“You can't control what you don't measure.” And you can't measure what you are not monitoring. From my earliest blogs, including Enterprise Risk Management: The Five-Course Meal, I have repeatedly chanted the need for risk reporting and monitoring as a key element of building and sustaining a healthy ERM program.

I am not alone. Particularly in the insurance industry, increasingly demanding regulators in the U.S., Europe and Asia, as well as rating agencies and savvy stockholders, are turning their attention to corporate adoption of ERM practices. They are, more than ever, expecting robust monitoring processes to manage risk, in all areas of an organization. Why is monitoring important?

The answer is easy: The best designed internal controls, such as thorough policy and procedure manuals, are useless if the company is not, in fact, adhering to those standards. Monitoring and reporting ensure compliance and help ward off potentially disastrous surprises.

But determining how monitoring should be conducted is not so easy. Monitoring costs money, and takes up other valuable resources – time, staff and technology. Risk and compliance professionals frequently struggle with the nitty-gritty details of monitoring, and worry that they are doing too much, or too little, testing.

They also want to ensure that they are performing the “right” tests, ones that will ultimately have a beneficial effect on control performance. Because each company's risk, control and compliance profile is unique, each company's ERM plan must outline company-specific monitoring processes, tailored to the distinctive risk appetite of that entity.

When working on ERM initiatives, risk practitioners may give high priority to risk assessment and analysis, or the control design phase of the effort. However, planning out a monitoring program should be given the same time, care and attention to detail.

To ensure a robust, effective ERM program, consider each of the following points to maximize your monitoring and reporting efforts.

What Exactly IS Monitoring?

Many people think of monitoring as a function related either to internal audit, such as the checking of financial records or controls; or compliance or legal tasks, like keeping abreast of new regulations. For ERM purposes, however, the definition is more expansive.

Monitoring is the regular testing, observation and recording or reporting of any activities taking place in a project or program. It is the systematic gathering of information on the whole, or parts, of a process or project, often as they are occurring.

Monitoring tends to be conducted by line-of-business staff, management or subject-matter experts. In contrast, auditing generally happens after the fact, and is usually done by third parties totally independent of the controls, policies or procedures being tested. Regular monitoring is a complement to frequent auditing, leading to earlier identification and resolution of control problems.

When designing an ERM program, monitoring needs to be considered on a large scale – planned and coordinated through many business areas, looking at all processes together, with much thought and detail. Just as companies look at risk and controls company-wide within their ERM program, monitoring of controls should be discussed group-wide.

Monitoring activities of one department may need to be identified, documented and prioritized, with their costs and benefits weighed, in light of similar testing in other departments. Reporting of monitoring activities should be as coordinated as possible, and any common tests rolled up into aggregated management information reports. There is also monitoring to be done of progress on the ERM program itself.

How Can Monitoring Activities Be Most Effective?

To be most useful, a monitoring test should pass some basic criteria. It should be:

  • Reasonably (if not perfectly) accurate;
  • Simple to implement and repeat on a routine basis; and
  • Designed narrowly enough to identify and measure specific controls that are used to mitigate risk.

A single test should not be too general, or try to address too many potential issues or control items.

Monitoring within an ERM program should further help answer some key risk questions:

  • Has the company identified all of its liabilities and weaknesses in a particular department or procedure? Sometimes new risks are found in the testing phase.
  • Are controls working as intended? If a test is poorly designed, it may not give a clear picture of whether a workflow is performing as planned.
  • If there are similar risks and controls in place in other departments, are the controls in one department working better or worse than those in other areas? This may indicate a potential problem with specific staff or training levels.
  • Do the written policies and procedures support internal controls thoroughly and clearly enough to allow parties outside of the department or day-to-day business function to understand the controls, and how they work? Is there sufficient documentation and transparency?

Other critical elements of a monitoring program include allocating responsibility to manage or carry out the testing, and setting review timeframes. Those responsible for testing processes should be of sufficient competence and experience not just to collect data, but to spot issues immediately and offer recommendations for change whenever possible.

Finally, monitoring activities should be reviewed at least annually, and preferably more often for more significant risk areas. This will help ensure timely adjustments to the program for changes in laws, regulations, company policies and procedures, and any new information affecting the ERM program.

How Much Testing Is Enough?

The frequency of monitoring for a given risk or control depends on a number of factors. The first consideration is the targeted risk's relative frequency and severity – controls related to more financially significant or frequent risks may naturally require more monitoring.

But this is just a starting point. The likelihood of regulatory impact if a control is not working, such as loss of license, fines, fees or penalties for non-compliance with a particular law, may also dictate regular tracking (even if the risk would not otherwise be considered financially material to the company). Other factors can include:

  • Whether the controls are wholly or partially automated, or primarily manual;
  • How long the controls have been in place (newer controls may require more monitoring as staff get accustomed to performing them);
  • How complex the control itself is to implement;
  • The costs and ease of testing the control (Is it relatively easy to perform, like peer or management review? Or does monitoring require specialized or technical skill?);
  • Whether control failures or breaches have been previously identified;
  • Potential impacts to controls caused by changes in business plans, staffing, and other changes in the company which may divert attention or resources dedicated to specific controls.

Industry best practices should also be considered. Do companies generally test “Procedure X” monthly, quarterly or annually? Professional colleagues in other companies, other risk management professionals, internal and external auditors, consultants, rating agencies, attorneys and even state regulators can be helpful sources to gauge whether your tracking efforts are reasonable, and at least meet any minimum accepted industry standards.

There is also no “one-size-fits-all” monitoring schedule for reviewing an entire ERM program plan. Each company must develop its ERM monitoring schedule in light of the company's resources and appetites for compliance risk.

What do the board of directors and audit or risk committees prefer for reports and disclosures? What staff and resources are dedicated to ERM, and how will they balance the need to monitor the ERM plan against performing other risk tasks?

The goal here is to at least have a specific monitoring plan, even if it is not always an ideal plan.

What Needs to be Reported?

The results of any monitoring and testing program are normally reported to multiple levels of stakeholders. What monitoring or compliance reports are going to be issued, when, and for what purpose, should be well documented in the ERM project plan.

For most recipients, reports will identify control successes and failures, in order to validate, or support a change to, specific company risk management procedures. They can also serve as back-up documentation for necessary corporate disclosures and departmental attestations.

For the senior management team or board of directors, however, reports also need to be detailed enough to ensure that the executives are carrying out their corporate governance responsibilities, and that their level of risk oversight is appropriate. To this end, reports to senior managers should, at a minimum:

  • Show the full range of material risks that the company has identified, particularly as relating to the company's strategic objectives;
  • Quantify risks as accurately as possible, highlighting any more serious or “high-priority” risks, and realistically measure their potential financial or reputational impact to the company; and
  • Document or explain the current risk profile in light of historical data or emerging issues, which can be accomplished, in part, by using standard formatting of reports over time.

To the extent possible, reports should also present findings in light of the organization's unique risk appetite and tolerances.

For example, it may be impractical for a company to state that it has a “zero tolerance” for customer complaints to state insurance departments. A reasonable “complaints” goal may be based on historical averages, industry averages or other factors. If an audit finding only shows that the number of complaints is 100 incidents per year, this data alone is not very helpful to further analysis. If the company has a historical average and expectation of 25 complaints per year, the current year data may now indicate problems or trends needing to be addressed.

Further, reports should answer why any key activity tested has failed, document the extent of the failure, and provide recommendations for fixing or improvement. This final follow-up step is crucial. Unaddressed failures can create unexpected liability if regulators or others determine that the company did not take measures to remediate failures, and ensure effective risk or compliance controls.

From Monitoring to Mastering

Creating a monitoring plan that best meets all of an organization's goals and concerns can be challenging. However, acknowledging the need for a documented, comprehensive monitoring plan is an important first step.

Regular tracking helps ensure that internal controls and procedures are working, and can uncover patterns, issues and trends that may indicate a larger or systemic problem, well before they would otherwise be identified in a less frequent formal audit process.

Incorporate monitoring procedures, timing, responsibilities and reporting into formal ERM programs, and update the plan as needed to reflect changes in the business strategy or environment. Measure and monitor your risk and controls, or they will control you.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.