Assuming that there is a credible ERM function/process in place, IA needs to provide assurance that the ERM processes are effective, and they also need to validate that the key controls that management assumes to be working in their RA are in fact effective, but also IA should be able to some extent opine on whether the company-wide RA done by the ERM and management teams are reasonably stated and that they are not aware of any major discrepancies. To your point about continuous, every internal audit according to the COSO framework should be concluding about the adequacy of management’s RA process for the area/function reviewed.
Post by John Fraser on Norman Marks on Governance, Risk Management and Audit
John, stripped of all the jargon and acronyms, the ultimate purpose of whatever ‘ERM’ and ‘IA’ are meant to mean or be, can surely only legitimately be that the organisation makes the best decisions it can. That is because the only way that organisations can pursue their purpose is to make (and implement) decisions to take advantage of opportunities, and the only way it can achieve its purpose is by ensuring that the decisions are the best that can be made. This has always been so (long before anyone uttered the ‘a’ or ‘r’ word) and always will be so (long after the ‘a’ and ‘r’ words disappear from the business lexicon … hopefully, a milestone that is not too far away). And yet decision-making is not the focus of either ERM or IA and never has been.
As Grant Purdy and I say in our recent book ‘Deciding’ (which Norman kindly introduced here in his 25 April blog) organisations will have more success in pursuing their purpose if they consistently make ‘even better’ decisions.
In describing what we contend is a universal method of decision-making (i.e. the method used by all ‘Deciders’ whether they realise it or not) we have attempted to explain how to excel in applying each element of this method as it is this – decision-making skill – that is the only way organisations and their ‘Deciders’ can determine their success.
All those responsible for governance need have confidence about, is how well this method is being applied by the many Deciders across the organisation. In the same way that sales, RoI etc are visible to the governance team (because they bother to look) so too is the quality of decision-making easily discernible especially if those involved in governance and management themselves, excel. Trying to contract-in reassurance, rather than looking themselves, is an easy (but generally unsuccessful) cop out.
Ensuring consistently good decision-making is analogous to manufacturers or service providers achieving the intended levels of performance of their product (i.e. delivering ‘quality’). In the 80’s, those efforts switched from checking the final product and throwing out the duds, to focussing on design and execution of each of the steps of the process through which those products were made (in the understanding that dud products are the outcome of dud processes and good products are the outcome of good processes). So too must the focus of organisation performance monitoring, switch to the quality of decision-making.
So the message is, whether it is the board and management (or the cop-out of using a hired gun – however they may be described) just look at the people who are making the decisions and their decision-making skills. As we say in ‘Deciding’, it is a tricky business being a Decider so helping them individually and institutionally to make decisions is where the effort should go. Not in irrelevant ‘r’ and ‘a’ stuff with the associated focus on failure and checking for duds at the end of the decision production line.