Key ingredients of an effective risk management approach include buy-in from senior executives, says Roopa Baboota, CPA, Financial Internal Audit Manager at Google.
The company needs an enterprise risk management process because it’s really about driving investor, stakeholder, and shareholder value, and ultimately that is the number one concern for companies these days.
So, it’s ultimately about gaining insights from all of the different players in your organisation, which is what the enterprise risk management process actually does, and using those insights to actually anticipate risk, or how the company may be impacted by something in the future.
You need buy-in from all layers of the organisation to truly have an effective enterprise risk management programme.
You have the chief risk officer, which is really that person that is aggregating and facilitating the overall ERM process for an organisation, and they are developing a policy that they are proposing to a risk management oversight function to make sure it’s actually in line with the risk appetite of the organisation. And ultimately, the chief risk officer is responsible for liaising within all levels of the organisation as well to make sure that they are really conducting sound risk assessments around the clock. And that risk management oversight function that I mentioned really should be comprised of the C-level suite, really those individuals — the CEO, the CFO, CIO, legal counsel — all really, really important players because they are bringing a plethora of different experiences from each of their backgrounds, and they are ultimately in the best position to comment on how some of these risks are actually affecting the business as a whole. So those are the main functions that I would say are really important in the ERM process.
Now another function that I would like to mention is the internal audit function as well, and the internal audit function, depending on the maturity of the company you are working in, may be charged with a consulting capacity, where they have a natural mindset to link risk and governance together, so they are able to engage with management to actually get them thinking about risk in the right manner and analyse risk the right way and develop a programme, because internal audit has likely already developed their own risk assessment process and developed their audit plan. But another capacity that internal audit can really focus in on is from an assurance perspective as well, and really that’s providing absolute assurance over some of the results maybe that are coming through the ERM process.