Key Insights

  • Transforming Enterprise Risk Management (ERM) from a compliance process to a strategic decision-making tool improves its value.
  • A defined risk appetite directly shapes and influences key board decisions.
  • Engagement efficiency can be improved by coordinating internal audit and risk advisory to eliminate redundant testing.

Partners scoping ERM assessments often encounter a common pattern: clients invest significantly in comprehensive risk frameworks that don't shape strategic decisions. Boards receive detailed quarterly risk reports, yet those reports rarely influence acquisition approvals, market entry decisions, or capital allocation. Only 11% of organizations view their ERM as a strategic tool, while 64% report their frameworks deliver minimal or no strategic benefit.

This effectiveness gap stems from how ERM differs from traditional risk management. Where departmental approaches treat financial, operational, and technology risks independently, ERM creates a unified view connecting risk management directly to strategic objectives. COSO establishes five integrated components linking directly to organizational strategy and performance, giving practitioners a structured basis for assessing whether client frameworks actually function as decision-making tools.

This guide examines ERM assessment frameworks, internal audit's role in enhancing effectiveness, and how modern platforms streamline ERM engagements.

What Is Enterprise Risk Management?

Enterprise risk management is a structured approach that helps organizations identify, assess, and respond to risks across the entire business rather than managing them in isolated departments. Where traditional risk management treats financial, operational, and compliance risks separately, ERM connects these exposures to strategic objectives and board-level decision-making.

For audit and advisory firms, ERM has matured into a distinct professional service line. 46% of risk managers are now solely dedicated to ERM activities, reflecting how organizations have formalized this function. Yet only 27% of finance leaders report their ERM would identify significant reputation risk events before they occur.

For practitioners, this creates opportunities to help clients move from documented frameworks to functioning risk management capabilities that actually shape decisions. Understanding these opportunities requires distinguishing ERM from traditional approaches.

ERM vs Traditional Risk Management

Traditional risk management operates through departmental silos with each function managing risks independently. Finance tracks financial risks, internal audit evaluates controls, compliance monitors regulations, and IT addresses cyber threats. Each department maintains separate risk registers, uses different assessment methodologies, and reports through distinct channels. This fragmentation creates gaps where interconnected risks fall between departments and duplicates effort where multiple teams assess the same underlying exposures.

ERM builds risk appetite and tolerance into strategic planning from the outset. When organizations evaluate entering new markets, launching products, or pursuing acquisitions, ERM frameworks require explicit consideration of whether opportunities align with board-approved risk appetite before execution begins. COSO shifts risk management from a reactive, departmental function to a board and executive-level capability shaping strategic decisions.

These structural differences reshape engagement scoping. Traditional audits test whether specific controls operate as designed: IT security configurations, financial reporting procedures. ERM assessments require evaluating enterprise-wide capabilities: Can the board challenge management on risk appetite? Do strategic decisions incorporate risk thresholds before execution?

How to Assess ERM Using the COSO Components

ERM assessments are structured around five interrelated components, each requiring specific evaluation procedures.

Governance and Culture

Governance and culture establish the foundational elements through board oversight and organizational structure. Board oversight evaluation examines whether directors receive comprehensive risk information, actively challenge management on risk appetite decisions, and maintain expertise appropriate for organizational risk profiles. Organizational structure assessment focuses on whether risk roles have clear accountability, adequate resources, and appropriate reporting lines.

Strategy and Objective-Setting

Strategy and objective-setting connect risk management to strategic planning. The assessment focuses on whether organizations articulate risk appetite clearly—not just documenting statements but translating them into operational thresholds that guide decisions. Testing should also examine whether strategic planning processes explicitly evaluate initiative alignment with approved risk appetite before resource allocation.

Performance

Performance encompasses risk identification, assessment, and response. Key evaluation areas include whether organizations capture emerging risks through systematic environmental scanning, whether assessment methodologies prioritize exposures appropriately, and whether responses align with risk appetite.

Review and Revision

Review and revision address monitoring and adaptation. The focus here is whether organizations establish ongoing monitoring processes that detect changes in risk profiles, revise risk assessments when business conditions change, and update risk responses when controls prove ineffective.

Information, Communication, and Reporting

Information, communication, and reporting ensure appropriate risk information flow. Assessment areas include whether board reporting provides risk visibility, whether escalation paths enable timely response, and whether key risk indicators measure what matters. Effective frameworks establish clear escalation criteria defining when risk exposures require board notification versus management response.

The assessment process begins with establishing scope and gathering process documentation. After performing preliminary risk assessments, fieldwork spans all five components, with findings documented alongside supporting evidence throughout.

Internal Audit's Role in ERM Effectiveness

The IIA's Three Lines Model positions internal audit as the provider of independent assurance: distinct from management's first-line operational risk ownership and second-line risk and compliance monitoring functions.

In practice, internal audit's core assurance work means evaluating whether ERM components operate as designed, whether risk assessments reflect actual exposures, and whether responses effectively mitigate threats.

Beyond assurance, internal audit can provide advisory support while maintaining independence. Common advisory activities include risk management education and training, facilitating risk identification workshops, coaching on framework development, and sharing best practices.

The key consideration: when internal audit takes on operational responsibilities for ERM design or implementation, the Chief Audit Executive should engage external parties to audit those areas to preserve objectivity.

Coordinating with Risk Advisory Teams

Risk advisory services and internal audit teams often work on ERM engagements for the same clients. While this creates collaboration opportunities, it also introduces coordination challenges: distinct roles don't automatically prevent duplication or gaps.

Without intentional coordination, silos form quickly. Multiple teams end up testing the same controls, requesting similar evidence from the same operational managers, or running parallel risk assessments with different methodologies that produce conflicting conclusions. Emerging risks can fall between traditional categories, and interconnected risks spanning multiple functions may lack comprehensive visibility from any single team.

Implementing Combined Assurance Models

Combined assurance models offer a practical solution. The approach recognizes that ERM remains management's responsibility while giving internal auditors the visibility they need to provide effective assurance. By synthesizing SOC reports, Sarbanes-Oxley testing, and internal audit risk assessments, teams can deliver a comprehensive view of organizational risk without duplicating effort. This coordination reduces audit fatigue for operational teams and streamlines testing across assurance functions.

Making collaboration work requires clear boundaries and structured coordination. Internal audit provides objective assurance while risk functions handle the day-to-day work of identifying, assessing, and monitoring risks. CAEs need access to risk function methodologies and results, annual planning should align between teams, and documentation should clearly show assurance coverage across risk areas.

Internal audit still owns the responsibility for determining where additional independent assurance is needed beyond other providers' work.

How Modern Platforms Can Transform ERM Assessment Work

ERM engagements involve substantial manual work that modern platforms can streamline. The typical process (gathering information across departments, assessing risks, conducting fieldwork, and maintaining documentation) creates significant coordination overhead. Modern platforms reduce this burden by centralizing workflow and automating routine tracking.

Evidence Collection and Document Management

Evidence collection is often a major pain point. Teams request risk registers, assessment documentation, and board reports from clients, then organize these materials into engagement workpapers while tracking which evidence supports which testing procedures. When managing multiple concurrent client assessments, keeping track of dozens of outstanding requests across a portfolio becomes difficult without centralized tracking.

Modern audit and risk platforms address this by centralizing risk registers, controls, and evidence within engagement management systems. Configure frameworks once—mapping controls to risks, establishing testing procedures, and defining evidence requirements—then apply these templates across multiple client engagements. Document management features eliminate email-based tracking by providing centralized repositories where clients upload evidence directly. Practitioners map documents to applicable controls, and AI assists with extraction and analysis within those defined mappings.

AI-Powered Testing and Analysis

Manual note-taking during risk workshops diverts attention from analysis and creates inconsistent documentation. ERM teams can use GenAI capabilities to maintain a consistent voice while freeing up time for more strategic initiatives, allowing leadership to focus on deeper insights rather than documentation tasks.

For engagements involving controls testing, AI-driven capabilities improve evidence matching and testing support. For SOC 2 and compliance assessments, the Testing Agent automates end-to-end control testing by mapping evidence, executing tests, and documenting results with citations and exception flags. For financial audit sample-based testing, the Testing Agent can automate up to 70% of testing by extracting data from source documents into Sample Sheets with direct source references. This shifts the focus from manual data extraction to oversight and professional judgment, though practitioners maintain responsibility for sampling methodology, evidence mapping, and final determinations.

Workflow Automation and Portfolio Visibility

Workflow automation reduces administrative burden significantly. Request generation capabilities allow teams to create customized evidence requests based on control requirements, track client responses automatically, and send escalations when requests age beyond defined thresholds. Bulk action features enable consistent updates across multiple workpapers simultaneously rather than repeating manual steps for each control tested.

Real-time dashboards provide portfolio visibility that managers need. When coordinating multiple concurrent ERM engagements, seeing status across the entire portfolio (like which engagements have outstanding client requests, which testing procedures are complete, which workpapers are in review) becomes possible without manually compiling updates from distributed teams.

Building an ERM Practice That Scales

Whether you're assessing COSO component effectiveness, coordinating between risk advisory and internal audit teams, or managing evidence collection across multiple concurrent engagements, the underlying challenge is the same: ERM work generates substantial coordination overhead that traditional tools weren't designed to handle.

The gap between documented ERM frameworks and operational effectiveness represents a significant opportunity for audit and advisory firms. Clients want help moving from frameworks that look good on paper to risk management that actually shapes how they make decisions.

Fieldguide gives practitioners the infrastructure to deliver that value efficiently. Rather than piecing together spreadsheets, email chains, and disconnected tools, teams can manage the full ERM engagement lifecycle from a single platform built for how risk advisory and internal audit work actually gets done. Schedule a demo to see how it fits your firm's approach to ERM assessments.

Amanda Waldmann

Increasing trust with AI for audit and advisory firms.