Value creation
Many organizations are looking for ways where risk and control management can help improve business performance. Opportunities may include:
Achieving superior returns from risk investments
Accepting and owning the right risks to achieve competitive advantage
Improving controls around key processes
Using analytics to optimize the risk portfolio and improve decision-making
Using risk management savings to fund strategic corporate initiative
2.5.2 ERM differentiates top performers
According to the study that was done by (Ernst &Young Advisory Global 2012) they found that while most organizations perform the basic elements of risk management, the top performers do more. The study found specific risk practices that were consistently present in the top performers (i.e., top 20% based on risk maturity) that were not present in the bottom 20%. These risk practices can be organized into the following challenge areas of Enhance risk strategy Embed risk management, Improve controls and processes, Optimize risk management functions, Enable risk management and Communicate risk coverage. The Ernst & Young study findings suggest that these components are critical to transforming risk and driving better business performance for enhancing success and corporate viability. These challenge areas are depicted in the chart in Figure 2.3 below.
Figure 2.3: The Risk Agenda
Source: The Ernst & Young, Advisory Database 2012
Figure 2.3 illustrates how in the Ernst and Young study, companies that succeed in turning risk into results create competitive advantage through more efficient deployment of scarce resources, better decision-making and reduced exposure to negative events by focusing on the challenge areas depicted in the chart.
2.6 Empirical Review
This empirical review examines prior researches done related to Enterprise-wide Risk Management and Internal Audit and seeks to establish whether they can be linked to the current study. The studies of Gramling and Myers and Zwaan, Stewart & Subramaniam were linked to the current study so as to establish if there is involvement in any inappropriate activities by Internal audit in ERM within the context of this research. The studies are discussed below:
Gramling and Myers (2006)
A survey of a sample of 361 global Internal Auditors was carried out. The study examined the extent to which Internal Audit functions adhere to the ERM roles recommended by the IIA. Survey found Internal Audit's role in core ERM roles could be extended as it is less than preferred. The study also found that Internal Audit's involvement in inappropriate activities is greater than it should be.
Zwaan, Stewart & Subramaniam (2011)
The study investigated the use of ERM and the role of Internal Audit in ERM in Australian private and public sector entities. It also examined the impact of Internal Auditors' involvement in enterprise risk management (ERM) on perceptions of their willingness to report a breakdown in risk procedures.117 Certified Internal Auditors participated in the study and the study found that the majority of organisations had recently adopted ERM. It was observed that Internal Auditors were involved in ERM assurance activities but some also engaged in activities that could compromise objectivity. The findings reinforce the need for organisations to adhere to the recommendations of the Institute of Internal Auditors and to ensure that Internal Auditors participated in Risk Management but did not play an inappropriate role in ERM.
Fraser and Henry (2007)
This study was conducted by way of Interviews of a sample size of 5 UK listed companies and 'big four' audit firms. The study examined the mechanisms for the identification and management of critical risks and also identified what the role of Internal Audit should be in risk management. Fraser and Henry found that Internal Audit did have a role to play in risk management. However, due to expertise and independence issues it was recommended a separate risk function should be set up.
Manab, Hussin & Kassim (2010)
This research examined the Internal Audit roles and functions in ERM practices of Public Listed Companies (PLCs) in service sector. The findings showed that 85.7 percent of EWRM programs in financial companies were under the direct supervision of a risk management department as compared to only 34.1 percent in non-financial companies. This result was quite surprising, as more than half (51.3 percent) of the ERM programs in non-financial companies were actually under the supervision of an Internal Audit department. However, only 47.2 percent of the companies were found to have their own Internal Audit, while 52.6 percent reported that they outsourced their audit activities. Quite interestingly, the overall result from a case study analysis found that the Internal Auditor plays a dual function, as an Internal Auditor and also as a risk manager.
The studies of Fraser and Henry and Manab, Hussin & Kassim investigated the role played by the internal auditor in ERM. The current study used these findings as a starting point into investigating the roles of Internal audit in enhancing ERM in a Zimbabwean context.
2.7 Gap between Past Researches and Current Study
While there are limited number of researches concerning the involvement of the Internal Auditors in the ERM such as those of (Gramling and Myers, 2006), (KPMG, 2009), and (Sarens and Beelde 2006), none of these studies investigated the extent to which the Internal Auditors' roles in the ERM affected the ERM implementation. This present study aims to bridge the gap in the literature by investigating whether the Internal Audit effectiveness could influence the ERM implementation by considering the Internal Auditors' roles in the ERM as stipulated in the Position Paper.
Past researches have attempted to address the roles and impact of ERM on an enterprise however none of the above mentioned past researches have looked into the roles of Internal Audit and Enterprise-wide Risk Management from a Less- Economically developed nation's perspective. This study will have a focus on the Zimbabwean context which encompasses different risks encountered by Less- Economically developed nations as opposed to More Economically developed nations. Zimbabwe is a special scenario for this study having emerged from a history making and record breaking period of Hyper-inflation and then entering an era of Dollarization. This study aims to bring to the fore the different facets that the Internal Audit function steps into within the Risk fraught business environment in Zimbabwe with Enterprises attempting to implement robust Enterprise-wide Risk Management frameworks.
2.8 Conclusion
This chapter focuses on what Enterprise-wide Risk Management is and aims to achieve as well as discusses the role and responsibilities of Internal Auditing and the value that Internal Auditing adds to the vital concept of enterprise wide risk management. The chapter reviewed the literature by previous authors and experiment results attained on Internal Audit Enterprise-wide Risk Management. The literature review was linked to the current study and the gap to date was identified.
