Here’s one of those articles that would get my goat if I owned a goat.
It’s the typical rah-rah article about how wonderful ERM is and everyone should be doing it. (I am always a proponent of those.) But the fact that it was published at a site called WebCPA should have tipped me off that I was going to be short one goat by the time I was finished.
After the author quotes the requisite parts from the COSO ERM framework, thus illustrating that she can copy and paste from the COSO ERM framework, she recites a lot of the usual fluff about why ERM is so great. But what really sends my goat running is how she tries to make the point that somehow internal auditors are the “meek who shall inherit the ERM,” so to speak.
Accountants, including internal auditors, have been getting by for years with their control self-assessments and opinions. Thanks to a few financial frauds like Enron and WorldCom, the government passed the Sarbanes-Oxley Act and many internal auditors were kept busy for a while; recently they have IFRS conversions. I am tired of internal auditors trying to make ERM something for internal auditors to do. What’s more, it muddies the water, making it increasingly difficult for ERM practitioners to communicate that risk management is not the same thing as audit.
In the article, the author suggests ERM is the next great thing for internal auditors. She writes: “Organizations will also look to internal auditors to provide some non-traditional roles, including trainer, educator, and coordinator, or facilitator. As trainers or educators, auditors must understand that ERM is a process or methodology in the identification, assessment and management of risks enterprise-wide. This process provides for a structured and disciplined approach to implementing risk management.”
To that I have to say: stick to your knitting (and auditing).
Perhaps try making internal auditors in charge of human resources or IT? Just please, stay away from risk management and leave ERM implementations to the professionals.