Important new IFAC paper on risk management
With help from Grant Purdy, IFAC has published an excellent Thought Paper on risk management, titled From Bolt-on to Built-in: Managing Risk as an Integral Part of Managing an Organization.
This is one of the most important papers on risk management in recent years – not because it says something new, but because it (a) comes from this well-respected, global organization, (b) is contrary not only to many current practices but also to how guidance from several regulators is being interpreted, and (c) is expressed forcefully and eloquently.
The IFAC paper has a wealth of good advice. I can only excerpt portions because if I quoted everything of note, I would end up copying most of the document!
I encourage everybody to download and read the paper for themselves.
The theme is captured in this:
In some organizations the approach to management of risk and internal control has deviated from its original purpose: to support decision making and reduce uncertainty associated with achieving objectives. Instead, risk management in these organizations has become an objective in itself, for example, through the institution of a nonintegrated, stand-alone risk management function. This typically removes responsibility for the management of risk from where it primarily belongs: incorporated into line management. A separate risk management function, even though established with the best intentions, may hamper rather than facilitate good decision making and subsequent execution. Managing risk in an organization is everyone’s responsibility.
The paragraph makes some essential points:
- Risk management (and the part of risk management that is internal control, as controls only exist to provide reasonable assurance that risk is at acceptable levels) is all about enabling informed, intelligent decisions
- The overall purpose is to set and then achieve the right objectives
- A separate risk management function often separates the consideration of risk from the running of the business – degrading rather than enhancing decision-making and organizational performance
IFAC continues the theme:
This Paper contends it is time to recognize that managing risk and establishing effective control form natural parts of an organization’s system of management that is primarily concerned with setting and achieving its objectives. Effective risk management and internal control, if properly implemented as an integral part of managing an organization, is cost effective and requires less effort than dealing with the consequences of a detrimental event. It also generates value from the benefits gained through identified and realized opportunities.
Risk management should not be separate from management processes. It is more than embedding the consideration of risk into management processes. It is an integral part of decision-making and running the enterprise.
This is stressed:
Risk management should never be implemented in isolation; it should always be fully integrated into the organization’s overall system of management. This system should include the organization’s processes for good governance, including those for strategy and planning, making decisions in operations, monitoring, reporting, and establishing accountability.
Note that risk management helps organizations select objectives and related strategies as well as enable optimal performance and achievement of the objectives. Risk management does not start after objectives are established, but before. “Setting objectives itself can be one of the greatest sources of risk.” IFAC explains that:
Risk management assists organizations in making informed decisions about:
- objectives they want to achieve;
- the level, nature, and amount of risk that they want to assume in pursuit of those objectives; and
- the controls required to support achieving their objectives.
IFAC emphasizes that the management of risk is not for its own sake. It is to enable the achievement of the right objectives.
The main objective of an organization is not to have effective controls, nor to effectively manage risk, but to properly set and achieve its goals; to be in compliance and capable of managing surprises and disruptions along the way; and to create sustainable value. The management of risk in pursuit of these objectives should be an inseparable and integral part of all these activities.
In IFAC’s discussion of maturity, they say something that sounds very similar indeed to OCEG’s definition of GRC: “Effective risk management supports management’s attempts to make all parts of an organization more cohesive, integrated, and aligned with its objectives, while operating more effectively, efficiently, ethically, and legally.” (They continue with a very high-level example of a four-stage maturity model.)
I like how they say that the owner of the enterprise objective (responsible for performance against it) should also be the owner of related risks, not any risk officer:
As an organization’s risk is inextricably connected to its objectives, the responsibility for managing risk cannot lie with anyone other than the person who is responsible for setting and achieving those objectives.
Line management needs to accept its responsibility and not delegate risk management and internal control to specialized staff departments. Placing responsibility within the line also implies that staff or support functions should not, or no longer, be the “owner” of risk management in organizations. However, these support functions nevertheless play a crucial role in supporting line management in the effective management of risk.
There is a critical discussion of risk management flaws, with not only a list of the most serious but a table that compares good and bad practices. Some of the flaws they identify as serious are:
- “Having a compliance-only mentality … ignoring the need to address both the compliance and performance aspects of risk management.”
- “Treating risk as only negative and overlooking the idea that organizations need to take risks in pursuit of their objectives. Effective risk management enables an organization to exploit opportunities and take on additional risk while staying in control and, thereby, creating and preserving value.”
Some of you know that I am writing a book about world-class risk management. When it comes to risk reporting, I found the topic tough to write about because so many risk reports (and risk registers) are just a list of risks and their risk ‘levels’. They are not focused on how each of the enterprise’s objectives is affected. I will include this section as a quote because it gets it right and says it well:
As risk is the effect of uncertainty on achieving objectives, it would be inadvisable to manage risk without taking into account the effect on objectives. Unfortunately, in some organizations the linkage between the risks periodically reported to the board and the strategic objectives that are most critical to the long-term success of the company is at best opaque and at worst, missing completely. As a consequence, risk is insufficiently understood or controlled, even though the organization devotes some attention and resources to the management of risk. Risk management without taking into account the effects on objectives is thus ineffective.
Let me close this post with a quote from Unilever that is included in the IFAC document:
“At Unilever, we believe that effective risk management is fundamental to good business management and that our success as an organization depends on our ability to identify and then exploit the key risks and opportunities for the business. Successful businesses take/manage risks and opportunities in a considered, structured, controlled, and effective way. Our risk management approach is embedded in the normal course of business. It is ‘paper light—responsibility high.’ Risk management is now part of everyone’s job, every day! It is no longer managed as a separate standalone activity that is ‘delegated to others.’”
What do you think? I welcome your comments.
By the way, I hope those involved in the COSO ERM update, as well as those working on an update of the ISO 31000:2009 global risk management standard, pay attention. IFAC has proved that accountants can publish excellent guidance on risk management!