Case for an independent CRO

In the corporate governance landscape, Enterprise Risk Management (ERM) and Internal Audit (IA) are being reshaped by the growing complexity of business operations and by a series of external shocks, the so-called polycrisis. While both aim to protect and enhance business value, their functions and approaches are inherently different. Combining the two roles may seem efficient, but it blurs the three lines of defence.

From a governance viewpoint, ownership of ERM sits with the CRO, who reports to the Risk Management Committee (now a statutory committee), while ownership of IA sits with the Chief Internal Auditor, who reports to the Audit Committee.

The Institute of Risk Management (IRM), the world’s leading certifying body for ERM examinations across 140 countries, defines ERM as an integrated and joined-up approach to managing risks across all departments of an organisation (in any sector) and its extended networks. This is usually a CXO-wide effort, as ERM considers geopolitical and country risks, financial and operational risks, technology and cyber risks, environmental and sustainability risks, social and people risks, governance and compliance risks and…