The International Federation of Accountants (IFAC) has published a first-class document, Enabling the accountant’s role in effective enterprise risk management.
While it is focused on accountants, primarily in Finance, the explanation of the value and purpose of enterprise risk management should be required reading for boards, executives, and practitioners as well.
Frankly, I wanted to excerpt half the booklet, but here are some of the more valuable portions with highlights by me.
To add value, accountants [and the rest of us – ndm] need to be seen as risk experts who are outward-looking and provide valuable insights to manage risk in a way that supports their organizations in responding to uncertainty and achieving their objectives.
Business requires taking risks and seizing opportunities to achieve success.
The accountant’s [and everybody else – ndm] primary role in ERM is not solely to mitigate risk, but to promote and facilitate effective risk and opportunity management in support of value creation and preservation over time. This involves being focused on the benefits of intelligent risk-taking in addition to the need to mitigate and control risk.
ERM requires information and analysis that may indicate success or failure, and support decisions around potential courses of action.
The need for effective ERM has never been greater as organizations navigate complex and interconnected risks to their business models and operations.
The reality is that risk management is underdeveloped in many organizations; a reactive approach to risk management is currently the norm. Risk management is typically siloed rather than seen as a core competence and strategic asset. Consequently, risk management processes are ineffective and inefficient and not seen as adding value to decision making and responding to uncertainty.
To be effective partners and contributors to an organization, accountants need to understand the principles of risk management and how they can be implemented to manage opportunities and threats as part of the existing planning and control management cycle.
A challenge in effectively managing risk is that risk oversight and management are poorly understood, resulting in different interpretations and approaches, which depend on personal experiences, organizational role, and sector. For example, in financial services, or in managing financial performance, the measurement and assessment of risk has been a predominantly quantitative exercise designed to avoid loss or fraud. Since the financial crisis, this approach is recognized as being too narrow to adequately inform decisions and manage uncertainty. In other sectors, specific challenges such as health and safety or digital and cyber risk are predominant risk areas which ultimately shape the overall approach to managing risk.
The challenge that arises with applying risk management activities solely through a lens of risk mitigation is that it increases cost with little benefit to the organization’s resilience and success.
Risk management should sit at the heart of every organization. Effective risk management requires different parts of an organization and multiple processes to come together to understand collectively how the organization is exposed to uncertainty, and how this uncertainty may undermine the achievement of business objectives, and the opportunities for growth and innovation. It is about ensuring an organization is safe and resilient, but that it also continues to thrive.
Risk management is therefore fundamentally about making decisions in the context of uncertainty. It involves understanding the past, present and possibilities for the future. ERM processes involve identifying, assessing, and treating uncertainty and related risks and opportunities that could affect the outcomes of an organization’s objectives.
Ultimately, ERM gives the board and managers a better understanding of how risk affects the voice of strategy. It also provides confidence that all levels of the organization are attuned to the risks that can impact strategy and performance, and that these are proactively being managed.
An effective contribution to ERM involves enabling decisions and driving insights to decision makers. There are various elements to better supporting decisions in risk management. More informed risk-taking and decision-making requires high quality information about opportunities and risks and their implications. Ultimately, high-quality information is crucial to good decision making as it reduces uncertainty – and can support a higher risk appetite where appropriate.
The guidance misses one important piece of advice that I would share with any CFO (or board member, CEO, and practitioner).
That advice is that leaders of the organization, such as the CFO, need to lead everybody to understand risk management the way it is discussed by IFAC.
I welcome your thoughts.