Some corporates are positioning ERM teams to sit under internal audit or corporate strategy.
Many enterprise risk management teams are at an inflection point as they aim to become strategic partners to the business. Some corporates are finding that ERM can add more value to the business by sitting within functions like corporate strategy or internal audit.
- At a recent meeting of NeuGroup for Enterprise Risk Management, two members who recently experienced a shift in reporting—one to internal audit and the other to corporate strategy—compared their approaches and the impact on their ability to add value.
The case for strategy. Last year, the head of corporate strategy at one member company assumed responsibility for the company’s ERM team due to a push from the CFO to make the function more strategic.
- The strategy leader had no previous experience in risk management but was tasked to bring his broader view to a function that had up to this point been entirely tactical.
- He now sorts all risks into three buckets: enterprise-level risks, audits and compliance, with audit as an independent function and compliance sitting within the legal department. This frees up time for the ERM team to “take on a few select enterprise strategic issues that cannot be adequately managed by other functions.”
- Though the new structure is still in its first stages, the ERM team has kick-started comprehensive sustainability risk tracking, including short-term reputational risks and long-term economic impacts.
- There were two big reasons for the move, he said: “Number one: relevance. Is the function helping with managing risks that are relevant to today’s environment in today’s world?
- “The second, I call outcome orientation,” he said. “You had functions for a long time focused more on process without thinking holistically about the outcomes and the value derived from the process.”
The case for audit. One member who recently conducted a study of peers found that 40% of audit teams own their companies’ ERM programs, and most members at the meeting shared that they report to internal audit.
- NeuGroup’s managing director of research and insight Nilly Essaides said that while moving ERM to reside within internal audit could lead to an overly compliance-related focus, it all depends on whether IA has expanded to a broader risk perspective. “However, there is the risk that in some circumstances, IA is not a truly strategic partner and will therefore change the approach of ERM,” she said.
- One member who heads her company’s audit team took on enterprise risk management when the chief accounting officer, who also headed the ERM team, left the company. It was more of a tactical decision at the start but led to a value-adding supervisory role.
- “They thought IA was a perfect fit, since we have a large view of the company’s risk: strategic, financial, operational, etc.,” the member said.
- “What I’ve now done with the process is we facilitate it, but our executive leadership team owns the risks. So they have to present those risks and mitigation plans to our audit committee.
- “I’ve moved the activity to be owned more by the business, so they’re accountable for those risks.”
Other options, dotted lines. Others at the meeting have also recently relocated their companies’ risk management teams, some into more complex structures.
- One ERM head now reports to the chief risk officer at the company, who has helped her think more strategically about how risk management ties into the company’s global operations. She now has quarterly calls with risk leaders for each team within the company, and said the “open dialogue allows us to challenge each other.”
- Another company’s ERM function is housed within finance, but has a “dotted line” to the head of compliance.
- “I thought [ERM] should be directly under me, but this setup is actually better,” the company’s compliance head said. “From a personnel perspective, it’s hard to ask 20-25 non-lawyer finance types to be in legal, and we’ve also now been able to straddle the major functions of what an ERM team is ‘supposed’ to do.
- “On compliance matters, [ERM] works at my direction, but they also have a lot of involvement in dealing with financial risks and operational risks, which would be more under the CFO; so they have a foot in both worlds. Though a dotted line is always a little bit of extra work, I’ve been really happy with the coverage.”
- One member agreed that having a dotted line connecting ERM to multiple functions can be very beneficial. At his company, ERM sits in internal audit, but has a dotted line to financial strategy and the CFO.
- “It’s been a fantastic complement,” he said. “We also work closely with our compliance office under the legal team, and it’s a great relationship. We do a lot of partner audits and reporting, and fundamentally, I’ve found it to be a very good pairing.”