The integration of enterprise risk management and operational risk management roles is bound to lead to more effective risk management.
Based on my experience in the Middle East region, the ERM concept is relatively new and many business owners have difficulties in understanding the role of the ERM function. I recently noted a perceived gap between the “Head of Enterprise Risk Management (ERM)” and the “Operational Risk Manager” roles. In many cases, this leads to a performance expectation gap. In my view, these roles should be integrated to ensure a smooth implementation of ERM.
As part of the implementation of a comprehensive ERM program, a considerable amount of time is required to develop an ERM framework, spread risk awareness, execute entity-wide risk assessments and embed Risk Management in each business unit. This lengthy timeframe can lead to a less responsive and inflexible Risk Management model, given the dynamic nature of businesses and frequent changes in business risks. Bringing a focus onto operational risk management helps achieve quick wins and keeps the risk profile under management attention.
Resilient Risk Management Function
In order to have an effective and resilient Risk Management model, the Risk Management function should work as an operational risk advisor to management by dynamically reviewing business decisions, investments, processes and other risk exposures. In parallel and simultaneously the Risk Management function should also implement a robust ERM program that ensures high level Risk Management assurance and the creation of a risk-aware culture.
While some organizations recruit industry-specialized technical risk managers for operational levels and/or Enterprise Risk Managers to implement the ERM framework, very few organizations have a Risk Management department that combines both the strategic and operational levels of risk management.
Internal Audit vs. ERM
In most cases, an ERM function focuses only on risk identification and prioritization, without being an integral part of the decision making process and actively advising management on dynamic and emerging risks. This can result in Risk Management being perceived and classified by senior management as part of the internal audit function; which can create unnecessary barriers, decreasing the added value of having a Risk Management function.
Based on my experience, the majority of ERM functions in the Middle East (excluding the financial sector) are still working under the umbrella of internal audit departments, reporting directly to a Chief Audit Executive (CAE) and up through to the Audit Committee. This is also the case in the UAE, where a recent study¹ has shown that in 35% of the cases the Chief Audit Executive took the lead role for ERM, compared to 25% for the Chief Risk Officer. This model dilutes the effectiveness of Risk Management activities and further limits Risk Management involvement in the decision-making process.
- The sufficiency of resources to ensure audit coverage of high risk areas and ensuring maximum value from auditing activities;
- The competency of subject matter experts who add value through audit recommendations; and
- The management of outsourced internal audit service providers from a quality and value-adding perspective.
The diagram below illustrates the optimal Risk Management Governance Model in any organization:
Characteristics of Risk Managers
Finding a suitable candidate to lead a Risk Management function that has operational risk and ERM responsibilities is not a simple task. In order to gain Senior Management confidence and to be perceived as a trusted business advisor, an effective Risk Manager should possess deep industry-specific experience, in addition to having ERM program implementation experience, coupled with outstanding communication, presentation and interviewing skills.
The Risk Manager should also accept part of the responsibility that comes with his or her business advisory role, which should, at the same time, form part of his or her key performance indicators.
Risk Management Standards
International Risk Management Standards (e.g. ISO 31000:2009, COSO ERM Framework) focus on having a function which is responsible for the establishment of a robust Risk Management framework that facilitates and coordinates the risk assessment and ensures the promotion of risk awareness within the organization.
Although Risk Management standards emphasize the importance of frequent communication and consultation with stakeholders throughout the implementation of the ERM program, they do not give sufficient attention to the dynamic role of the Risk Manager as an operational risk advisor who adds value to the company through his or her industry knowledge.
The Way Forward
The structure and mandate of the Risk Management function is still under global debate with no clear consensus. On one hand, it is important to emphasize the differentiation between Risk Management and Internal Audit; however, on the other hand, it is also important to focus on merging operational risk and ERM responsibilities under the same umbrella.
Although we should emphasize that Risk Management cannot guarantee mistakes will not happen, I do not agree with the idea that Risk Management should be prevented from making decisions for the organization. This is because it is difficult to justify the existence of another “all cares, no responsibility” function that, in the perception of senior management, has roles similar to those of the internal audit department. If both Internal Audit and Risk Management are seen as independent assurance functions, then it is justifiable for business owners to merge both functions under one department in an effort to cut costs.
My alternative recommended model for a Risk Management function is to evolve and justify its existence through having direct involvement in operations and focusing on its risk advisory role by having subject matter knowledge, which has true value to the organization, in addition to its role as a coordinator and facilitator of a comprehensive ERM program.
1. Risk Management Practices and the Role of Internal Audit: A UAE Perspective on Non-Financial Institutions. UAE Internal Audit Association, 2015.
EHAB R. SAIF, CMA, CIA, CFE is an Internal Audit Manager at a private holding company in Abu Dhabi.