
This week on The Audit Podcast, we’re joined by Beth Womersley, Head of Assurance & Advisory Services at . Beth shares her experience launching and leading ERM programs across multiple organizations. As internal audit teams take on more ERM...
A
So if we as internal auditors are wanting to be trusted advisors, we really want to partner with management and drive value for the organization like we've been talking about at all the conferences. We need to be focused on the same thing that those stakeholders are, and that's where those ERM risks are key.
B
Hello everybody, and welcome to another episode of the Audit Podcast. I'm your host, Trent Russell. Today on the show we have Beth Womersley. Beth leads the audit team at Universal Orlando. Previously she was at Holiday Inn Club Vacations, leading the internal audit function there, and before that she led the internal audit function at SeaWorld. So hands down, probably the coolest series of jobs that I think we've had on the podcast. We had some people send us messages saying, hey, can we do something around ERM? Internal audit's getting a lot more involved with ERM. A lot more of the responsibility is falling on internal audit to facilitate ERM, leverage ERM, etc. And so that's where Beth comes in. Beth has facilitated ERM at multiple places and also kicked them off, launched them, got them started. And so that's what the entire conversation is around. So for those that don't know, we talk about what the point of ERM is, especially relative to the risk assessments that we typically do within internal audit. What's the sales pitch for ERM? So if you believe in the value that it adds and you want to take on some of those responsibilities, help facilitate it, how can you do that and get buy-in from the audit committee and the board? What line of defense does it sit in? Should it sit in? Could it sit in? I think there's always questions around that, and independence, of course, and then ISO, COSO, what framework are we going to follow here? And so with that said, here we go. Okay, what is in your... you can do Internet browsing history, ChatGPT history, Copilot history, a combination of any of those, or if you use Llama or Claude or any other type of LLM. But what have you been doing personally and professionally within those tools that you could tell us about?
A
So I will say I'm really enjoying AI more from the personal perspective right now, but that is changing quite a bit from the business perspective as well. So I can share that. Personally, I often like to watch movies or TV shows that are based on real-life events, and then I'm always curious when I'm watching them, is it actually true? Is it partially true with creative liberties, or is that part of the movie completely fictional? So I found ChatGPT to be very helpful. I could just plug it in right there and ask the questions. Recently we were watching Deepwater Horizon with the kids. They'd never seen it; they're huge Mark Wahlberg fans. So we decided to watch it. And during that, the risk management side of me said, I wonder how much of this is actually true versus how much was fictional and really there for entertainment purposes. So I just plugged it into ChatGPT while we were watching the movie and kind of followed along to say, yep, that was in an investigation report, or no, that wasn't in an investigation report. So I kind of use it a little bit to nerd out, even in my personal life.
B
Nice.
A
Most recently in professional life, I was a speaker at the Institute of Internal Auditors GAM conference. So I built my presentation, and then I wanted to really make sure that the presentation aligned with IIA standards, COSO, NC State's ERM initiatives. So after preparing it, I used ChatGPT to help me align and make sure that what I had in my presentation lined up with the authoritative guidance. So it's been very helpful. And then on the professional side as well, I just met with our legal team that's heading up the AI board at our company, and we are going to start implementing it where we can. I think most companies have some sort of tiered classification within their data. So we talked about what we can use it on, what we can't use it on, and how we could safely use it with our enterprise licenses. So we're working through what those case scenarios look like and how we're going to use it in our department, hopefully in the next month or two. So then I'll really start using it a lot more from a professional perspective. I joke a lot too, because I always say I'm an accountant, I'm a CPA, so I'm mathly smart, but I'm not Englishly smart. I have found it to be extremely helpful in emails, making sure that I'm being clear and concise in emails.
B
Yeah, I like the movie thing. I don't know if it was on the podcast or somewhere else I was talking about this, but my... Oh well, we were talking about art on a different podcast with a former CAE who's like an artist now, and the way I judge art is the same way Andy does from The Office. If you've ever seen that, where he goes, this art is good, that art is bad. Like, that's me. It makes no sense to me, and I can just look and go, yeah, I like that one, I don't like that one. Similarly with movies, I don't try to figure out what's going on. I just watch. I don't get any of the foreshadowing. I don't get any of the, like, literary elements that are to it. And this color means this, and this is what this means, and the reason they hung on the frame for an extra two seconds and the guy blinked, that goes straight over my head. Completely dense when it comes to that. And usually a movie will end and I'll go, I have no idea what was the point of, like, what was the meaning of the ending? And so that's where I've been using it a lot too, is I'll watch a movie and then immediately go, hey, can you tell me what the ending of... I think it was Taxi Driver is what I watched recently. Can you tell me the ending of Taxi Driver? And there's this, like, brief half a second where you see something in the rearview mirror, I think. And I was like, what was that about? And so it's helped me understand exactly what's going on. I had to do it with White Lotus also. It's like, can you explain what just happened? So I like that one a lot. Hey, everybody, we're going to take a quick break from our guest, and if you need to get analytics or AI actually working in your internal audit department, or if you already have some of it and you feel like you're not really getting exactly what you need out of it, you know there's more you're not getting, then go to the show notes, look for the Green Skies Analytics link, click it, and on the website
there'll be other links that you can click that will take you directly to a calendar to schedule time. It's literally three clicks to get the time scheduled to get it figured out. All right, back to the show. Most of this episode is around ERM. You mentioned NC State, so there's a really, really solid resource there for anyone who's interested in kind of all things ERM; just search "NC State ERM" and it'll take you there. Sign up for the email list and then kind of see all the new content that they put out. But there has been more on audit relative to ERM as of late. And actually someone specifically emailed me and said, can you have someone talk ERM? You and I were talking, you said ERM, and I said, you're coming on the show because we have to have you. So anyway, with all that said, what's the point of ERM? When we do risk assessments as a part of the internal audit function, there's, like, ERM, they do their thing, and internal audit does a risk assessment. So, like, what is, maybe even higher level, what is ERM, for those that don't even have ERM within their organization?
A
Yeah. So it's actually a very interesting topic, and I've had debates with friends and colleagues around this exact topic. So from the very first year that I implemented ERM, I did away with the internal audit risk assessment. I don't do two separate assessments. I do ERM, and then derive my internal audit plan from the ERM results. That being said, you do have to dig in a little bit because ERM is at a very high level. So if cybersecurity risk is high, then you might have to dig in and figure out what specifically you need to target your audits on. So those do require some additional conversations. But rather than throwing out a broad net and saying, this is all my audit universe, I'm looking at it from the perspective of what matters to our executives and to our board of directors and other stakeholders, our investors or whoever, customers, all that. So if we think about it, if ERM is done properly, it's really being driven from the business strategy. What matters to those people that we just talked about, the board, our investors, our customers. That business strategy is developed to drive that value. So if we as internal auditors are wanting to be trusted advisors, we really want to partner with management and drive value for the organization, like we've been talking about at all the conferences. We need to be focused on the same thing that those stakeholders are, and that's where those ERM risks are key. So that's why I did away with it. Since about 2006, 2007, I have not used a separate internal audit assessment.
B
If someone's listening, going, that basically sounds like the risk assessment I do for internal audit. What are the differences, maybe key differences between the two?
A
So the key difference is, what I've seen in more traditional internal audit assessments is you've got this standard audit risk universe that you're looking at, and you're assessing that audit risk universe, as opposed to ERM, where you're really starting with the business strategy and saying, what are the key risks that might keep us from achieving those business objectives and that business strategy? What could disrupt that plan? So you're looking at it from a different perspective. Not just everything that's in the organization that can be audited; you're looking at it very focused in ERM: what is our strategy and what are the key risks that could impact that strategy. And then from there, those are much higher level. So like I talked about cybersecurity, that's going to be a very high-level risk, and you then have to dig in, drill in a little bit deeper if that is one of the ones that's high and you decide that should be part of your internal audit plan. You do have to dig in and figure out what the objectives are going to be. You also want to make sure that you're not duplicating efforts. But if you were to go look at NC State, like we talked about earlier, they have some really great... Every year they join with Protiviti and they do a survey of what the key risks are right now and then what people think the key risks are going to be in the future. And you can see that those are written at a much higher level, and you do have to dig into those. But it at least focuses your internal audit risk assessment into where the key areas are, as opposed to just looking at, you know, what's our risk in accounts payable, what's our risk over in this operational area. So it's more pointed. The other thing that people will often say to me is, well, if I use ERM, there's risks that are going to come up high that I can't audit. So reputational risk might be an example where they say, you know, it's intangible, it's public backlash. How do I know how to audit that?
It's not about auditing that specifically, but it's looking at that risk and saying, what are we doing to mitigate ourselves if that does happen? What are our preventative controls? So branding and marketing, they probably have processes and procedures where they're looking at their ad campaigns, they're vetting their social media influencers, and they have processes that they go through. So you can do an audit that's more traditional from that perspective, or you can look at it from the perspective of, okay, we have all these preventative controls, but what if something does still happen? What if one of the ad campaigns does fall flat and we get some public backlash on that? So from there it's more, what do we do when that happens and how well prepared are we? So I would say stepping away from the traditional historical audit type of procedure or looking at controls, running a tabletop, just like you would do with business continuity and disaster recovery. Understand where the holes are. Where did people not understand what their role was in the crisis management situation? And did we prepare the CEO in case that person is walking out to the parking lot and there's news reporters ready to ask them questions? So making sure everybody understands their role, understands who they need to talk to, and that you're ready to deal with a crisis. So there's two different ways that you can handle it from that perspective.
B
I always plug Norman Marks' blog whenever I can because it's probably one of the best resources for internal audit and risk management folks as well. He's been preaching this for years. Go strategy-wise instead of entire audit universe, help the organization succeed kind of thing. So if anyone's not subscribed to that, you should be able to search for Norman's name. I don't know, he puts out two, maybe three relatively short posts a week. They might take three minutes, five minutes to read. And there's always a lot of good stuff in there. So I highly recommend that and his thoughts on ERM in general. You can go search for that, all his books and all that stuff also. But okay, so let's say that maybe people that are listening are like, all right, here I am, I'm down with that. We should start doing that. How? How should they, could they pitch that to get the resources that they need in order to make it happen? I'm assuming there's additional software that would be really helpful. Did you need more hours from your team to put this together? Like, how can they pitch this and then be equipped on the business case to make sure that they can, or better ensure rather, that they actually get this thing running?
A
Yep. So I start with getting the buy-in first. Really, the executives and the board have to be behind it or it's not going to be successful. That being said, board and executives do want to know cost for anything that you're going to implement. So having something prepared without digging too deep is definitely important to have in your back pocket in case that question does pop up. But it's first, what do we want to drive out of it? What kind of value do you think that you can bring to the organization? And it's probably got to be more than just your internal audit plan. So thinking through how we are going to handle crises. You can use other companies as an example too, you know, and how they managed through a crisis, whether it was good or bad, and how internal audit, or sorry, enterprise risk management, could help them in that situation. Definitely aligning ERM with the business goals and how it can be successful.
B
All right, so let's say we have convinced some auditors that are listening that ERM is the way to go. And now they basically have to build the business case and convince, influence management to give them that responsibility as well as give them the budget to do that. How can we get that buy-in? What's kind of the sales pitch for ERM?
A
So I start with making sure that the executive management team and the board are in support of ERM, because if they are not in support, I don't want to spend a lot of time developing a budget. But you do have to have enough information because costs do matter. So enough information and an idea of how you're going to structure that. But I start with, where can we add the most value? What can ERM bring to the organization where we may be lacking? Where do we have some blind spots? Do we have any specific examples that we can bring in from the organization where we had something either go wrong or missed an opportunity because we weren't doing ERM, and ERM could have maybe helped us identify those and take advantage of them? So bringing in real-life examples from your own company or bringing in real-life examples from other companies and what they could have done and how ERM could help them, certainly aligning with the business goals, demonstrating some quick wins, maybe it's a pilot project and you start with something a little bit smaller. But definitely showing how ERM can help your organization is going to be key when getting their support. And I say that you need to have board and executive management support before doing the ERM program, because if you think about it, you're just the facilitator. The people that are actually managing and monitoring those risks are the people throughout the business. So you've got to have that executive support to help build that risk-aware culture and drive the importance of doing the program, and for people to actually participate and take advantage of it. It also helps with improved decision making. So thinking about it, just bringing that risk-aware culture.
So if you're looking at an acquisition, is everybody talking about the risks and identifying them so that you have a clear path forward in what you're going to consider, and what obstacles you might come across, and what might be some value adds? Resiliency is a big one. So we've talked a little bit about this. But helping organizations prepare and be ready for potential disruptions, or taking advantage of scenarios and opportunities that are out there. So in general, having a plan that's practiced and can help people manage, whether it's a stressful situation or, again, taking advantage of opportunities. So ERM can help with that risk mitigation strategy, really bringing that structured approach, so you've identified your key risks. What are you going to do with that? You know, I have seen companies that just do the survey and then they put it on the shelf and they're done, or they've done individual facilitated sessions and come up with their risk scores and then they put it on the shelf until the next year. If you're going to do that, I don't think that there's value in doing ERM. The value really comes not from doing the ERM exercise and the annual survey or facilitated sessions or a mixture, however you're gathering your risks. But the value comes when you're actually taking those key risks, identifying the risk strategies, monitoring, managing them, creating maybe KPIs, KRIs, just watching and monitoring that process and communicating it. So when you're considering your resources, some of the audit programs now already have tools built into them for ERM. Actually, a lot of them do. So if you have one of those tools that has ERM surveys, risk maps, things of that sort, taking advantage of those is the best because you already have them; you're already paying for the subscription. If you're not, I've used other tools. The first time I implemented ERM, we had to figure out how we were going to do the surveys.
So we did individual facilitated sessions to identify the key risks, ran those key risks through the leadership team, made some tweaks and changes to them, and came up with the survey. But we wanted to reach out to a broader group. So we used a survey format to identify the key risks. We also gave weighting to the board and executive leadership versus the individual contributors so that we didn't skew the ratings. So we were sure that we had proper rating from the executive and board level that have more of a holistic view of the organization and the risk landscape. And so at the time I was using a homegrown system, our own system that we had built in Access to manage our internal audit process. So it did not have any of the tools that the systems have today. So I reached out to our marketing team and said, what are you using to get our net promoter scores? They were using Qualtrics, so we just dialed a couple of licenses so that the internal audit team could use it. And the cost was very minimal. I think it was a few hundred bucks. So it was very easy to pitch that to be our tool to use because it wasn't a large incremental cost. And then the resources were just some of our internal audit team. So it became one of the projects that we managed.
B
I think that's great. I think what might be even more helpful, let's assume I am the board, audit committee, stakeholders that you have to convince that I have to give you the resources for ERM. So you pitch me, I won't beat it up or anything, but what's your pitch that other people can take, maybe other CAEs can take, and go, yeah, that sounds good, I can use some of that. Let me use that.
A
So I go back to using examples. Right. So previously I worked at a company that was very healthcare focused, very heavy M&A. That's how our growth strategy was, primarily. We had some greenfields, but it was mostly M&A. And the aeromedical industry is fairly small, and the mode of transportation is primarily helicopters. So we got to a point where we'd acquired a lot of the companies within our core service industry. So the opportunity there was kind of diminishing. We had to find ways to continue to grow. So the board said, you know, go forth, what's adjacent, what else can we still be good at? What's still within our core competencies? So here's an example where you've got an opportunity, not a risk. From an opportunity perspective, how can we grow? So because we were so ingrained in the risk-aware culture already and having those conversations, our CEOs brought forth, hey, let's go into tourism helicopters, you know, they seem to have decent margins, they're within our core competencies. It's still operating helicopters, just a different industry. And we did, we acquired two tourism helicopter companies. They were very successful. Of course, there were things that leadership had to learn that were different in tourism from healthcare, but it still rolled in nicely. And by doing that risk assessment specific to those acquisitions, our leadership teams were ready and prepared by bringing in that acquisition. So they were both very successful. So that's where you can show how ERM can add value, even from a positive perspective, as opposed to always thinking of it in negative terms, like, something bad is going to happen.
B
I love that so much. And people that listen to the show, if they're listening, they probably know that I was smiling when you said that because, like, risk is great and we do that all the time. But I feel like what people would rather hear about is the opportunities. Like, let's talk about that, and opportunities are just the other side of the risk coin to some degree, in a lot of situations. And so I always try to put it in that perspective, which I think you did fantastic on. So do you have more on the example side, or...
A
So we had a very interesting situation where I was working with a company. We decided that we were going to go into a not-as-developed country internationally. And the risks that we were typically used to thinking about, whether it be fraud risks or just integrating culture risk, obviously culture risk plays in when you're going to another country. But what we identified was a safety risk. And while this isn't at the ERM level, this is getting that risk-aware culture throughout the organization. So as we were talking about expanding into this other country, one of the risks that we were having as management, in the management discussion, is, you know, in the country that we're going into, one of the things that's highly prized, more than even money, is having clean water. And for us to provide our services, clean water was absolutely key to providing services. So we had a whole filtration system that we were going to have to be putting at the base. And in that case we realized we really need to have safety around that; we need to keep our team safe that's on the ground because people are going to want to have access to this purified water. So it's really interesting how you can use that from an operational perspective and how it really helps you drive the business and identify how you're going to keep your team members safe, how you're going to keep your assets safe, all of that.
B
The thing I wanted to follow up on from earlier was when you mentioned the facilitator role. And I was talking to another CAE who said the very same thing. So she's a year in as a CAE, and I think within, like, the first two months they were like, ERM, it's yours, go. And she was like, okay, I guess, but she used the word facilitating ERM. And so that kind of brings me... I'm curious if there... I'm sure there's got to be somebody out there who's like, oh, we can't do this. There's some kind of independence thing, or that's a second line or a first line thing or whatever. Is there a lot of back and forth discussion around that, or is it pretty cut and clear, like, nope, this is audit's thing and we're going to do it? I know there's some organizations who are, like, massive and they have their own entire ERM teams that are separate from internal audit. From the ones I've talked to, they do a really good job of working together. That's not always easy, but I can just see someone going, independence, we're not going to do that.
A
Yes, that is true. And it is actually a very hot topic right now. You're actually hitting on something that's a big hot topic. I was actually recently at a Chief Audit Executive event, a pre-conference event, and it was a big debate topic. We had a breakout session that was specific to ERM, and there were CAEs that felt very strongly it needs to be second line of defense. It should not be in internal audit. And then there were others that were definitely on the side of, no, it makes sense it should be in internal audit because we're risk experts, we do this for a living. And so putting it in there. And then too, a lot of us do drive our internal audit plans off of ERM. So it sitting with internal audit is another reason or debate for putting it under internal audit. But there are a lot of people that feel strongly both ways. I think you just have to draw the right lines. And I think the thing that you talked about is absolutely key. We're the facilitators, so we're still independent. We're not the ones that are implementing the risk mitigation strategies. We're the ones overseeing that somebody is, and reporting it if it's not. So it's not that much different in my mind than doing an internal audit. You know, here we need a risk mitigation strategy and it's not being done, or we need a risk mitigation strategy and they're doing a great job, so gold star for you. So facilitation is really key, and that's what people need to remember. Every time I've done it, I've made sure that the board is comfortable with what our role is going to be, clearly defining it in the charter, in the ERM charter. So just like you have an internal audit charter, your audit committee charters, all of that, you should also have an ERM charter, which is guiding who's responsible for what. I've often included, like, a RACI matrix to show who's responsible, who's accountable, who's consulted, and who's informed.
And then that helps really clearly lay out everybody's role within the ERM program. And that can also help draw the lines of independence as well. I will say at that session, the majority of the people that felt that it needed to be second line of defense, those came from highly regulated industries, primarily financial institutions, where you do commonly see it in the second line of defense. And it is truly separate. They have the resources, they have the budget. The growing trend is that industries want ERM, they see the value in it, but they can't afford to have a completely separate department and have a whole other set of people that have that risk background and that expertise that internal audit brings to the table. So it does make sense in a lot of cases, and in all of my CAE roles, both when I've been in industry and then when I was a partner in Risk Advisory Services, where I actually functioned as an outsourced CAE for one of my clients, in all those cases, I've owned the ERM program from a facilitation perspective. But it was up to management to then, okay, here's the risk, presenting it to management, you tell me how you're going to mitigate that risk. I'll be the reporter on that, the single funnel through, to make sure that the audit committee is informed, and the CFO and the CEO. But, you know, management has to own those risk mitigations. Which actually brings me to another interesting point too, because we're not the owners. If you're doing, like most companies will do, some sort of ERM executive committee and then some subcommittees, to me it's important to have those risk owners actually report out on a quarterly basis. And you probably don't have enough time for every risk owner to report on a quarterly basis.
But do it on, like, a rotating cycle where they come in and actually present what their mitigation strategies are and where they're at in their plan, and maybe where they're delayed on a project or ahead of schedule on getting something implemented, and what's going well and what's not going well, presenting that to your ERM executive committee, which is typically made up of your C-suite. So then that way the C-suite can ask questions, and they're really doing their job then of understanding the key risks and making sure that monitoring and management of those risks is taking place.
B
Okay. And so on the who-owns-it piece, it sounds like it's not black and white.
A
It's not.
B
You can make an argument for either side. Ultimately it comes down to what's best for your organization.
A
It is. And industry, I would say financial institutions, with their type of regulation, it does make sense that theirs is completely separated. I don't have a background in financial institutions, but I've spent a lot of time, I have a lot of friends that are in it, and it does make sense for them.
B
Yeah, and the examples that I had were both financial institutions where they had their own ERM teams, like, you know, a handful of folks, and they're just doing that. Excellent. Okay, maybe a little bit more detailed. If someone's going, is this ISO, COSO, what do I do? How do I do it? What am I supposed to do with this? What's the advice there? You just go, hey, whatever, you know, pick it and run with it, or what's the advice you give there?
A
So I have implemented both. I've used ISO and I've used COSO. I will say more commonly I've used COSO. That's the most common that I've come across. And some of that could also just be that my background is primarily with either publicly traded companies or pre-IPO companies, and COSO's a standard framework and knowledge that everybody has already. But that does go back to the fact I always recommend, when I'm working with clients on ERM, use whatever makes the most sense for your company. So I've used both. The biggest difference that I've seen is nomenclature, but both start with business strategy at the core, just like we talked about. You've got to start with what the strategy is and then identify your risks and opportunities based on your business strategy, and that's where your focus is for your ERM, and then identifying those risks and monitoring and managing those strategies. I always tell companies, use the framework, like I said, that makes the most sense. Where I have implemented using ISO are companies that are manufacturing and technology clients that I had where ISO is just part of their everyday culture. They use ISO, it's throughout their SOPs, they follow the framework, and in those cases it makes sense because you want to make sure that ERM fits within your company. Just like we talked about embedding it into the culture, it's absolutely important that it makes sense to everybody. And the buy-in comes if it's... like ISO, if you already have it in your organization, people are used to it. So sticking with what's familiar will help make the ERM program more successful.
B
All right, so Beth, you spoke about, there's the, it's like a very big trend, ERM with internal audit now. And I think that's obvious also by at least one person specifically emailing me saying, I'm seeing this trend also, can you get some ERM folks on there? And so thank you a ton for basically being kind of our first ERM person to talk about this, and I feel like this is the appropriate level to start with. If you don't have the buy-in yet, if, like, you need to get ERM within your organization and you need to facilitate it, how can you do that? And so I think the way you've set it up has been fantastic. The examples are great. Later on we'll probably do some episodes with people where we go down a level and start talking a little more tactically about, okay, you have it, like you got the approval, you got the budget that you need, now here's how you start doing it. And so that'll be a future episode, for those that are wondering. So anyway, thank you for being basically our first ERM person. I think it was fantastic advice. With all that said, what do you want to leave the audience with?
A
Well, thank you for inviting me to be part of the show, and I'm very passionate about ERM, if you can't tell. So I love talking about it. I would say a couple of things to leave the audience with. ERM is not a checklist. It's not as stringent of a framework as maybe, like, a regulatory compliance type of audit or procedures or things like that. It's definitely there to be a value-added program to your organization. So design it to fit your company, make sure that it fits your culture. You design the program to fit within what your company needs and how it will be most successful, and mature it over time. So that's another thing that I've often told clients. Crawl before you walk, walk before you run. And then of course, as you're implementing it, start where it makes sense but continue to mature it over time. So I had one client that their department was solely focused on ERM. They actually didn't have an internal audit department, they just had an ERM program. And it was great to just see them constantly doing continuous monitoring. They had a great program, but they were always looking to NC State, to Gartner, to us, I was a partner at the firm at the time, always looking for what's the next best thing and continuing to improve that even though they had a solid program already. So it was really an honor to work with them and be a part of that team that helped them continuously improve their ERM. So I'd say start where you can and then grow it over time. But the one thing, lastly, is not just doing a survey and putting it on the shelf. Have enough of the program designed that you're going to do something with those results, so that at least there's some level of monitoring and managing what those key risks are.
B
Hey everyone, thank you very much for listening to this episode of the Audit Podcast. Whatever platform you're listening on right now, I'm sure there's a subscribe button somewhere, so please hit the subscribe button there. If you're listening through iTunes or Spotify, feel free to go give us that five-star rating. It only took me about 16 seconds to give myself a five-star review, and it really helps to get future guests to come on the show, so we'd really appreciate that. Lastly, be sure to check out the show notes and follow us on all our social media channels, on Instagram, on LinkedIn, and on TikTok. Also, if interested, please sign up for our weekly newsletter from the Audit Podcast. Thank you all. Have a great one.
The Audit Podcast — Ep 241: How to Win Support for ERM w/ Beth Wommersley (Universal Destinations & Experiences)
Original Air Date: May 20, 2025
Host: Trent Russell
Guest: Beth Wommersley, Audit Leader at Universal Orlando
This episode of The Audit Podcast features Beth Wommersley, a seasoned CAE with experience launching and facilitating ERM (Enterprise Risk Management) programs across various high-profile organizations. Host Trent Russell explores with Beth the increasing responsibility of internal audit functions in facilitating ERM, gaining executive buy-in, pitching ERM value to boards, managing independence concerns, and aligning with industry frameworks. The discussion dives into practical advice, real-world examples, and actionable steps for auditors seeking to more fully integrate or champion ERM.
[02:03–04:17] Beth's use of AI personally and professionally
Memorable Quote:
"I joke a lot too, because I always say I'm an accountant, I'm a CPA, so I'm mathly smart, but I'm not Englishly smart. I have found [AI] to be extremely helpful in emails, making sure that I'm being clear and concise."
— Beth Wommersley [03:51]
[07:05–11:54] Why she ditched separate audit risk assessments; ERM vs. traditional audit risk assessment
Notable Example:
Auditing reputational risk involves reviewing mitigations like brand vetting processes and crisis response plans rather than trying to audit reputation per se.
[13:07–15:05, 19:12–21:42] Securing buy-in, the ERM "sales pitch", and pitching to the board
Memorable Quote:
"The value really comes not from doing the ERM exercise and the annual survey or facilitated sessions or mixture...but the value comes when you're actually taking those key risks, identifying the risk strategies, monitoring, managing them, creating maybe KPIs, KRIs, just watching and monitoring that process and communicating it."
— Beth Wommersley [15:03]
Board Pitch Example:
Beth recounted a healthcare company leveraging ERM to identify growth opportunities beyond their saturated market—successfully expanding into tourism helicopters—demonstrating ERM's positive impact on opportunity evaluation, not just risk mitigation [19:41].
[24:01–28:11] ERM's "line of defense" and the independence debate
Memorable Quote:
"We're the facilitators, so we're still independent. We're not the ones that are implementing the risk mitigation strategies. We're the ones overseeing that somebody is and reporting it if it's not."
— Beth Wommersley [24:58]
[29:06–30:40] Choosing ERM frameworks (COSO vs. ISO)
[31:41–33:28] Final advice and implementation tips
On Board Buy-In:
"The executive management team and the board are in support of ERM, because if they are not in support, I don't want to spend a lot of time developing a budget."
— Beth [14:22]
On Opportunities, Not Just Risks:
"Risk is great and we do that all the time. But I feel like what people would rather hear about is the opportunities. Like, let's talk about that, and opportunity is just the other side of the risk coin."
— Trent [21:18]
| Timestamp | Topic |
|-----------|--------------------------------------------------|
| 02:03 | Beth's use of AI personally and professionally |
| 07:05 | Why she ditched separate audit risk assessments |
| 08:46 | ERM vs. traditional audit risk assessment |
| 13:07 | Securing buy-in, making the business case |
| 14:22 | The ERM "sales pitch" |
| 19:41 | Real-life pitching to the board (examples) |
| 24:01 | ERM's "line of defense" and independence debate |
| 29:06 | Choosing ERM frameworks (COSO vs. ISO) |
| 31:41 | Final advice and implementation tips |
For further resources:
The episode provides practical, experience-based advice for auditors and risk professionals looking to advance or implement ERM in their organizations, with actionable guidance on buy-in, execution, and the value of integrating risk management at a strategic level.