The target group for these guidelines is organisations that would like to either establish an Enterprise Risk Management function or develop their existing risk management function further. The principles in this guidance may also be useful for organisations without a discrete Enterprise Risk Management function, but where responsibility for Enterprise Risk Management is assigned to another function with enterprise-wide responsibility.
The main motivation for internal auditors’ involvement in defining what is good practice for Risk Management is that Enterprise Risk Management has developed over the last 15 to 20 years to become a vital element in good corporate governance. Unlike the profession of internal auditing, which has had a unifying global body defining principles and standards, the Institute of Internal Auditors (founded in 1941), there is currently no equivalent worldwide body representing the profession of Enterprise Risk Management.
In the Nordic and Baltic countries, the profession is characterised by a number of formal and informal associations, some of which are members of a European representative body, FERMA. The primary aim of this good practice guideline is therefore twofold: first, to set a common benchmark which it is believed may strengthen the development of the risk management profession in the Nordic and Baltic countries, and second, to help the internal audit function discharge more effectively its responsibility according to the professional standard requirement that “the internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes”.
The “Good Practice Guidelines for the Enterprise Risk Management function” has been developed by a steering group drawn from the institutes of internal auditors for the Nordic and Baltic countries.