Establishing an IT control environment that is agile and appropriate to an organization is a primary objective of IT Compliance and Controls, a recent book I released based on a global effort. The Institute of Internal Auditors this month in their regular publication, “Internal Auditor”, has a great article, “The Right Fit: Auditing ERM Frameworks” by Alexandra Psca, defining how auditors within an organization can evaluate an in-progress or mature Enterprise Risk Management (ERM) program.
What is refreshing about this article is the author’s ability to communicate the reality that a full ERM program is unlikely to fully exist in every organization, and that the presence of a program may come in different styles and colors. When implementing and managing the enterprise risks of an organization, it is prudent to recognize the following:
- ERM is designed to help the organization maximize risks in the daily course of business, not to be a roadblock. Focus on enhancing the risk environment.
- Organizations have organic controls that are established through natural placement by internal teams, and these work products make up the full control environment. Therefore, be perceptive when forming an ERM program, and diligent in leveraging these already present accomplishments.
- ERM is designed to reflect the organization’s operations and risk; therefore, one size won’t fit all.
For greater analysis I encourage you to pick up a copy of this periodical from your local Internal Audit department. As the concerns of PCI DSS, GLBA, FISMA, FFIEC, and EU Directives highlight these programs’ importance, managers and executives must be sure to manage the growth and adoption of these programs to achieve the enterprise goals.
Alexandra’s article is republished here too.