ACCA continues to contribute to risk management literature

I want to recommend this paper (available from my LinkedIn profile, as usual) from the ACCA.

It contains a wealth of useful information, not only on its major theme (tempering the pursuit of profit), but on other aspects such as risk culture – a favorite topic of mine.

On page 33, they have a list of what comprises effective risk management:

• Understanding the control environment, including the competence of the board and staff, the culture, key motivators and the ethical climate.
• Understanding the company’s strategy and purpose and the associated risks.
• Understanding of the business model, the value drivers, the systems and their associated risks.
• Balancing risk against reward.
• Efficient business processes, including management and financial reporting systems.
• Compliance with relevant requirements.
• An appreciation that risk management is not about managing individual risks, but about understanding patterns of risk and how they are interrelated.
• Understanding all the significant risks threatening, or potentially threatening the company, including those which might kill it.
• The board and the company’s attitude to risk and their willingness to accept it.
• The ability to manage risks so they are within limits of acceptability.
• A process of feedback involving monitoring and learning, so that strategic and other key decisions are taken only where the risks are understood and acceptable.
• In any complex large organisation, an independent assurance function that gives objective assurance, to the board or the non-executive directors, on each of the above elements.
• The board having ownership of, and strong commitment to, risk management, including a clear understanding of the above elements.

This is an interesting list, and I would only differ in emphasis on the first three. I don’t believe it is sufficient simply to “understand” these factors.

• The control environment (they are referring to the layer in the COSO internal control framework of the same name) needs to be more than understood – it needs to be effective. I would have preferred reference to the equivalent layer in COSO enterprise risk management framework: the internal environment
• Risks and strategy need to be linked, and then managed together – a more active activity than simply understanding strategies and related risks
• The business model and drivers are critical to an effective risk management. In my opinion, the effectiveness of a risk management program is in large part measured by its contribution to the consistent achievement of business strategies and the enhancement (or at least protection) of business value

The paper says that an independent assurance function (such as internal audit) is necessary in “any complex large organisation”. I agree, and suggest that it may be necessary in smaller or less complex organizations as well.

This earlier post on evaluating the effectiveness of a risk management program, and this post about a UK framework for assessing risk management, may be useful.