The speed and magnitude of change in the world continue to accelerate. Companies that were once leaders in their sector, including Kodak, Blackberry, Sears, and Macy’s, have suffered massive declines in value and sector status. Whole industries, like taxi cabs, travel, and retail, have seen massive business model shifts with the arrival of game-changing players like Uber and Amazon. Most recently, customer feedback from multiple sources is strongly signalling that enterprise risk management (ERM) and internal audit need to radically change their core business models or risk similar fates. Accountants serving as board directors, CEOs, CFOs, controllers, and chief audit executives need to play lead roles driving radical change to better meet the needs of their companies and boards.
The problems with the traditional internal audit business model, a model where well-intentioned auditors assess a small percentage of the total risk universe each year and form subjective opinions on internal control “effectiveness”, continue to grow as the needs of management, boards and other stakeholders escalate exponentially. ERM processes, which are often an annual or semi-annual exercise to update risk registers created as a response to regulatory compliance requirements, are now expected to help boards meet escalating demands for effective board oversight of risk processes, risk culture, and risk appetite and tolerance. Traditional risk-centric, risk-register-based ERM is ill-equipped to provide a robust response to these new expectations.
What’s the Solution?
The natural inclination of people faced with growing evidence that status quo methods and business models need to change radically is to propose slow and incremental changes in hopes that small tweaks will do the job. They won’t. Quantum changes in status quo ERM and internal audit business models and methods, similar to those being driven by Uber and Amazon, are needed.
We believe the solution to growing dissatisfaction with ERM and internal audit products and services is a simple one, but recognize that human resistance to radical change is often daunting. We call the new approach Objective-Centric ERM and Internal Audit.
Unlike traditional approaches to internal audit and ERM, this approach focuses on populating an entity-level Objectives Register with an organization’s top value creation and preservation objectives and assigning an Owner/Sponsor to each objective to report residual risk status upward. The role of ERM specialists is to build and maintain the ERM framework and help Owner/Sponsors assess and report upward to the board. The role of internal audit is to report to senior management and the board on the reliability of the ERM framework and the residual risk status reports provided by Owner/Sponsors. Details on the approach, deficiencies of current approaches to ERM and internal audit, the business case for change, and training/reference aids are beyond the scope of this short article. They are available as free open source resources for end users on our website.
Objective-Centric ERM and Internal Audit Process Overview
Accountants around the world can, and must as true professionals, play leadership roles to drive the changes necessary to meet the assurance needs of key stakeholders and the societies we live in. For organizations willing to challenge the status quo, it is possible to produce far more value from the hundreds of billions of dollars currently being spent globally on traditional ERM and internal audit. Will you help drive change?