Fraser I & Henry W (2007) Embedding risk management: Structures and approaches. Managerial Auditing Journal, 22 (4), pp. 392-409. http://www.scopus.com/inward/record.url?partnerID=yv4JPVwI&eid=2-s2.0-34247146355&md5=5ef9ff4f1fa2574a9fcd8aaa4dd96be2; https://doi.org/10.1108/02686900710741955
Purpose - The paper aims to report research into ways by which companies identify risks and embed risk management and control procedures and also to report on interactions between internal audit and audit committees and their contributions to risk management.
Design/methodology/approach - The first section of the paper comprises a review of the literature on risk management and the roles played by internal audit and audit committees. The paper then reports the results of a series of interviews with officers in UK plcs and external auditors on the issues identified from the literature.
Findings - There was agreement that, while parent boards have ultimate responsibility, the ownership of risks must reside with management at lower levels. Companies tended to adopt a multi-procedural approach to developing consistent risk management procedures. Internal auditors were believed to have a role to play but concerns were expressed about expertise and independence. The paper recommends a split of the internal audit and risk management functions to preserve internal audit independence and clarify internal audit roles. Audit committees are increasingly involved in risk management but there are doubts as to whether they have the time and expertise to undertake more than high-level risk reviews. The paper, therefore, recommends that separate risk committees should be established to direct risk management, with audit committees adopting a watching brief over the process.
Originality/value - The Turnbull Report emerged against a background of growing demand for assurance on risk management and control effectiveness and the approach adopted has been endorsed by the Turnbull Review Group. This paper is a timely evaluation of the work being done by UK plcs in this area and indicates that there are issues to be resolved before risk management is fully embedded in company operations.
Risk management; Internal auditing; Audit committees
Managerial Auditing Journal: Volume 22, Issue 4