Assurance and Advisory Business Services
Business Risk Services

Managing Risk Across the Enterprise
Connecting New Challenges With Opportunities

Overview
Enterprise risk management, or ERM, has been around for more than a decade.
During that time we have witnessed several waves of interest and enthusiasm—
and we currently are in the midst of one of those waves. In response, organizations
from across the globe have issued various ERM frameworks designed to help
companies understand and implement ERM. Some of these have taken the form
of comprehensive ERM frameworks and guidelines, while other ERM elements and
approaches are embedded within governance regulations.
This publication does not seek to detail either these existing frameworks or offer
a new detailed methodology for ERM. Instead, we focus on some practical
approaches that have helped companies achieve early success in improving their
management of risk across the enterprise. Some companies have called it ERM
and have been very successful in developing and launching a formal program.
Other companies have opted for a leaner approach, identifying opportunities to
enhance their overall approach to risk management. Across both approaches,
there exists a common set of key challenges and related opportunities to enjoy
early value. We discuss seven of the most significant success factors here,
together with case studies that provide practical insight to the nature of the
challenges and the strategies used to address them successfully.
Our key emphasis is to help you promote effective, efficient risk management
across the enterprise. Call it ERM if you’d like. Our hope is that you find the
information practical and relatively easy to apply, and that tangible results and
value follow soon thereafter.

1 MANAGING RISK ACROSS THE ENTERPRISE


With everyone talking about ERM . . .

On the face of it, enterprise risk management (ERM) seems to be having a resurgence in popularity. In boardrooms of companies both large and small, spanning industries all over the world, ERM once again is a hot topic of discussion.

Following the “perfect storm” of corporate failures, new and emerging regulations, compliance challenges, active investors, rating agencies, exchange listing standards, D&O underwriters, globalization, and myriad other forces, corporate executives and directors are intrigued by ERM’s potential to “anchor the ship.” Many of these same individuals are being stretched increasingly thin, consumed by compliance and risk oversight responsibilities. Failure could mean liabilities and fines at company and even personal levels. Faced with these challenges, directors and executives may view ERM as a methodology that will provide them with confidence that the company’s risks are known and well managed, and allow them more time to focus on their companies’ growth, strategy, and value creation.

[Chart: 14% Mature ERM program in place; 86% Mature ERM not yet established]

. . . why have so few companies actually adopted it?

Despite executives’ growing interest, a survey* recently conducted by Ernst & Young indicates that only 14% of companies (primarily financial services or other regulated industries) have a “mature” ERM program in place. This data contrasts with the fact that, since many companies are maintaining and building value, most are already managing risk across the enterprise, and doing so quite well.

Why, then, do so few companies feel comfortable stating that they have a mature ERM program in place?

* Source – Emerging Trends in Internal Controls – Fourth Survey, Ernst & Young, September 2005

The path to ERM—
Is it a journey or just a brisk walk?

ERM often is described as a journey, a major initiative, which implies that it’s big and requires significant new infrastructure, investment, change, and time—rare commodities in today’s complex business and regulatory environment. Fortunately, most companies have already made and continue to make very large investments in risk management across the enterprise. The key is to determine the right approach to assessing and enhancing the risk management infrastructure and processes that already exist within the company, and determining the best way to make them more effective and efficient. For some companies, especially within regulated industries, a formal ERM program will be the right approach and may require more time and investment. For others, opportunities for incremental improvement in risk management may still involve some level of increased formalization, but overall, the approach may be considerably more condensed and focused. In either case, a formal definition of ERM and/or a brief articulation of the company’s risk management philosophy can serve as a useful foundation and guide. A formal definition of ERM recently issued by the Committee of Sponsoring Organizations (COSO) states that:

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

[Figure: Ernst & Young’s Leveraged ERM Approach. Horizontal axes: Infrastructure (existing to new) and Approach (academic to practical); vertical axis: Likelihood of ERM Success and Value]

Paradoxically, most companies recognize the elements and activities inherent in that definition as processes they already have in place and perform within the course of business. So why not call them ERM? Some companies may hesitate because their risk assessment, management, and monitoring processes are not on the leading edge of practice and/or employ the latest technology. Others may feel that, although they have many structures and functions in place to manage risk, there is a lack of overall alignment, consistency and efficiency. Indeed, many valuable lessons have been learned recently relative to risk, and approaches have been developed that can be leveraged by all companies—regardless of their perceived path to ERM. Once again, we pose the question, “Is the path to ERM a journey or just a brisk walk?” Much depends on how you define the destination and how you demonstrate the fact that you have arrived.

In response, Ernst & Young encourages a practical approach to ERM that focuses more on leveraging a company’s existing infrastructure over creating a new one. In particular, we begin here by taking a hard look at seven key challenge areas and exploring which responses are best suited to the needs of the company. This approach is more likely to produce early success and value, and help increase the chances for broad acceptance and support for risk-focused initiatives and/or ERM into the future.

Focus on key challenge areas and associated opportunities

From our work with leading companies all over the world we have identified seven common and relatively consistent challenge areas and opportunities related to ERM. These include:

1. Establish a simple, relevant framework—Understandably, no one framework can respond to all risk management challenges faced by companies. As a result, numerous frameworks for internal control, compliance, and ERM have been released in recent years. In some cases, companies have adopted these frameworks in order to comply with regulations. Fortunately, companies now have the opportunity to leverage and refine that foundation, employing aspects of other frameworks and customized approaches to help address their full spectrum of risk in a way that is relevant, practical, and that provides value.

2. Demand a clear, concise view of risk—Executives, directors, and audit committee members in particular are pushing hard, and often unsuccessfully, to receive a concise, palatable view of the company’s key risks, including related management and monitoring activities. Fortunately, an initial solution may be just a simple spreadsheet away.

3. Protect that which matters most—Value is of utmost concern to stakeholders and shareholders. Unfortunately, key drivers of value and associated risks are rarely identified and explicitly considered within risk assessment activities. In response, boards, executives and others are now making explicit efforts to better understand key drivers of value and the risks that may affect them.

4. Avoid enterprise list management—Some companies are suffering through enterprise list management rather than implementing enterprise risk management. This problem is exacerbated by the use of risk assessment criteria and related processes that focus on ranking exhaustive lists of risks, rather than driving action. Leading companies are making subtle changes to their risk assessment, issues tracking, and reporting approaches.

5. Seek to know what you don’t know—No one likes surprises, especially unwelcome ones. In fact, many executives have shared that the risks that “keep them up at night” are the risks that they don’t yet know. Unfortunately, traditional risk assessment approaches may not reveal new and emerging risks. By employing anonymous feedback mechanisms, conducting facilitated workshops, and/or accessing risk knowledge from outside the company, risks can be revealed earlier—and surprises minimized.

6. Conduct risk assessment as an embedded activity—In order to maintain ERM momentum and relevance, consistent risk assessment approaches should be embedded in the company’s strategic, business, and audit planning processes, among others. Fortunately, once embedded, risk awareness, assessment, and monitoring become part of the company’s culture and fabric.

7. Enable internal audit coverage across key risk areas—Many internal audit functions are increasingly focused on financial reporting risk. Although important, this may reduce or eliminate coverage in other key risk areas. In response, audit committees and executives are re-examining the focus, staffing, and charter of internal audit, and investigating options to identify and address the areas where risk coverage may be unacceptably low.

Key Challenges, Effective Strategies

[Figure: a cycle of Strategy, Risk and Process, with Assess, Monitor and Enhance activities around it]

Strategies: Companies deploy multiple strategies—from formulating strategic direction to complying with regulatory changes.

Evolving Risk Profile: Multiple strategies generate risks and a continually evolving risk profile.

Executing Embedded Processes: Companies establish a series of processes to help manage their changing risk profile.

Assess: Risk functions, including internal audit (with management), continually assess the evolving risk profile.

Monitor: Based on the risk assessment, management—supported by risk functions—performs monitoring activities to ensure processes are operating as designed, controls are effective and risks are managed.

Enhance: Management, working with the risk functions, implements identified enhancements.

First, establish context

A key component of any framework should be the business context in which risk management operates. This context should help communicate how ERM fits into the normal business activities of management. It should be simple, clear, and engaging (see example above). Developing and communicating this context will help frame further stages of development and is often the starting point for discussions around selecting or building the detailed framework that will underpin future ERM activities. Without an agreed context for ERM, there are many opportunities for management and other stakeholders to re-challenge the fundamentals of risk management or to be confused about their roles.

Then, develop or adopt a risk framework

A risk framework should offer a robust foundation of reference for companies interested in implementing ERM. As we have discussed, there are a number of risk management, compliance, and ERM frameworks that have been developed over the years, some in response to the corporate crises of recent times. Examples are shown on the next page. However, voluntary adoption of these frameworks, at least in their entirety, has been the exception rather than the rule.



In addition to these broader frameworks, many companies, particularly those companies listed in the U.S.,
have undergone or are undergoing a major review of internal controls over financial reporting driven by the
Sarbanes-Oxley Act of 2002. Fortunately, the infrastructure, technologies, and processes used to support
Sarbanes-Oxley compliance can provide a powerful and leverageable foundation for addressing broader risk
across the organization. Although most companies may ultimately need to customize a framework best suited
to their unique requirements, a number of excellent frameworks are available for reference and may even serve
as a primary foundation. A small sample of these frameworks is described in the table below.
Critical success factors in selecting, building and/or customizing a framework include:

• Focus on areas where early, tangible value is most likely to result
• Relevance and value to participants
• Clear alignment to existing internal control, risk management, and business processes
• Use of clear, consistent, and familiar language in describing and discussing risk

Sample frameworks

Australia-New Zealand Standard 4360 (AS/NZS 4360)
This standard, often recognized for its straightforward and clear approach, presents a generic framework for establishing the context, and identifying, analyzing, evaluating, treating, monitoring and communicating risk.
http://www.standards.com.au

Committee of Sponsoring Organizations (COSO) Enterprise Risk Management (ERM) – Integrated Framework
COSO’s Internal Control – Integrated Framework has been adopted by many companies in support of their regulatory compliance initiatives, including implementation of Section 404 of the Sarbanes-Oxley Act of 2002. The COSO ERM framework, although not designed to replace the existing Internal Control framework, does provide a more extensive foundation for addressing risk across the enterprise. The framework also is supported by separate implementation guidance.
http://www.coso.org

The Federation of European Risk Management Associations (FERMA) Risk Management Standard
The Risk Management Standard sets out a strategic process, starting with an organization’s overall objectives and aspirations, through to the identification, evaluation and mitigation of risk, and finally the transfer of some of that risk to an insurer.
http://www.ferma-asso.org/

Open Compliance and Ethics Group (OCEG) Framework
The OCEG Framework comprises two broad components: the Foundation and the Domains. The Foundation embodies key elements common to all types of compliance and ethics programs. The Domains provide guidelines that are specific to a particular topic, industry, function, geographic location, or size/structure of an organization.
http://www.oceg.org/

Demand a clear, concise view of risk

For all the talk of ERM and its myriad related assessment approaches, frameworks, and other potential considerations, directors and executives alike share one common and pervasive desire—to benefit from a risk summary report that describes key risks, how they are being managed and monitored, key issues and accountability. In fact, a simple key risk summary report is perhaps the single most important monitoring output within an effective, entity-wide approach to ERM. Imagine having everyone on the same page from a risk perspective!

A key risk summary report can help directors understand, in a palatable and action-oriented form, the key risks facing the company. Executive managers can better track and oversee the status of key risks, and function and line management can better prioritize focus and report the status of key risks and related activities. Fortunately for most companies, producing a preliminary report can be achieved in short order by leveraging existing business planning and risk assessment processes. Given the value and importance of a risk summary report, we provide suggested elements below. These elements can serve as a starting point for audit directors or executives to outline their own desires and requests for a risk summary report for their own companies.

Key Risk Summary Report—Recommended Elements

• Risk Type (e.g., Financial, Operations, Compliance, Strategic)
• Risk Description
• Overall Ratings – Impact, Likelihood, Control Effectiveness
• Key Risk Management Activities
• Monitoring Approach and Results, e.g., Internal Audit, Control Self-Assessment (CSA)
• Gaps/Issues/Actions
• Risk Owner/Accountable Party
• Processes, Initiatives and/or Objectives Affected

Case Study—Risk Reporting and Quarterly Performance


A global logistics provider’s Board was dissatisfied with the company’s ability to effectively identify, monitor, and report the key risks
that could most significantly affect quarterly performance. Among the inadequacies cited was a “silo-ized” approach that was not
aligned with strategic planning, that provided non-quantified, low-value feedback to executive management, and that was not factored
into quarterly forecasts.
To address concerns, company management co-developed a controller-driven, quantified approach that linked risk assessment into
its strategic, business, and internal audit planning processes. By laying a scenario analysis atop the company’s mid-term plan, teams
identified and developed an early warning system approach to risk management, and helped the company pinpoint key risk indicators.
The value of this embedded approach became tangible in the company’s first quarterly risk report, which highlighted top risks, risk
indicators, and, via the new early warning system, “hot topics”—feedback that executive management found effective and valuable for
their assessments related to risk.

Protect that which matters most—Value

For both public and private entities, the risks that matter most are those that, if realized, would have the greatest negative impact on value. Unfortunately, risk assessments for many companies tend to focus only at the process level. Although important, it may be difficult to ascertain if the company’s key business risks are truly addressed through an approach confined to process.

[Figure: Shareholder Value, driven by Future Growth Opportunities and Objectives and by Core Business Operations, each mapped to Key Risks]

For publicly traded companies, risks to shareholder value, in particular, are of primary importance. Identifying these risks, and ensuring they are properly managed within the purview of the board and management and appropriately monitored, is job number one. Share value is often driven by looking at net present value in two key areas—future growth opportunities and core business operations.

The first component, future growth opportunities, represents those strategies and supporting objectives that the company is pursuing, or could pursue, to potentially increase competitive advantage and shareholder value over time. For many companies, these opportunities represent well over half of the company’s overall share value. Risks to realizing these opportunities, as well as the risks within supporting processes and initiatives, are critical but often overlooked in the traditional risk assessment process. This is particularly true of internal audit risk assessments, which tend to focus more on risks and controls at the business process level.

Fortunately, future growth opportunities and supporting actions are routinely described in some detail in most companies’ public reports, as well as in internal planning documents, in the form of explicit strategies, objectives, budget targets, and initiatives. These documents can be valuable in building out a simple framework to guide the risk assessment process. Identify the most significant risks to achieving these objectives and initiatives, mapping each risk to one or more of the affected objectives.

The second component, core business operations, comprises those assets and related processes in the company that generate or support the largest portion of revenue and/or profits. Begin by identifying the key risks inherent in these processes. In addition, processes that are inherently risky, but do not necessarily generate significant revenue or profits, must be considered as well, especially those that place a substantial portion of capital at risk – e.g., trading areas within some companies. By starting with the most important areas, the drivers of value, ERM activities should remain relevant to the business or organization’s goals. And by identifying risks related to both future growth opportunities and core business operations, a truly comprehensive view, focused on that which matters most to stakeholders, can be achieved.

Avoid enterprise list management

An unfortunate output of many ERM initiatives is a long and unwieldy list of risks that focuses little on guiding and driving responsive action. In fact, “enterprise list management” is cited by many as the first stumbling block in implementing ERM and often is the reason most ERM initiatives fail to achieve buy-in from executive management.

[Figure: the Strategy, Risk and Process cycle with its Assess, Monitor and Enhance activities, repeated from the Key Challenges, Effective Strategies page]

One of the contributing factors to enterprise list management is risk assessment criteria that are poorly conceived and applied. In particular, most companies use criteria to assess risk across only two dimensions – impact and likelihood. Although helpful, these criteria alone may fall short of helping focus and drive responsive action to risk. While these criteria may help to analyze and prioritize within a list, they do not focus on actions or response.

By also employing a third criterion—management’s recommended response to the risk—ERM will drive the potential improvement or assurance actions. In fact, the full value of an ERM approach cannot be realized without this focus on driving action.

Broadly speaking, there are two categories of responsive action to any risk that may be selected, and at times, applied in tandem. These include:

• Monitor – If management feels that a risk is effectively and efficiently controlled and that the risk exposure is at an acceptable or tolerable level, then monitoring of related controls and/or risk management approaches may be the best course of action. The question is what type of monitoring? Options can include the use of internal audit, control self-assessment and continuous monitoring of IT-based controls, and more.

• Enhance – If management feels there is room to improve how a risk is managed or controlled or to improve supporting processes, then actions focused on enhancement of these items may be the best course of action. In some cases, management may choose to rate a particular risk as a “priority enhance” area due to the urgency of the need for review and potential remediation or enhancement.

Scatter plots are common outputs of a risk assessment process. What’s different about the plotting below is that it helps guide and focus action. Risks rated at a high impact level and “priority enhance” should be the subject of management’s enhancement priorities. Internal audit should focus where the inherent risk is highest, and management has recommended monitoring as a response.

Finally, for low-level risks recommended for monitoring, control self-assessment (CSA) may prove to be a viable option, especially if the approach is tested by internal audit. This is especially important today as companies begin to investigate CSA as a potential option for embedding and improving efficiencies within their compliance efforts.

[Figure: scatter plot of Impact (Low, Moderate, High) against Recommended Response (Monitor, Enhance, Priority Enhance). Regions: Internal Audit Focus (high impact, Monitor); Management’s Enhancement Priorities (high impact, Priority Enhance); Other Monitoring Approach, e.g., CSA (lower impact, Monitor)]
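The difference between a ranked list and an action-oriented view is easiest to see on a small register. The following Python script is an added example, not code from the original Ernst & Young publication. It applies the two-criteria ranking (impact times likelihood) and then the three-criteria triage from the scatter plot above to the same constructed register. The 1-5 scoring scale, the “high impact” cut-off of 4, the “highest inherent risk” cut-off of 12, and every risk name, score and owner in the register are assumptions chosen for illustration.

```python
"""Risk-register triage with an action-oriented third criterion.

Added example; not part of the original Ernst & Young publication.
Assumptions (not from the text): impact and likelihood are scored on a
1-5 ordinal scale, "high impact" means 4 or 5, and "highest inherent
risk" means impact x likelihood of at least 12. The register below is
constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    """Management's recommended response: the third criterion."""
    MONITOR = "monitor"
    ENHANCE = "enhance"
    PRIORITY_ENHANCE = "priority enhance"


@dataclass(frozen=True)
class Risk:
    name: str
    risk_type: str        # Financial, Operations, Compliance, Strategic
    impact: int           # 1 (low) .. 5 (high); assumed scale
    likelihood: int       # 1 (rare) .. 5 (almost certain); assumed scale
    response: Response
    owner: str            # risk owner / accountable party

    @property
    def inherent(self) -> int:
        """Inherent risk score, before control effectiveness is considered."""
        return self.impact * self.likelihood


HIGH_IMPACT = 4            # assumed threshold on the 1-5 scale
AUDIT_FOCUS_INHERENT = 12  # assumed threshold for "highest inherent risk"

# Constructed register; names, scores and owners are illustrative only.
REGISTER = [
    Risk("Unpatched internet-facing systems", "Operations", 5, 4, Response.MONITOR, "CIO"),
    Risk("Revenue recognition error", "Financial", 4, 2, Response.PRIORITY_ENHANCE, "CFO"),
    Risk("Single-vendor dependency", "Strategic", 3, 3, Response.ENHANCE, "COO"),
    Risk("Expense report fraud", "Financial", 2, 3, Response.MONITOR, "Controller"),
    Risk("Data center power failure", "Operations", 5, 1, Response.MONITOR, "CIO"),
    Risk("Privacy regulation change", "Compliance", 3, 4, Response.PRIORITY_ENHANCE, "General Counsel"),
]


def rank_by_list(risks):
    """Two-criteria view: a list ranked by inherent risk. It orders the
    list but says nothing about who should act, or how."""
    return sorted(risks, key=lambda r: (-r.inherent, r.name))


def triage(risk):
    """Three-criteria view matching the regions of the scatter plot."""
    if risk.response is Response.PRIORITY_ENHANCE and risk.impact >= HIGH_IMPACT:
        return "management enhancement priority"
    if risk.response is Response.MONITOR:
        if risk.inherent >= AUDIT_FOCUS_INHERENT:
            return "internal audit focus"
        return "other monitoring (e.g., CSA)"
    # Enhance, or priority enhance below the high-impact band.
    return "management enhancement"


def key_risk_summary(risks):
    """Report rows built from the summary-report elements the text recommends."""
    return [
        {
            "risk_type": r.risk_type,
            "risk": r.name,
            "impact": r.impact,
            "likelihood": r.likelihood,
            "inherent": r.inherent,
            "response": r.response.value,
            "owner": r.owner,
            "action": triage(r),
        }
        for r in rank_by_list(risks)
    ]


def by_action(risks):
    """Group risk names by the party that should act on them next."""
    groups = {}
    for row in key_risk_summary(risks):
        groups.setdefault(row["action"], []).append(row["risk"])
    return groups


if __name__ == "__main__":
    print("Ranked list (impact x likelihood only):")
    for i, r in enumerate(rank_by_list(REGISTER), 1):
        print(f"  {i}. {r.name} (inherent {r.inherent})")
    print("\nAction-oriented view (third criterion applied):")
    for action, names in by_action(REGISTER).items():
        print(f"  {action}: {', '.join(names)}")
```

On this register the revenue recognition risk sits fourth in the ranked list, yet it is management’s top enhancement priority once the response criterion is applied; conversely the data center power failure carries the highest impact score but, being unlikely and already under control, lands in CSA rather than in internal audit’s focus. That is the page’s point: the two-criteria list tells you how big a risk is, the third criterion tells you who does what about it.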

Case Study—Moving from Compliance to Action and Value


A large, publicly traded Dutch company wanted to do more than just comply with the Tabaksblat Code. It wanted to ensure that responses
to its risk assessment process were as candid as possible and that the assessment of identified risks drove follow-on action. In
support, it employed anonymous input mechanisms, including web-based surveys and workshops supported by electronic voting
technology, to help identify and assess risks.
In addition, management developed a third risk-assessment criterion that focused on rating the effectiveness of related controls. This
criterion, combined with impact and likelihood ratings, helped drive the action planning that management desired and enhanced the
value of the “compliance exercise” overall.

Seek to know what you don’t know

“The risks that keep me up at night are the ones that I don’t yet know” is a common sentiment shared by CEOs and others with primary responsibility for managing and monitoring risk. This is especially true for companies that have recently experienced a surprise risk event, or are in the midst of significant change. In some cases, recent regulatory-driven risk assessments focused on financial reporting may have revealed and addressed previously unknown, yet significant, risks. This has caused many at the top, and in some cases investors, to wonder what new risks a broader risk assessment might reveal. Without a regulatory mandate, however, there may not be resources available to broaden the risk scope while maintaining equal rigor. Fortunately, there are a number of techniques that may broaden the reach, candor, and quality of risk assessment inputs without necessarily straining the budget. These include:

• Surveys – Surveys are an efficient approach for gathering risk input from across a company, and even beyond, to customers and suppliers. They can be executed via email or Web-based technology, allowing results to be readily aggregated, analyzed, and reported. To help increase the focus and relevance of the responses, ask the simple, open-ended question, “What are the top three risks to achieving the goals and objectives set forth by the company?” In order to increase the candor of responses, consider engaging a third party to gather the results anonymously. Finally, consider targeting levels of the organization most likely to have early insights on risk – sales, customer service, and even manufacturing areas can often provide these insights.

• Workshops – Many, if not most, risk assessment workshop participants enter the room without much enthusiasm for the exercise. Fortunately, most leave the room with an entirely different perspective. This is especially true if the workshop is focused on clear and manageable goals, led by a skilled facilitator, and supported by anonymous voting technology. Properly executed, a three- to four-hour workshop can help produce a risk profile that drives appropriate action, accountability, and follow-through. Softer benefits of greater risk awareness and communication are significant as well. Again, these benefits can be achieved efficiently in what is often just an annual process.

• Analytics – Interest in and application of analytical techniques to support risk assessment is increasing. As with any tool, the key to success is an awareness of available techniques and tools, how and when to apply them, and what to do with the results. Thanks to the increasing use and availability of consistent data formats, the historical challenge of simply pulling together data for analysis has reduced. In some cases, the analysis can even be run continuously, with significant variations and exceptions escalated down a prescribed path.

Although these and other techniques are being successfully applied by companies to help reveal new and emerging risks, the process can actually create new challenges and additional risks that also must be considered.

• Discoverability – If a wide net is cast in hope of revealing new risks and trends, and significant new risk issues are revealed and documented, they should be suitably acted upon. If not, there may be legal implications. Consult with your general counsel or outside legal advisor.

• Disclosure – In some cases, risks that may be revealed and documented as part of a broader risk assessment process could require subsequent disclosure. In response, the disclosure committee or equivalent should provide input to and participate in the risk assessment process, as appropriate.

• Experience and Insight – In some cases, it may be difficult to recognize risks that haven’t yet been experienced within the business. In this case, external benchmarks and/or outside assistance from those with risk insights and experience in the industry or risk area can be invaluable.

By anticipating and addressing these and other challenges, companies can develop an efficient and effective risk assessment process that may enable some in the organization to wake up – perhaps a bit more rested.

Conduct risk assessment as an embedded activity

Although it is common for ERM initiatives to be started with a large and comprehensive risk assessment process, the process often stops there due to a lack of resources, interest, and/or perceived value. To avoid this dead-end, risk assessment should be evolved into a consistent, embedded activity within the company’s strategic, business, budget, and audit planning processes, rather than executed as a significant, stand-alone process.

Many of the key building blocks for establishing a consistent, embedded approach have already been discussed. These include:

• A focus on risk to stakeholder/shareholder value
• Consistent, action-oriented risk assessment criteria
• Common reporting elements and style

Incorporating these building blocks into existing planning processes can and should be a relatively straightforward process. In fact, many companies have benefited most by keeping the process simple, and the list of key risks coming out of a particular planning process relatively short. Ideally, this short list of risks also will reference related risk management and monitoring activities, as well as any related issues and actions. These items, in particular, can then be tracked and reported through the use of new and emerging technologies.

Fortunately, risk management and compliance technology platforms have evolved in recent years, largely in response to Sarbanes-Oxley and other regulatory drivers. While these technology platforms can serve as repositories of risk information and provide useful reporting, an increasing trend is toward a more dynamic system that enables management risk and control self-assessment, internal audit monitoring, and active “dashboards” providing real-time interaction on important risks, to be closely integrated. As ERM continues to develop and more companies adopt ERM approaches, these technologies will continue to evolve.

Finally, in order to promote an active risk dialogue between executive and company levels, and to continually foster the consistent application of risk assessment approaches and leverage of the output, companies should consider forming a risk committee. These committees take on various forms ranging from the highly formal to a more casual approach, depending on the needs of the company. Most important, the committee should meet often enough to ensure that key risk issues can be communicated and discussed on a timely basis. For many companies, a quarterly session can suffice.

Case Study—Avoiding Surprises Through Better Coordination


A large European pharmaceutical company faced a number of risk challenges. Legal and regulatory requirements were driving a more robust approach to risk management. At the same time, executive management and the board desired to have a “complete picture” of the key risks facing the company. In response, the company chose to:
„ Inventory the myriad areas involved in risk assessment, management, and monitoring, and the approaches used to achieve these ends
„ Apply a maturity model or continuum of practice approach to help identify current and desired future state
„ Develop plans to help close gaps and monitor progress

Although the approach was quite extensive, the improvements realized in identifying and managing the company’s risks, both within the initial assessment and into the future, made it all an easy pill to swallow.

Enable internal audit coverage across key risk areas
The internal audit function is one of the board’s most powerful mechanisms for understanding the full spectrum of the key risks facing the company, and monitoring the effectiveness of related controls and risk management processes. In addition, it is often the only function with the requisite skill set and mandate to conduct an entity-wide risk assessment.

It may be increasingly difficult, however, for internal audit to conduct a thorough risk assessment, let alone to develop audit plans that are truly risk-based and cover the full spectrum of the company’s most significant risks. Although most internal audit functions would like nothing better than to conduct a comprehensive risk assessment to help support and inform their audit planning process, and to focus their monitoring efforts on the company’s most significant risks and controls, they face many practical challenges, including:
„ Insufficient involvement within, and insight into, the company’s strategic and business planning processes—a key area where risks to supporting future growth opportunities and stakeholder value impacts may be identified
„ Lack of adequate time, skill set, and budget to conduct a robust risk assessment across all locations and risk areas
„ Inadequate resources and skills to cover key risk areas within the company’s changing risk profile
„ Increasing pressure to focus primarily on financial reporting risk

These challenges for internal audit also can create significant challenges for the board and audit committee. In fact, at a time when boards and audit committees are under increasing pressure to oversee risk assessment and management activities across all risk areas, one of their key mechanisms for achieving this end—internal audit—may be stretched increasingly thin and unable to provide the desired level of risk insight and coverage. As a result, management may not be able to enjoy the same level of risk management insights and suggestions they’ve come to expect from internal audit.

To address this challenge, leading companies are taking proactive measures to begin closing the gap. These include:
„ Leverage – Although internal audit may not be able to conduct risk assessments directly across the company, they can serve as proactive developers, facilitators, and beneficiaries of a risk-assessment process owned by, and executed within, existing processes of both management and various corporate functions.
„ Outsourcing and Teaming – In circumstances where internal audit faces either a resource or skill-based challenge, outsourcing to or teaming with a third party can be a compelling option in achieving risk coverage.
„ Rotation and Cross-Training – In order to retain its best resources and to develop future leaders within the company, many internal audit functions are increasing their focus on recruiting resources from within the company’s business areas. In addition, internal audit resources are rotated through various risk areas and responsibilities to help maintain a compelling work environment and to help increase their value if they eventually choose to rotate back into a business management role.

Case Study—Driving a Truly Risk-Based Internal Audit Plan


A large, publicly traded, U.S.-based specialty retailer wanted to ensure that its internal audit plan was truly focused on the company’s key risks. Although the existing planning process did cover areas agreed to be important by both management and internal audit, the board wanted extra rigor applied to ensure that these were indeed the right areas from a risk perspective.

In support, key drivers of value were identified. Next, risks to these value drivers were identified and assessed through surveys, interviews, and workshops conducted across the company. Using the risk assessment as a foundation, a truly risk-based audit plan was developed, along with action plans for addressing opportunities to enhance risk management and performance monitoring processes.



A continuum of risk practices—
A tool for stimulating thought and action
Throughout this document we have referenced the sample continuum of practice below. It is not intended to be an exhaustive diagnostic tool, but rather a prompt for discussion and a means of better identifying areas where current risk practices can and should be evolved further. Simply identify areas of interest on the left, review the practices, and capture key actions that could help your practices evolve from their current state to a higher level.

Columns: Key Risk Elements | Traditional Practice | Evolved/Leveraged Practice | Proposed Action(s)

1) ERM Framework
Traditional Practice:
„ Unfamiliar terminology
„ Overly complex
„ Embraced/driven by specialists
Evolved/Leveraged Practice:
„ Easy to understand
„ Practically applied
„ Embraced/driven by the board and management
Proposed Action(s): „

2) Risk Reporting
Traditional Practice:
„ Inconsistent across processes & functions
„ Overwhelming board capacity to digest
„ Voluminous
„ Updated sporadically
Evolved/Leveraged Practice:
„ Consistent across processes & functions
„ Fully supports board needs
„ Concise
„ Routinely updated
Proposed Action(s): „

3) Focus on Stakeholder/Shareholder Value
Traditional Practice:
„ Focus on “what can go wrong” at the process level
„ Little/no explicit risk linkage to that which drives current and future value
Evolved/Leveraged Practice:
„ Focus on “what can go wrong and what could go more right” at the strategic level
„ Explicit risk linkage to that which drives current and future value
Proposed Action(s): „

4) Risk Assessment Criteria
Traditional Practice:
„ Criteria drive prioritized lists
„ Criteria drive occasional de-emphasis of unlikely but catastrophic risks
Evolved/Leveraged Practice:
„ Criteria direct and drive monitoring and improvement actions
„ Criteria drive focus and accountability
Proposed Action(s): „

5) Seek to Know What You Don’t Know
Traditional Practice:
„ Risk assessments supported primarily by interviews, often producing biased and incomplete risk profiles
„ Little/no use of analytics, external benchmarks, or third-party risk insights
Evolved/Leveraged Practice:
„ New and emerging risks revealed through anonymous risk surveys and/or workshops utilizing anonymous voting technology
„ External benchmarks and third-party risk insights are referenced
„ Analytics applied where appropriate
Proposed Action(s): „

6) Embedded and Aligned
Traditional Practice:
„ Focused approaches to risk assessment conducted in strategic, business, budget, and audit planning “silos”
„ Timing of assessment and planning activities is loosely coordinated, and information inconsistently shared across processes
Evolved/Leveraged Practice:
„ Consistent risk assessment and reporting embedded within strategic, business, and audit planning processes
„ Resource participation, timing, and outputs fully aligned and transparent
„ Business performance monitoring systems incorporate key risk indicators
Proposed Action(s): „

7) Internal Audit
Traditional Practice:
„ Narrow risk focus, e.g., emphasis on financial reporting risk
„ Little/no risk assessment conducted to support planning
„ Plan driven by skill sets
Evolved/Leveraged Practice:
„ Broad risk focus, e.g., Financial, Compliance, Operational, Strategic
„ Planning driven by broad risk assessment
„ Skill sets driven by plan
Proposed Action(s): „

We hope that the approaches outlined here have provided some practical insights and ideas for helping your company achieve more efficient, effective risk management across the enterprise. Call it ERM if you’d like. We hope the benefits speak for themselves. For further information about Enterprise Risk Management, or to discuss other risk challenges and opportunities, please visit us on the web at ey.com, or contact your local Ernst & Young office.

About Ernst & Young
Ernst & Young, a global leader in professional services, is committed to restoring the public’s trust in professional services firms and in the quality of financial reporting. Its 106,000 people in 140 countries pursue the highest levels of integrity, quality, and professionalism in providing a range of sophisticated services centered on our core competencies of auditing, accounting, tax, and transactions. Further information about Ernst & Young and its approach to a variety of business issues can be found at www.ey.com/perspectives. Ernst & Young refers to all the members of the global Ernst & Young organization.

ERNST & YOUNG www.ey.com

© 2005 EYGM Limited
All Rights Reserved.

EYG No. CX0006

This publication has been carefully prepared but it necessarily contains information in summary form and is therefore intended for general guidance only; it is not intended to be a substitute for detailed research or the exercise of professional judgment. Ernst & Young can accept no responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.
