NOTICE: The materials in this free Resource Center are the product of over 30 years of development and testing working with organizations of various sizes and industries around the globe. To accelerate adoption of Objective Centric ERM and Internal Audit methods globally we now offer reference aids to public and private sector organizations free of charge, with the exception of any organization whose purpose is to generate revenue from direct or indirect sale of the materials. Contact us today to become an authorized distributor. Permission to reproduce with attribution is granted by Risk Oversight Solutions Inc. (ROS), with the exception noted above. ROS and authorized ROS service providers offer implementation and training support services to organizations that want to implement Objective Centric ERM and Internal Audit. Contact us today to help your organization dramatically increase the efficiency and effectiveness of your ERM and Internal Audit programs.
Objective Centric ERM and Internal Audit – Why should you change your approach?
The simple truth is that traditional risk centric approaches to ERM and point-in-time internal audits have not worked very well, and are not delivering the value stakeholders want and expect. This has been the conclusion of many governance failure post mortems, and is increasingly the conclusion of Boards and C-Suite level executives surveyed.
Objective Centric ERM & Internal Audit has been specifically designed to focus the efforts of top management, work units and assurance groups on an organization’s top value creation and preservation objectives – integrating the efforts of all assurance providers. The central goal is to generate better information on the true state of retained risk to help senior management and the Board balance conflicting objectives and drive long term value creation.
Using end result objectives as a foundation for integrated assurance is a simple step that quickly aligns strategic planning with the efforts of ERM and internal audit groups. Want more value from your ERM and internal audit spending? Objective centric ERM and internal audit is the answer.
Objective Centric ERM & Internal Audit Methodology Library
Risk Oversight Solutions offers the following reference aids to public and private sector organizations free of charge, with the exception of any organization whose purpose is to generate revenue from direct or indirect sale of the materials.
In addition to the free Objective Centric ERM and Internal Audit materials below, email us to receive a complimentary Owner/Sponsor Introductory Step-by-Step Guide to Completing RiskStatusline and the Objective Centric ERM & IA RiskStatusline MSWord Template to complete your assessment. It includes risk assessment methods, risk treatment considerations and more. The template is an easy to fill out form to complete your Objective Centric Risk Assessment. Contact us today for these complimentary documents.
RiskStatusline™ Risk Treatment Principles: Risk Treatment Design Aid and Expanded Trigger Statements
Sample Risk Management Policy based on Objective Centric ERM and Internal Audit (including key roles and responsibilities)
Risk Culture Survey to determine your Implementation Maturity for Objective Centric ERM and Internal Audit
What is Objective Centric ERM & Internal Audit?
- All formal risk assessment work done by the board, senior management, work units, ERM, internal audit, and other specialist risk groups uses a single and common “OBJECTIVES REGISTER” as a foundation. This simple act integrates the work of all assurance providers.
- The OBJECTIVES REGISTER should contain the organization’s top value creation and value preservation objectives. Value creation objectives are objectives key to the long term success of the enterprise that will create enhanced shareholder/stakeholder value. (Example: Increase market share by 20%, Ensure services meet or exceed customer expectations, etc.) Value preservation objectives are objectives which, if not achieved, have significant potential to erode stakeholder value. (Example: Complying with laws, Ensure reliable financial statements, Safeguard confidential information, Ensure continuity of key operations, etc.)
- The C-Suite and board oversee which objectives warrant the additional cost of formal assurance and are included in the OBJECTIVES REGISTER; and participate in the process of assigning OWNER/Sponsors, deciding on the amount of risk assessment rigour warranted for each objective, and deciding which group/person, if any, will provide independent assurance on the risk assessment process and results reported to the C-Suite and board.
- Objectives are assessed using the RiskStatusline™ assessment approach. This approach is aligned with ISO 31000 and COSO ERM 2016. Unlike ISO and COSO ERM, it produces a concise picture of residual risk status for the objective being assessed and then goes on to assess whether the current risk treatment design is “optimized”, that is, the lowest cost possible combination of risk treatments capable of producing an acceptable residual risk status.
- The board and C-Suite receive regular reports on the current state of retained risk linked to top value creation and preservation objectives and details on the current residual risk status to assist them in determining if the current status is, or is not, within the organization’s risk appetite/tolerance.
The Business Case for Change
- This approach, unlike many ERM and IA approaches, recognizes that determination of the right strategic business objectives and knowledgeable acceptance of risk when balancing value creation and preservation objectives are key to long term success.
- Traditional risk centric approaches to ERM that use risk registers as a foundation and spot-in-time internal audit methods that opine on effectiveness of internal control have often not worked very well. This has been the conclusion of many post crisis governance post mortems (for examples see the work of the Financial Stability Board) and is increasingly the conclusion of boards and C-Suite level executives that have been surveyed.
- Responsibility for primary assessment of risks and residual risk status rests directly with the person(s) most directly responsible for the objective – not with staff groups like internal audit and ERM functions. Informal risk management is replaced with more rigorous and insightful risk assessment on key objectives that warrant the cost.
- Unlike traditional assurance approaches like THREE LINES OF DEFENCE, emphasis is on value creation as well as value preservation objectives.
- The focus of assessment work is to evaluate the current retained risk position and assess whether it is, or is not, acceptable to the organization and board of directors.
- The approach focuses on acceptability of residual risk linked to key objectives and whether current risk treatment designs are optimized.
- Objective centric ERM and internal audit meets escalating risk oversight expectations and supports boards that are increasingly being called on to more actively participate in setting and overseeing strategic objectives.
- Book chapter: Tim Leech and Lauren Hanlon, Three Lines of Defense vs Five Lines of Assurance: Elevating the Role of the CEO and Board in Risk Governance (Source: Wiley Handbook of Board Governance, Richard Leblanc editor, Chapter 17, 2016)
- Magazine article: Tim Leech and Lauren Hanlon, Paradigm Paralysis in ERM and Internal Audit (Source: Ethical Boardroom Summer 2016)
- Webinar: Tim Leech, Paradigm Paralysis in ERM and Internal Audit: A Big Risk to Better Governance (Source: Conference Board of Canada webinar December 7, 2016)
- Magazine article: Tim Leech, Reinventing Internal Audit: Recent governance-related developments require the profession to revisit some of its long-held paradigms (Source: Internal Auditor April 2015, Winner of 2016 IIA Outstanding Contributor Award)