The Top Four Essential Objectives to Auditing ERM


Page 1: The Top Four Essential Objectives to Auditing ERM

2011 Governance, Risk, and Compliance ConferenceAugust 29 – 31, 2011 / Orlando, FL, USA

The Top Four Essential Objectives to Auditing ERM

Stephen E. McBride, CIA

Page 2

Agenda

• Definition of key terms
• Risk management principles & process
• Recent financial events
• Risk governance roles
• Key areas of focus in establishing audit objectives

Page 3

Risk

• The possibility of an event occurring that will have an impact on the achievement of objectives. Measured in terms of likelihood and impact.

Page 4

Risk Management

A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives

Page 5

Why Manage Risk?

• Decrease the cost of financial distress
• Reduce earnings volatility
• Facilitate optimal investments
• Incorporate portfolio theory

Page 6

Enterprise Risk Management

The application of risk management principles to all significant risks facing an organization

Page 7

Risk Governance Roles

• Board of Directors
• Management
• Internal Auditors

Page 8

Financial Events

• Enron
• Washington Mutual Bank
• AIG
• MF Global

Were these events:
– risk management process failures,
– implementation failures, or
– both?

Page 9

Where to Begin

• Failures?
– Financial: Credit, Market, Liquidity
– Operational
– Strategic

• Review models, assumptions, derivatives, strategies, black swan?

• Top 4 objectives

Page 10

1. Business Strategies and Risk Appetite

• Determine approval of risk appetite
• Determine understanding of business model

Page 11

Audit Objectives – Risk Appetite

1. Risk appetite – the entity’s risk appetite defines acceptable and undesirable risks.

2. Parameters for risk:
   1. Strategic – new products or initiatives
   2. Financial – maximum acceptable loss or performance variations
   3. Operating – capacity management, quality targets, environmental requirements.

Page 12

2. Internal Environment

• The Board is active and possesses an appropriate degree of expertise
• Chief Risk Officer communication
• Management risk council reporting to the Board
• Management’s risk appetite is aligned throughout the organization

Page 13

Ethics

• Determine methods for ensuring the Code of Conduct is communicated and complied with across the organization
• Ensure results are properly communicated
• Determine whether executives comply with discretionary expenditure policies

Page 14

Follow the Money

• Determine how management is rewarded for performance

Page 15

3. Event Identification

• Management identifies potential events
• Techniques are used to look at both the past and the future
• Event identification is robust
• Management understands how events relate to one another

Page 16

4. Control Activities

• Management identifies the control activities needed to ensure risk responses are carried out properly
• Policies are implemented consistently
• Conditions are investigated and appropriate corrective action taken
• General and application controls are implemented

Page 17

Volume of Exceptions

• Determine the volume of policy or internal control exceptions

• Determine steps taken for corrective action

Page 18

Conclusion

• Determining the control framework and management practices in these areas will help determine risk culture

• Risk culture is the primary indicator of an organization’s risk management oversight and its likelihood of continued long-term success