This week, I wrote about how to audit risk management on my IIA blog. Not everybody, either in comments on the blog or elsewhere on LinkedIn, understood my point.
The risk management program has to be sized and oriented to meet the needs of the organization.
Some organizations need a deeply resourced ERM program, because they face risks of immense proportions every day, adverse events (or opportunities) arise quickly and at a fast clockspeed (i.e., they come at you fast), and the organization needs to react fast. Other organizations have far fewer risks, of far less significance, and can afford a less intense risk management program.
It’s like the contrast between the care and attention you pay to your driving on an empty road and the care and attention when the road is full of fast-moving trucks and motorbikes.
When management decides how large and well-resourced the cash management function should be, it bases that decision on the value the function handles, the risks being managed, and so on. It’s not one-size-fits-all. The same applies to risk management.
My point is that before an auditor assesses the adequacy of ERM, he/she needs to understand the needs of the organization. The auditor should assess whether the risk management program meets those needs. A framework can help, but judgment is needed to assess whether too much or too little is being done.
Do you agree?