A survey of U.S. businesses has found nearly a third are conducting multiple enterprise-wide risk assessments, but only 20 percent consider such efforts to be well coordinated.

The study by PricewaterhouseCoopers indicated that "there is a lot of disparity around how risks are being assessed and managed," said Richard Chambers, managing director and leader of internal audit advisory services for PwC, Orlando, Fla.

In an interview, he reported to National Underwriter the survey found that in some organizations, "multiple parties are doing risk assessments for the company, and in others, there may be nobody doing them."

According to the study, more than 80 percent of the respondents said they conduct an annual enterprise-wide risk assessment, but only a few said they update the internal audit risk assessment continuously. What's more, 64 percent may be doing little or nothing between annual assessments.

Mr. Chambers explained that enterprise risk management is still a "maturing concept" within some companies. Although they may wish to "embrace the concept of ERM, they're still struggling with how to do it and who should assume what roles."

He noted there were more than 700 responses to the survey, including 160 from Fortune 500 companies. Respondents indicated there were multiple risk assessments being conducted in their company, and only 20 percent said those risk assessments were well-aligned. In other words, different people doing these risk assessments may be coming back with different results.

"I think a frustrated party is the audit committee because they see these different risk assessments," he said. "They are in a position to articulate, when they see multiple risk assessments being done, that you have to do something to get them better aligned."

He added that internal audit does the assessment, because one of the standards adopted is that the audit function should complete an annual enterprise risk assessment and then use the assessment to build the audit plan for the coming year.

"What is not so common is who else in the organization is doing them and how well they're communicating," he said, noting that among those conducting the assessments within organizations are the chief risk officer, external auditor, chief compliance officer and risk manager.

"The main message is that there needs to be a clear delineation of responsibilities around risk assessment and risk management at companies," he said.

The survey also revealed a lack of consistency in the way risk management is practiced within major companies in the United States--specifically, how internal audit functions assess risks and participate in risk management processes, PwC said.

"As a result of such inconsistency, the implementation of risk management at many organizations is immature at best and chaotic at worst," the report read. "This is particularly true at companies where more than one function conducts risk management activities and where the risk assessments do not align strongly with corporate priorities or with each other."

PwC said the following imperatives should be considered when strengthening the internal audit risk assessment process:

o Adopt a process to approach risk assessment and planning.
o Supplement annual risk assessments with quarterly (or more frequent) updates.
o Leverage prior assessment results.
o Align and leverage risk assessments.
o Seek out the specialized talent needed.
o Coordinate effectively with other risk management groups.

Mr. Chambers commented that to help strengthen risk management within companies, "audit groups must focus on assessing risk on an ongoing basis and continue to monitor and update their enterprise-wide risk assessments."

In the areas of finance, compliance, and operations--sectors that might be characterized as traditional areas of focus for internal audit--respondents expressed fairly high degrees of confidence (64, 49, and 43 percent, respectively) in their audit coverage of these types of risks. They were significantly less confident with their audit coverage when dealing with risks in the areas of technology, fraud, and strategic or business risks.

The report, entitled "PricewaterhouseCoopers 2007 State of the Internal Audit Profession Study: Pressures Build for Continual Focus on Risk," is online at www.pwc.com/internalaudit. The 2006 findings, "PricewaterhouseCoopers 2006 State of the Internal Audit Profession Study: Continuous Auditing Gains Momentum," can also be accessed there.
