**5. The Internal Auditor (IA) and the Internal Control (IC) and Risk Management System (ERM)**

The Internal Control (IC) and Risk Management System (ERM) consists of the processes executed by the Board of Directors, managers and other corporate structure entities to: i) provide reasonable assurance on the reliability of the financial statement figures; ii) achieve compliance with organisational conduct, i.e. compliance with the laws and regulations in force; and iii) achieve greater awareness of business risks and allow continuity in achieving operational efficacy and efficiency objectives [17]. The Internal Control and Risk Management System is essentially represented by the lines of action and by the system of controls and procedures adopted by management to achieve the efficient and orderly conduct of corporate activities, basing choices on reliable data and consciously monitoring the significant risks. The internal control system must be seen as the process put in place by the company to obtain reasonable assurance that the corporate goals will be achieved. It supports the company in identifying and analysing the risks connected with achieving those goals, and it allows management to stay focused on the business and achieve its objectives in compliance with the regulations. It is, in short, made up of the rules, procedures and organisational structures aimed at allowing the identification, measurement, management and constant verification of the main company risks.

More specifically – focusing on the issue of risk and therefore on the Enterprise Risk Management model – it ensures that the directors have activated an appropriate process to define business and governance objectives which are consistent with the corporate mission and are in line with the levels of risk appetite (i.e. the overall exposure to risk the organisation is willing to accept) and acceptable risk (the residual risk that remains satisfactory after mitigation measures for the individual risk situations). It is divided into three phases: identification of events, risk assessment and identification of the response to the risk itself. The ERM supports the organisation in identifying the risks associated with the adopted strategy and, if necessary, with alternative strategies. In assessing the potential risks that can arise from a specific strategy, the underlying critical assumptions are considered. The risk management process monitors and provides valuable information on changes in those assumptions and their effect on achieving the strategy. Pursuing any strategy entails risk that can change depending on the dynamics of the context. At times the risk is so significant that an organisation may want to review the strategy chosen or possibly replace it with another one characterised by a more appropriate risk profile.

In most Italian family SMEs – but not only Italian ones – the system described above is not implemented at all, or its implementation is insufficient or self-referential.

In this regard, the introduction of the IC-Code represents a considerable element of discontinuity, because imposing significant external controls on these entities means forcing them to put their administrative and accounting processes in order or to strengthen them. Undoubtedly, in many cases this cannot but lead to a greater focus on the internal control system, and therefore to the introduction of figures with skills typical of Internal Auditors – initially perhaps outsourced, and later internal – into their staff.

The introduction of a risk mapping and assessment process takes on particular relevance in small and medium enterprises, as it allows them to make more informed decisions. In fact, the risks identified must be analysed and ranked in terms of importance, thus allowing management to focus on those that have a higher probability of occurring in the future and a greater impact. This also allows enterprises to define structured, rather than ad hoc, responses to each identified risk. A risk can be accepted if it is in line with the sustainable level of risk; it can be avoided; it can be transferred to third parties, say through an insurance policy; it can be reduced with interventions using the internal control system; or, finally, it can be shared through partnership agreements that reduce the impact should the negative event occur.

What should be noted is the fact that the proper operation of the Internal Control (IC) and Risk Management System (ERM) involves several corporate governance parties (**Figure 1**) [20].

The first party in the system is the Board of Directors, which has an interest in basing its decisions on robust data. To best achieve this purpose, it is useful that a Control and Risk Committee composed of non-executive and independent directors (IA) is identified within the board itself, when possible and considering the size of the board in an SME, with the task of supporting, with appropriate preliminary activities, the Board of Directors' assessments and decisions. Tailoring the issue to family SMEs, we can say that the simple introduction of a sole independent director in SMEs can have a considerable impact in this regard.

#### **Figure 1.**

*Map of relevant administration and control roles in a going concern situation.*

#### *Corporate Governance and ERM for SMEs Viability in Italy DOI: http://dx.doi.org/10.5772/intechopen.96688*

Secondly, especially in cases where it is not possible to set up committees within the Board of Directors, the figure of the Internal Auditor (IA) is primary. Once identified, he or she assumes a central role in the internal control process as the main person responsible for the implementation, operation and monitoring of the system itself. He or she must be included in the company's organisational chart directly under the Board of Directors, as he or she reports directly to the Board and is responsible for verifying that the Internal Control (IC) and Risk Management System (ERM) is appropriate and that, consequently, the accounts and the information made available in general are complete and reliable. As mentioned above, it is precisely this figure that, in our opinion, will take on significantly greater importance with the introduction of the new IC-Code regulations.

Thirdly, of course, the Board of Statutory Auditors is an active party in the Internal Control and Risk Management System, albeit from a different vantage point, namely with a senior role within the control system. As mentioned above, the Board of Statutory Auditors oversees the appropriateness of the organisational structures, and therefore also the effectiveness of the internal control and ERM, by interfacing with the Board and the Internal Auditor. It should be underlined that this role is explicitly recognised in the new 2020 Italian Corporate Governance Code.

Finally, it should be added that, if present, the external Auditor too will appreciate the setting up of an effective Internal Control and Risk Management System, as it will allow them to reduce detailed analyses by relying mainly on walk-through procedures and consistency checks in pursuit of their objectives.

#### **6. Monitoring ESG risks in SMEs**

It is worth noting that in October 2018 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed, in collaboration with the World Business Council for Sustainable Development (WBCSD), the guidelines "Environmental, Social & Governance - Enterprise Risk Management. Applying enterprise risk management to environmental, social and governance related risks" for the application of Enterprise Risk Management also to Environmental, Social & Governance risks (hereinafter "ESG risks").

ESG risks concern the following issues: environmental, such as climate change, pollution and the protection of natural resources; social, such as the defence of human rights and working conditions or relations with local communities; governance, such as remuneration policies, the composition of the board of directors, control procedures and conduct in terms of compliance with laws and ethics.

In recent years, media and investor attention on environmental and social issues has increased considerably, making it more and more important to manage these risks, also in view of increasingly ESG-oriented national and international legislation. Institutional investors themselves are showing increasing interest in responsible investment and in the way companies are addressing social and environmental changes to achieve long-term, sustainable growth. ESG has also been addressed at the regulatory level. This is the framework of Legislative Decree 254/2016 which, by introducing "non-financial reporting", requires companies – albeit currently only large, listed ones – to disclose annually, among other aspects, the risks and policies adopted in the environmental, social, personnel, human rights and anti-corruption fields. It is our opinion that the spread of a general and shared focus on these issues is set to bring them into SMEs' reporting and language. The process of integrating ESG issues into these settings will probably be more gradual and, as usual, will initially proceed on a voluntary basis by following the reference benchmark represented by listed companies.

However, the increasing disclosure of ESG issues highlights the lower attention paid to ESG risk management, even in larger companies, compared with the concern devoted to the more closely examined operational, strategic and financial risks.

According to the World Business Council for Sustainable Development (WBCSD), the main reasons for this are: i) the difficulty of quantifying ESG risks in monetary terms, as they are long-term risks with uncertain impacts; ii) the lack of knowledge of the ESG risks which characterise a company and the scarcity of cross-functional collaboration between the risk manager and those dealing with sustainability; iii) the fact that ESG risks are often managed by a team of specialists and seen as separate from, or at least less important than, strategic, operational and financial risks.

The COSO [24] and WBCSD Guidelines therefore propose the redesign of the following specific objectives:


It is our opinion that these are valuable indications, necessary for an effective assessment of business viability. They can therefore be addressed when SMEs are called upon to implement new or renewed internal control and risk management systems to take account of the IC-Code indications. It is worth noting that the Italian Organism Business Reporting (OIBR) has recently set up a Study Group to assess the inclusion of non-financial indicators, including ESG, among the parameters for assessing and identifying corporate crises for the early-warning purposes provided for by the IC-Code.
