This book outlines
a vision of how enterprise risk management (ERM) should be performed within
organizations and then describes how that process might be audited.
Personally, I am
not sure what enterprise risk management is. It has always impressed me as a
buzz word invented by some consulting firm's marketing department. It seems the
Committee of Sponsoring Organizations (COSO) has released guidelines describing
their vision for ERM. The first half of this book describes that vision. The
second half describes how, once implemented, it might be audited.
If you don't
embrace the book's vision for ERM, you will not find much that is useful amidst
its information on auditing. The two are too integrated to separate one from the
other.
Contents
1. Why risk management?
2. Determining risk management maturity
3. Enterprise-wide risk management
4. Risk appetite
5. Control risk self-assessment
6. Developing an audit approach
7. The illusion of perfection
8. A holistic ERM concept
The serious flaw
with the book is that it is all high level, abstract theory. Do you want to know
how to validate a value-at-risk implementation? The book doesn't mention
value-at-risk. How about auditing the credit risk management function? The book
doesn't mention credit risk either. How about sifting through brokerage reports
to check for signs of fraud? Nope, sorry. Data integrity, systems security,
pricing model validation ... it covers none of this.
The book treats
risk as an abstract notion that corporations "manage" through hypothetical
business processes. It reads like some sort of consulting report, with words
like: risk surveys,
criticality levels, rollout, risk appetite, silos, self assessment, fragmented
uncertainty, risk management maturity. I found it all quite tedious.
Okay, I'm being
harsh. The book may be useful. If you are thinking of implementing ERM, it will
be a good way to get your "feet wet" before plunging in and spending money on
consultants. [10/26/05]