25 Sep

Bridge the Gap Between Internal Audit & Enterprise Risk Management – Begin With the End in Mind (PART 2)

Author’s Note: This series will help you build an ERM system that will bridge the gap between Internal Audit (IA) and Enterprise Risk Management (ERM).


Begin with the End in Mind

Our goal with an ERM system is to be able to track the health of the company by linking processes, controls, and risks to business drivers. Ultimately, this provides a quantitative measurement of enterprise risk and alignment to key business drivers. In addition, if a business driver is struggling, it provides a methodology to perform root cause analysis. As we move through this series, it is important that we have a baseline, so here’s an example of what this might look like:

Health Indication Bar:

For our ERM system we use a visual representation of process health. The health indication shows management at a glance whether the business is functioning as expected and where opportunities for improvement exist. We’ll get into how these health bars are created soon.

Risk Legend

Linking Processes to Business Drivers:

The most important concept is that all business activities link to drivers of business success (business drivers). The success of any given business driver (of which there are many) depends on the success of underlying processes. Or, said another way, failure of a business is due to failure of business processes.

In this example we take “Access to Capital From Investors” as one business driver and examine the impact of information technology controls. In a real ERM system the Company would perform this same process for all business drivers and across all business processes.

Created by Christian Hyatt.


Link Gaps to Actionable Items

In our example, let’s assume that there are nine (9) IT controls that impact “Access to Capital From Investors”. With this model we should be able to trace the gap in our business driver to specific control/process failures. This level of detail allows management to benchmark business drivers and drill down to the risks and specific processes hindering success. The value is that management can derive actionable items which will have a direct impact on the Company’s strategic initiatives.

ERM Links


This is the ERM concept. In the next post I’ll begin to break down the basics of developing an ERM framework.

Note: This is a complex topic, so my goal here is to keep these posts short and simple. I have helped a number of companies implement ERM systems just like this one and I am the author of this particular methodology. If you have questions, ideas, or need help, shoot me an email.

Part 3 – The basics of an ERM framework (coming soon)

2 thoughts on “Bridge the Gap Between Internal Audit & Enterprise Risk Management – Begin With the End in Mind (PART 2)”

  1. Very good article. I’m looking to create a similar dashboard, however for a public sector organisation where risk appetite by nature is cautious and scope for an ERM approach is limited.

    • Hi Kevin –

      What level of Government (national, local)? If your risk appetite is cautious, just build in higher impacts for process failures with small acceptable risk. Limiting the scope should make it an easier build – so that might be helpful. Let us know if we can help.
