Author’s Note: This series will help you build an ERM system that will bridge the gap between Internal Audit (IA) and Enterprise Risk Management (ERM).
In Part 2 of this series I discussed what an ERM Dashboard might look like, but that still leaves out the details when it comes to creating one for yourself. In this post (and going forward) I’d like to to discuss the “how” when it comes to developing an ERM system. But first, we need structure – a framework.
How Do I Build an ERM Framework?
Think of an ERM Framework as the data structure for your ERM system. (You can think of it as your table structure if you’re building a database.) In short, the framework provides a way to think about business processes, risk, business drivers , and how they are all connected.
To develop an ERM Framework like the example below I like to break an ERM System down into component parts. For our example, here are the things I’ve identified:
1 – Business Drivers – Those processes and activities that drive revenue, health and growth. Business drivers will be determined by executive management and the board. From an internal audit perspective, these are a given as provided by executive management.
2 – Business Risk – Business risks are those risks to business drivers. Each business driver will have multiple risks and not all business risks will impact each business driver. (Think many to many relationships in a database). In the example below “Access to capital from investors.” could be impacted by multiple business risks. The internal audit team should work with members of management and ERM to determine business risks and their linkage with business drivers. (Example) In reality, there will likely be dozens of business risks linked to each business driver.
3 – Business Activities & Internal Controls – Internal controls and business processes link to business risk and eventually business drivers. These processes and controls are the activities of conducting business. From an internal audit perspective, these activities will be most directly linked to your audit plans and where audit findings and gaps will be identified. Again, there are probably dozens of controls that link back to each business risk and business driver.
Example: IT Controls, Business Risk, Business Drivers
The power of this framework is the ability to link specfic activities with business drivers. In theory, effectiveness (or lack thereof) of business drivers can be directly traced to specific business activities.
Going forward we will discuss techniques for gathering and organizing data for each ERM Framework component above.
Note: Christian has helped a number of companies implement ERM systems just like this one and is the author of this particular methodology. If you have questions, ideas, or need help shoot him an email.