Risk management is the process of identifying, assessing, and controlling threats to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents, and natural disasters.
Enterprise Risk Management (ERM) has emerged to help identify and assess the institutional risks that could preclude the achievement of goals and objectives within an organization. This framework for evaluating risks lets management grasp opportunities within their reach by taking advantage of favorable conditions in their market or operational environment. In a report by the Poole College of Management at North Carolina State University entitled “2019 The State of Risk Oversight,” survey respondents from organizations that have not yet adopted an ERM approach indicated that they do not consider ERM a priority or that they believe its benefits do not outweigh its costs. In reality, prioritizing ERM can provide an organization with the tools it needs to achieve its objectives:
- Identification of risk at all levels of the organization
- Standardized reporting of risks
- Early detection of potential risk events
- Elimination of redundant processes to improve efficiency
- Reduced effort and cost in meeting regulatory and compliance standards
There is value in collaboration between the ERM and the Internal Audit risk assessment processes. The ERM process provides input to Internal Audit on the areas management considers high risk. In return, Internal Audit objectively assesses the system of internal controls and informs management of the areas where there is opportunity to strengthen that system and increase the efficiency of operations.