ERM and Internal Control: Two peas in a pod
26 October 2016
By Dennis Chesley
I have a colleague who can best be described as a planner. You know the type: he’s always making lists and timetables, setting milestones and thinking about contingencies. I should note that those are great qualities in a risk manager, so I’m really glad to have him on my team.
His wife, a banker, is a planner, too. Now, you might think that putting two planners together in a close relationship is a recipe for conflict, but their dynamic is really complementary; they’re the proverbial two peas in a pod. And, it struck me that their relationship is much like enterprise risk management (ERM) meets internal control.
Sound like a stretch? Bear with me while I give you an example. Tomas and Jan (not their real names) planned a European vacation not too long ago. Tomas took the lead in sketching out an itinerary across southern Europe, starting in Barcelona, roaming through Italy and ending on the Greek isles. He planned out the days, cross-checked current events in all the cities they were thinking about, and made sure they had backup activities in case of rain. He even had a plan in case the security situation in Greece became uncomfortable: they would re-route to Istanbul. It’s not like Jan wasn’t involved. She had a lot of input and helped to shape the timing and some of the locations. But Tomas took the lead and, once agreed, Tomas set off to buy the tickets.
Then Jan took the lead in making sure their trip could come to life. She wrote pack lists and made sure that all of their plans and contingencies could actually happen. This ranged from the mundane details (“If day 6 is walking around the Acropolis rain or shine, then we had better add umbrellas to the pack list”) to the key factors on which their plans would hinge (“It’s pretty unlikely, but let’s set SMS alerts on riots in Greece. And even if visiting Istanbul is only a 5% probability, we might want to have our visas in hand.”)
That’s actually similar to the complementarity between ERM and internal control. Many ERM processes (take risk response, for example) are made more effective by control activities. A risk response might be a certain plan of action. The internal control ensures that the plan has what it needs to take place and also makes sure someone knows when that plan should be enacted. I’ve seen organizational crisis plans collect dust in a drawer, with key leaders unsure when they should declare a situation a “crisis” and key departments unaware of their roles when it came about. Control activities should have been in place to make sure the plan was ready for action. That’s one way that ERM really complements internal control, and you can read more about that here.
Personally, I don’t know how Tomas and Jan travel like that; I like to go with the flow when I’m on vacation. But I get it, and I appreciate how good they are together. I also appreciated that they sent me a postcard from Santorini. I just wonder whether they thought to send it spontaneously, or whether it was one of the action items they set before they left.