A survey of U.S. businesses has found nearly a third are conducting multiple enterprise-wide risk assessments, but only 20 percent consider such efforts to be well coordinated.

The study by PricewaterhouseCoopers indicated that "there is a lot of disparity around how risks are being assessed and managed," said Richard Chambers, managing director and leader of internal audit advisory services for PwC, Orlando, Fla.

In an interview, he reported to National Underwriter the survey found that in some organizations, "multiple parties are doing risk assessments for the company, and in others, there may be nobody doing them."

According to the study, more than 80 percent of the respondents said they conduct an annual enterprise-wide risk assessment, but only a few said they update the internal audit risk assessment continuously. What's more, 64 percent may be doing little or nothing between annual assessments.

Mr. Chambers explained that enterprise risk management is still a "maturing concept" within some companies. Although they may wish to "embrace the concept of ERM, they're still struggling with how to do it and who should assume what roles."

He noted there were more than 700 responses to the survey, including 160 from Fortune 500 companies. Respondents indicated there were multiple risk assessments being conducted in their company, and only 20 percent said those risk assessments were well-aligned. In other words, different people doing these risk assessments may be coming back with different results.

"I think a frustrated party is the audit committee because they see these different risk assessments," he said. "They are in a position to articulate, when they see multiple risk assessments being done, that you have to do something to get them better aligned."

He added that internal audit does the assessment, because one of the standards adopted is that the audit function should complete an annual enterprise risk assessment and then use the assessment to build the audit plan for the coming year.

"What is not so common is who else in the organization is doing them and how well they're communicating," he said, noting that among those conducting the assessments within organizations are the chief risk officer, external auditor, chief compliance officer and risk manager.

"The main message is that there needs to be a clear delineation of responsibilities around risk assessment and risk management at companies," he said.

The survey also revealed a lack of consistency in the way risk management is practiced within major companies in the United States--specifically, how internal audit functions assess risks and participate in risk management processes, PwC said.

"As a result of such inconsistency, the implementation of risk management at many organizations is immature at best and chaotic at worst," the report read. "This is particularly true at companies where more than one function conducts risk management activities and where the risk assessments do not align strongly with corporate priorities or with each other."

PwC said the following imperatives should be considered when strengthening the internal audit risk assessment process:

o Adopt a process to approach risk assessment and planning.

o Supplement annual risk assessments with quarterly (or more frequent) updates.

o Leverage prior assessment results.

o Align and leverage risk assessments.

o Seek out the specialized talent needed.

o Coordinate effectively with other risk management groups.

Mr. Chambers commented that to help strengthen risk management within companies, "audit groups must focus on assessing risk on an ongoing basis and continue to monitor and update their enterprise-wide risk assessments."

In the areas of finance, compliance, and operations--sectors that might be characterized as traditional areas of focus for internal audit--respondents expressed fairly high degrees of confidence (64, 49, and 43 percent, respectively) in their audit coverage of these types of risks. They were significantly less confident with their audit coverage when dealing with risks in the areas of technology, fraud, and strategic or business risks.

The report, entitled "PricewaterhouseCoopers 2007 State of the Internal Audit Profession Study: Pressures Build for Continual Focus on Risk," is online at www.pwc.com/internalaudit. The 2006 findings, "PricewaterhouseCoopers 2006 State of the Internal Audit Profession Study: Continuous Auditing Gains Momentum," can also be accessed there.

Special Reports /

Risk Assments Faulty At Many U.S. Companies, PwC Says

Related Stories

Recommended For You