Should Enterprise Risk Management (ERM), Internal Control, Compliance, and Internal Audit Be Separate or Combined?

Should Enterprise Risk Management (ERM), Internal Control, Compliance, and Internal Audit Be Separate or Combined?

If Internal Audit should remain independent, where should ERM, Internal Control, and Compliance report?

This is an important governance question with no one-size-fits-all answer.

One practical option is to combine ERM, Internal Control, and Regulatory Compliance into a single integrated second-line assurance function reporting to an executive with enterprise-wide oversight or an appropriately empowered executive to provide sufficient authority to challenge management decisions & influence risk-informed decisions. Such reporting that may be considered include the:

  • Company Secretary,
  • Chief Governance Officer,
  • Chief Risk Officer or
  • another appropriate executive provided that the reporting structure preserves sufficient objectivity and does not compromise Internal Audit’s independence.

The most appropriate reporting line should ultimately reflect the organization’s governance structure, regulatory expectations and operational realities.

Final Thoughts

Ultimately, the question is not simply whether these functions should be separated or combined.

The more important questions are:

  • Are the roles and responsibilities of each function clearly defined?
  • Are they adequately resourced with competent professionals?
  • Are the reporting lines appropriate to preserve accountability and independence?
  • Do the functions work collaboratively without compromising their respective mandates?
  • Are they effectively positioned to strengthen governance, improve organizational resilience, and create sustainable value?

These are the considerations that should guide every organization’s governance review, operating model, and assurance restructuring initiatives.

In my view, organizational effectiveness is driven not merely by how these functions are structured, but by the clarity of their mandates, the quality of their execution, the strength of their coordination, and the preservation of appropriate independence where required.

What has been your experience?

Should the ERM, Internal Control, Compliance and Internal Audit functions remain separate

or

Does a combined assurance model delivers better value?

Keep your reactions, comments and inquiries coming.

To read my other articles, check https://sallyogwookeyumahi.com/

#GRC

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *