Robert Torok
Robert Torok

If Internal Controls Are B&W, ERM Is Grey

Here's why.

April 7, 2011
by Robert Torok, CA

"Will this action drive profits?" "Will this action reduce our market share?" Organizations make these types of business decisions regularly with no certainty of their outcome. Every decision has many variables to evaluate, including the anticipation of potential responses by other organizations, and eventually even the wisest and most careful of business leaders must make a choice and accept the consequences.

Enterprise Risk Management (ERM) is the oversight, insight and guidance to help an organization make these difficult business decisions (as opposed to legal, ethical or procedural decisions), while minimizing risk. And here "risk" means generating a positive business outcome and avoiding negative ones. ERM guides the behavior and thought process of decision-makers, but doesn't apply an iron-clad rule set to the decision-making process. Such a rule set would be impossible to contrive or apply in most business situations.

Reader Note: Don’t miss Robert Torok’s presentation at the upcoming AICPA National CFO Conference, May 19-20  in Boston.

Unfortunately, many executives confuse ERM with other risk management functions that seek to apply rules to business actions, most notably governance, risk and compliance (GRC).

Example: In the late summer of 2008, after analyzing historic price trends and future predictions, a major airline hedged a substantial portion of its expected 2009 fuel purchases by locking in a large quantity at a fixed price. In that same year, oil prices spiked severely so this seemed a reasonable idea and was lauded by the media at the time. Within a fiscal quarter, this hedge turned into a disaster, requiring a write-down of tens of millions of dollars as oil and fuel prices plummeted. Was this risk foreseeable? Of course it was. But at the time of the decision, the airline had a choice to make. The risk decision was a judgment call and could just as easily have turned out well as it turned out poorly.

There was no compliance rule in which the decision-maker could have checked yes or no, making an absolute statement that the decision was the correct one. There were no hard rules that could inform this decision, merely the exercise of judgment and experience to a very grey situation.

On the other hand, internal controls are a relatively black and white matter: they attest that something is correct at a point in time, and almost by definition exist at the transaction level. Many controls are built into business processes and are used to examine individual transactions for accuracy and adherence to specific rule-sets. Common examples include invoice controls, expense report rules, product quality policies and financial statement reporting and disclosure requirements. In each of these cases, the decision-maker must state that the item in question conforms (or not) to a stipulated rule-set.

Governance and Internal Controls

Governance refers to the processes, systems and cultures by which an enterprise is managed. In some respects, it may be viewed through the chain of command that exists in virtually all organizations of any size. Governance does not, and cannot, address the question of whether a specific transaction is correct, nor whether a business decision is the right or most optimal one. But governance does lead us to ask first whether the process by which the decision was made is morally, ethically, and legally appropriate, and second whether it was made in accordance with the established policies and practices of the organization. Examples include the policies related to the employment of relatives or truth in advertising.

At the time a decision is made, neither Internal Controls nor Governance inform a business decision-maker whether it is in fact the right one. No executive can attest, for example, that an HR policy is the right one, and that a particular supplier is better than another or that a facility location selection represents the best alternative. While each of these may appear to be the best choice at that point in time, circumstances and exogenous factors might make a 'good' decision appear terrible six months or six years later, or even 20 years on in some industries.

The distinction between these types of activities is clear, but executives still confuse terms when defining ERM. A 2009 Ernst & Young survey (The Future of Risk: Protecting and Enabling Performance) asked several hundred global executives: "What risk functions exist within your organization?" and provided nine choices: "Compliance/Regulatory," "Internal Audit, Internal Control," and "Enterprise Risk Management." Of these choices, perhaps the most confusing to some were the inclusive relationships between ERM and other functions. The same survey revealed that having many risk functions creates overlap and confusion and imposes a cost burden on most organizations, in part by creating a silo-based approach to managing risk with each silo reporting separately to executive leadership.

There is a clear solution to this dilemma, as proposed by a recent article:

"Directors should instead, through their risk oversight role, satisfy themselves that the risk management processes designed and implemented by executives and risk managers are adapted to the board's corporate strategy and are functioning as directed, and that necessary steps are taken to foster a culture of risk-adjusted decision-making throughout the organization. ... The board can send a message to the company's management and employees that corporate risk management is not an impediment to the conduct of business nor a mere supplement to a firm's overall compliance program but is instead an integral component of the firm's corporate strategy, culture and value generation process." (Risk Management and the Board of Directors; Wachtell, Lipton, Rosen & Katz; November 2008)

This statement exemplifies the nature of a Board's and executive management's responsibilities for risk management. The "culture of risk-adjusted decision-making" is an integral part of every firm's strategy to generate business value.

Consider these specific risk functions in context to ERM:

  • Compliance/Regulatory. This group is concerned with adherence to external requirements, and therefore should take a 'binary' compliance approach, i.e., non-adherence is not an option and the enterprise should be in a position to categorically state that it is in compliance.
  • Internal Audit (IA).This group ensures that all transactions and accounting decisions meet enterprise and externally mandated standards. The group does not undertake operational audits but focuses on compliance and control.
  • Internal Control (IC).This team focuses on the internal policies and practices that would strengthen the organization. Examples include the establishment of approval limits, travel policies, or contracting terms.

Each aspect of Governance, Risk and Compliance (GRC) is part of an entire ERM program, but they are not themselves ERM nor does their sum constitute ERM, which we qualitatively describe as follows:

  • Since there is no right answer, the ERM process and team can only establish practices to follow and help the organization ensure that risks are properly considered before decisions are made. This includes the governance processes that guide the organization's decision-making.

In a very practical example, every commercial organization faces the situation of selling to a new customer and ensuring that a variety of internal policies are adhered to:

  • Evaluating the potential customer. The sales, marketing and credit functions generally coordinate to ensure that the new customer brings sufficient value to the organization and is credit-worthy. Legal and finance are also often involved with elements such as standard contract terms and pricing. The ERM process/team should ensure that the appropriate criteria are defined in the new customer acceptance process and that this process is appropriately followed in each material situation. The ERM team does not perform any of the steps or checks in the review, but simply ensures that the governance process exists to mandate that they be asked.
  • Sale is made. IA can review the sales transaction to ensure that it has been accounted for and recorded properly. IC can review the same transaction to ensure that approval limits have been adhered. Plus, Compliance/Regulatory may also review the sale/customer to ensure that the items sold were used as intended and permitted under export regulations.

Should These Groups Coordinate?

Of course, but that is no different from the coordination that must exist between marketing and sales, sales and manufacturing and more, to ensure that the business does not stop while these reviews are completed.

A select few of these review steps are black and white, such as adherence to standard contract terms, ensuring that the new customer has a credit score above some minimum level, pricing terms deliver the minimum margin and others. But other steps are very grey, such as: Does our organization wish to be associated with this customer? Can we meet this new customer's expectations? etc., and none of these can be answered with certainty. The best that can be achieved, through the application of ERM processes, is to consider these questions fully and assess possible impacts prior to making the decision.


It all boils down to this: There are, and should be, many risk-related groups in an organization, each performing a unique role. But true ERM includes both hard and fast control functions as well as guidance for business decisions. Executives must change how they define ERM to truly realize the full scope of what ERM can and should achieve.

Rate this article 5 (excellent) to 1 (poor). Send your responses here.

Robert Torok, CA, is an executive consultant with IBM Global Business Services, leading the development of solutions and methods and delivering Enterprise Risk Management (ERM) services for IBM clients.

* A version of this article appeared previously in the April 2010 edition of Risk & Insurance magazine.