I wrote in a previous post (here) about a pragmatic approach to implementing ERM in financial services.
This was partly about recognising the practical implications of the often-made observation that ERM is a journey rather than a destination. The suggestions made included regularly assessing the effectiveness of the ERM system to inform future improvements, and tasking internal audit teams with that assessment, given their independence from the business and risk function.
Someone suggested that I look up the report of a commission established by the UK's Chartered Institute of Internal Auditors to consider the effectiveness of internal audit in financial services (here).
I was pleasantly surprised to read one of the recommendations: “Internal Audit should include within its scope an assessment of the adequacy and effectiveness of the Risk Management …” (page 8 of the report).
It is interesting that while the Chartered Institute of Internal Auditors and I were looking at this from different perspectives – assurance and implementation, respectively – we both ended up with the same conclusion about the importance of assessing how ERM is operating in practice.
Leaving this aside, the report is worth reading to see in practice how risk considerations are affecting other parts of a financial services business. Wearing my economics hat, I particularly liked the Committee’s recognition that mandating the application of 'best practice' would not be appropriate (page 5). Indeed, there is a cost-benefit consideration for each financial services business which should shape how these guidelines are complied with. Requiring best practice simply rules out this cost-benefit consideration, which can be more beneficial in the long term.