The Audit Podcast — Ep 241: How to Win Support for ERM w/ Beth Wommersley (Universal Destinations & Experiences)
Original Air Date: May 20, 2025
Host: Trent Russell
Guest: Beth Wommersley, Audit Leader at Universal Orlando
Episode Overview
This episode of The Audit Podcast features Beth Wommersley, a seasoned CAE with experience launching and facilitating ERM (Enterprise Risk Management) programs across various high-profile organizations. Host Trent Russell explores with Beth the increasing responsibility of internal audit functions in facilitating ERM, gaining executive buy-in, pitching ERM value to boards, managing independence concerns, and aligning with industry frameworks. The discussion dives into practical advice, real-world examples, and actionable steps for auditors seeking to more fully integrate or champion ERM.
Key Discussion Points & Insights
1. Personal and Professional Use of AI
[02:03–04:17]
- Beth uses AI tools like ChatGPT to verify facts in real-time (e.g., checking the accuracy of movies like Deepwater Horizon for her kids) and to support her professional work, such as ensuring presentations align with industry standards and guidance.
- Professionally, she's collaborating with her organization's legal and AI teams to begin piloting AI implementations, focusing on safe usage and data classification.
- AI also helps her communicate more clearly by refining emails.
Memorable Quote:
"I joke a lot too, because I always say I'm an accountant, I'm a CPA, so I'm mathly smart, but I'm not Englishly smart. I have found [AI] to be extremely helpful in emails, making sure that I'm being clear and concise."
— Beth Wommersley [03:51]
2. ERM vs. Traditional Internal Audit Risk Assessments
[07:05–11:54]
- Beth advocates for a single, integrated risk assessment based on ERM:
"From the very first year that I implemented ERM, I did away with the internal audit risk assessment. I don't do two separate assessments. I do ERM, and then derive my internal audit plan from the ERM results." [07:14]
- Key differences:
- Internal Audit Risk Assessment: Based on the audit universe, focuses on all areas that can be audited.
- ERM: Anchored in business strategy; focuses on key risks to strategic objectives.
- ERM identifies high-level risks (like cybersecurity, reputational risk) requiring deeper drill-downs for audit targets.
- For intangible risks (e.g., reputation), audits focus on controls, crisis readiness, and response, rather than the risk itself.
Notable Example:
Auditing reputational risk involves reviewing mitigations like brand vetting processes and crisis response plans rather than trying to audit reputation per se.
3. Building the ERM Business Case and Securing Buy-In
[13:07–15:05, 19:12–21:42]
- Initial Step: Secure executive and board support first, as their buy-in is essential for success.
- Making the Pitch:
- Tie ERM to organizational value beyond internal audit (e.g., crisis management, resilience, opportunity capture).
- Use real examples from the organization where ERM could have averted issues or enabled opportunity.
- Highlight quick wins or pilot projects for immediate value demonstration.
- Align ERM with business goals and decision-making improvements.
- Resource Considerations: Many audit platforms now include ERM modules; low-cost survey tools (e.g., Qualtrics) can be leveraged to minimize incremental costs.
Memorable Quote:
"The value really comes not from doing the ERM exercise and the annual survey or facilitated sessions or mixture...but the value comes when you're actually taking those key risks, identifying the risk strategies, monitoring, managing them, creating maybe KPIs, KRIs, just watching and monitoring that process and communicating it."
— Beth Wommersley [15:03]
Board Pitch Example:
Beth recounted a healthcare company leveraging ERM to identify growth opportunities beyond their saturated market—successfully expanding into tourism helicopters—demonstrating ERM's positive impact on opportunity evaluation, not just risk mitigation [19:41].
4. ERM's Line of Defense & Independence
[24:01–28:11]
- Ongoing Debate: Should ERM reside within Internal Audit (3rd line) or as a separate (2nd line) function?
- Highly regulated sectors (esp. financial institutions) often separate ERM from audit for independence.
- In many organizations, audit "owns" ERM as facilitators, not risk owners; management is accountable for mitigation, while audit ensures reporting and oversight.
- Maintaining Independence:
- Clearly define and document roles in an ERM charter (including a RACI matrix).
- Ensure risk owners (not audit) report on mitigation status to the ERM committee—a governance function.
- Trend: Growing ERM expectation across industries, but lack of resources for a standalone ERM function often means audit facilitates.
Memorable Quote:
"We're the facilitators, so we're still independent. We're not the ones that are implementing the risk mitigation strategies. We're the ones overseeing that somebody is and reporting it if it's not."
— Beth Wommersley [24:58]
5. Choosing an ERM Framework: COSO or ISO?
[29:06–30:40]
- Beth has implemented both; COSO is more prevalent among public/pre-IPO companies due to greater familiarity.
- ISO makes sense for manufacturing/tech firms where it's integral to SOPs.
- Key: Use the framework most natural for the company's culture and operations. Biggest difference is mainly nomenclature—strategic focus is essential in both.
6. Practical Implementation and Maturity
[31:41–33:28]
- Start Simple, Build Over Time:
"Crawl before you walk, walk before you run...start where it makes sense but continue to mature it over time."
- Integration and Monitoring:
- ERM is not a regulatory checklist, but a value-adding, evolving program.
- Programs should not be static or "put on a shelf"; continuous monitoring and improvement are core to sustained value.
Notable Quotes & Memorable Moments
- On Board Buy-In:
"The executive management team and the board are in support of ERM, because if they are not in support, I don't want to spend a lot of time developing a budget."
— Beth [14:22]
- On Opportunities, Not Just Risks:
"Risk is great and we do that all the time. But I feel like what people would rather hear about is the opportunities. Like, let's talk about that, and opportunity is just the other side of the risk coin."
— Trent [21:18]
Timestamps for Key Segments
| Timestamp | Topic |
|-----------|-------|
| 02:03 | Beth's use of AI personally and professionally |
| 07:05 | Why she ditched separate audit risk assessments |
| 08:46 | ERM vs traditional audit risk assessment |
| 13:07 | Securing buy-in, making the business case |
| 14:22 | The ERM "sales pitch" |
| 19:41 | Real-life pitching to the board (examples) |
| 24:01 | ERM's "line of defense" and independence debate |
| 29:06 | Choosing ERM frameworks (COSO vs ISO) |
| 31:41 | Final advice & implementation tips |
Summary Takeaways
- ERM should be leveraged both as a risk-identification tool and an opportunity enabler, directly aligned with business strategy.
- Internal audit can effectively facilitate ERM, provided roles are clearly defined and independence maintained.
- Start with executive buy-in, use examples relevant to your organization, and leverage existing tools/resources.
- Treat ERM as a living, value-added program, not a static checklist; continual improvement and integration are key.
- Choose a framework (COSO or ISO) based on what best fits your company’s existing culture and systems.
For further resources:
- NC State’s ERM content and updates
- Norman Marks’ blog on risk and audit
- Explore existing internal audit software for built-in ERM capabilities
The episode provides practical, experience-based advice for auditors and risk professionals looking to advance or implement ERM in their organizations, with actionable guidance on buy-in, execution, and the value of integrating risk management at a strategic level.
