Important new IFAC paper on risk management

With help from Grant Purdy, IFAC has published an excellent Thought Paper on risk management. From Bolt-on to Built-in: Managing Risk as an Integral Part of Managing an Organization.

This is one of the most important papers on risk management in recent years – not because it says something new, but because it (a) comes from this well-respected, global organization, (b) is contrary not only to many current practices but also to how guidance from several regulators is being interpreted, and (c) is expressed forcefully and eloquently.

The IFAC paper has a wealth of good advice. I can only excerpt portions because if I quoted everything of note, I would end up copying most of the document!

I encourage everybody to download and read the paper for themselves.

The theme is captured in this:

In some organizations the approach to management of risk and internal control has deviated from its original purpose: to support decision making and reduce uncertainty associated with achieving objectives. Instead, risk management in these organizations has become an objective in itself, for example, through the institution of a nonintegrated, stand-alone risk management function. This typically removes responsibility for the management of risk from where it primarily belongs: incorporated into line management. A separate risk management function, even though established with the best intentions, may hamper rather than facilitate good decision making and subsequent execution. Managing risk in an organization is everyone’s responsibility.

The paragraph makes some essential points:

  • Risk management (and the part of risk management that is internal control, as controls only exist to provide reasonable assurance that risk is at acceptable levels) is all about enabling informed, intelligent decisions
  • The overall purpose is to set and then achieve the right objectives
  • A separate risk management function often separates the consideration of risk from the running of the business – degrading rather than enhancing decision-making and organizational performance

IFAC continues the theme:

This Paper contends it is time to recognize that managing risk and establishing effective control form natural parts of an organization’s system of management that is primarily concerned with setting and achieving its objectives. Effective risk management and internal control, if properly implemented as an integral part of managing an organization, is cost effective and requires less effort than dealing with the consequences of a detrimental event. It also generates value from the benefits gained through identified and realized opportunities.

Risk management should not be separate from management processes. It is more than embedding the consideration of risk into management processes. It is an integral part of decision-making and running the enterprise.

This is stressed:

Risk management should never be implemented in isolation; it should always be fully integrated into the organization’s overall system of management. This system should include the organization’s processes for good governance, including those for strategy and planning, making decisions in operations, monitoring, reporting, and establishing accountability.

Note that risk management helps organizations select objectives and related strategies as well as enable optimal performance and achievement of the objectives. Risk management does not start after objectives are established, but before. “Setting objectives itself can be one of the greatest sources of risk.” IFAC explains that:

Risk management assists organizations in making informed decisions about:

  • objectives they want to achieve;
  • the level, nature, and amount of risk that they want to assume in pursuit of those objectives; and
  • the controls required to support achieving their objectives.

IFAC emphasizes that the management of risk is not for its own sake. It is to enable the achievement of the right objectives.

The main objective of an organization is not to have effective controls, nor to effectively manage risk, but to properly set and achieve its goals; to be in compliance and capable of managing surprises and disruptions along the way; and to create sustainable value. The management of risk in pursuit of these objectives should be an inseparable and integral part of all these activities.

In IFAC’s discussion of maturity, they say something that sounds very similar indeed to OCEG’s definition of GRC: “Effective risk management supports management’s attempts to make all parts of an organization more cohesive, integrated, and aligned with its objectives, while operating more effectively, efficiently, ethically, and legally.” (They continue with a very high-level example of a four-stage maturity model.)

I like how they say that the owner of the enterprise objective (responsible for performance against it) should also be the owner of related risks, not any risk officer:

As an organization’s risk is inextricably connected to its objectives, the responsibility for managing risk cannot lie with anyone other than the person who is responsible for setting and achieving those objectives.

Line management needs to accept its responsibility and not delegate risk management and internal control to specialized staff departments. Placing responsibility within the line also implies that staff or support functions should not, or no longer, be the “owner” of risk management in organizations. However, these support functions nevertheless play a crucial role in supporting line management in the effective management of risk.

There is a critical discussion of risk management flaws, with not only a list of the most serious but a table that compares good and bad practices. Some of the flaws they identify as serious are:

  • “Having a compliance-only mentality … ignoring the need to address both the compliance and performance aspects of risk management.”
  • “Treating risk as only negative and overlooking the idea that organizations need to take risks in pursuit of their objectives. Effective risk management enables an organization to exploit opportunities and take on additional risk while staying in control and, thereby, creating and preserving value.”

Some of you know that I am writing a book about world-class risk management. When it comes to risk reporting, I found the topic tough to write about because so many risk reports (and risk registers) are just a list of risks and their risk ‘levels’. They are not focused on how each of the enterprise’s objectives is affected. I will include this section as a quote because it gets it right and says it well:

As risk is the effect of uncertainty on achieving objectives, it would be inadvisable to manage risk without taking into account the effect on objectives. Unfortunately, in some organizations the linkage between the risks periodically reported to the board and the strategic objectives that are most critical to the long-term success of the company is at best opaque and at worst, missing completely. As a consequence, risk is insufficiently understood or controlled, even though the organization devotes some attention and resources to the management of risk. Risk management without taking into account the effects on objectives is thus ineffective.

Let me close this post with a quote from Unilever that is included in the IFAC document:

“At Unilever, we believe that effective risk management is fundamental to good business management and that our success as an organization depends on our ability to identify and then exploit the key risks and opportunities for the business. Successful businesses take/manage risks and opportunities in a considered, structured, controlled, and effective way. Our risk management approach is embedded in the normal course of business. It is ‘paper light—responsibility high.’ Risk management is now part of everyone’s job, every day! It is no longer managed as a separate standalone activity that is ‘delegated to others.’”

What do you think? I welcome your comments.

By the way, I hope those involved in the COSO ERM update, as well as those working on an update of the ISO 31000:2009 global risk management standard, pay attention. IFAC has proved that accountants can publish excellent guidance on risk management!

  1. Alan Proctor
    May 9, 2015 at 11:54 AM

    All good stuff but the last corporation I witnessed actively manage risk (outside of regulatory requirements) as described in the paper was Tosco Oil. Guess who the Auditor General was there?

  2. Helen
    May 9, 2015 at 1:11 PM

    Excellent stuff!

  3. ravi kulkarni
    May 10, 2015 at 1:18 PM

    With this article, I honestly have become a big-time fan follower of Mr. Norman Marks.

  4. John Vendel
    May 10, 2015 at 3:43 PM

    I enjoyed the article and agree that organisations that consider Risk Management as a stand-alone function fail to obtain the advantages that embedded risk management has in enabling the company’s objectives. However, there is a need to balance empowerment of individuals to manage risk and appropriate training, reporting and governance.

  5. May 10, 2015 at 9:58 PM

    Agree totally with you, Ravi; the last two articles I read from Mr Marks have been truly thought-leading.

  6. Patrick
    May 11, 2015 at 12:00 AM

    It is totally in line with the vision of risk management we do have for our company. The challenge remains in convincing line management and senior executives to be systematic when they define objectives and assess and manage associated risks and opportunities. Stating that they are responsible and accountable for risk management does not necessarily say that they can naturally do it.
    Thanks Mr. Marks for having shared this document and thanks to my colleague who forwarded your post to me.

  7. May 11, 2015 at 7:04 AM

    Norman, thank you for sharing this document.

    Out of curiosity, why do you think companies decided to create a separate function instead of evolving business processes to embed risk management practices throughout the organization and have risk naturally managed at the process level?

    • Norman Marks
      May 11, 2015 at 7:07 AM

      Larry, I think there are several drivers:
      – The prior existence of risk managers who ran insurance and were assigned ERM
      – The perception that this is an add-on, compliance requirement
      – The influence of consultants
      – The influence of regulators
      – The opportunity to give it to internal audit. They, in turn, either retained it or helped management set up a risk office
      – The failure to link risk and performance management – an inability to see how risk enables better decisions and should be owned by operating management

  8. Arnold Schanfield
    May 11, 2015 at 9:26 AM

    I agree with your commentaries Norman on the document and remarks. I disagree strongly with your last remark that COSO ERM and related parties including ISO creators should pay attention because accountants have in fact stepped up to the plate. No, this is not the solution. The solution I laid out in prior blogs is that folks such as members of the IIA should withhold their training dollars from the IIA and instead spend these dollars with credible organizations such as the IRM, except now there is an excellent training organization in this country (USA) especially. Individuals should plunk down some bucks and attend one of your training sessions from which they will learn much and then buy your book. This is how the population will become educated: first by attending your course and then by putting pressure on organizations putting minutiae into the marketplace.

    It is very difficult to change bad habits when greed is a factor. We have known for quite some time about the limited nature of documents on risk emanating from the IIA and COSO and have tried in so many ways to be helpful to help them change, and they have resisted all efforts. They don’t understand this field and do not want to change what they are doing. So the way you get change is to get to the masses as you are doing and the regulatory authorities, just as this paper from the IFAC is doing/will accomplish. The organization and individual involved were willing to listen and put egos aside and did not have the millions of marketing invested in the wrong products to deal with. As I have stated repeatedly for at least 5 years, this will not end well for COSO.

    They will change or change will be forced on them and if they desire to change, they will need help from those that truly understand this field.

  9. May 12, 2015 at 2:20 AM

    Hi Norman

    Credit for this very helpful IFAC publication should go firstly to Vincent Tophoff, who has been the main author. While Vincent had help from his committee and sought suggestions from me and Grant Purdy, it was Vincent who put it all together so well, and added his own innovative ideas.

    I particularly like the fact that he has avoided two of the biggest problems with risk guidance at the moment, which are: 1) the abstract, isolated ‘risk management process’ and 2) endless references to ‘risks’. The combined effect of these has been to push many users towards risk register workshops rather than towards managing risk as an integral part of well designed management methods.

    Instead, Vincent has given advice at each stage of a recognizable decision-making process that is not just a decision about a risk response. This is a much better way to go.

    By avoiding the usual writing mistakes and giving advice on a recognizable management thought process Vincent has made a much more powerful case for integral RM.

    Matthew Leitch

  10. Erdal
    May 12, 2015 at 9:04 AM

    I wonder who would establish the context of risk management in a company where there is no separate risk function. Of course it is the line management’s duty to MANAGE risks, but the risk function exists to support them. All the arguments I heard against separate risk functions can be used also against human resources departments or finance departments or quality departments etc. These functions are SUPPORT functions and they all evolved due to necessities.

  11. Dennis Webbers
    May 12, 2015 at 11:18 PM

    Hi Norman,

    Many thanks for bringing this IFAC Publication to my attention. I remember talking to a CAE of a large insurance company who indicated that the Risk Management function is a temporary phenomenon anyway. Once businesses understand and implement the general idea, which is so eloquently reflected in the IFAC paper, the Risk Management function may cease to exist. Interesting thought!

    Best regards,
    Dennis Webbers

  12. Steve Ulmer
    May 17, 2015 at 2:04 PM

    What I found interesting is the term “risk appetite” is not used anywhere in this report (nor is “risk tolerance”). The report from the IFAC seems to me to be a back to basics document.

    I have struggled with defining or explaining the concept of “risk appetite.” Sure there is a lot written about it, but there doesn’t seem to be anything approaching a consensus about how to apply the concept so it is clear and relevant.

    Michael Power in his great paper entitled “The Risk Management of Nothing” has a very interesting quote:

    “In summary: the concept of ‘risk appetite’ has been promoted as part of the widespread diffusion of ERM, yet understanding of the concept and its implications is weak relative to the more bureaucratic elements of the framework. COSO and similar risk management texts presume that risk appetite can be unambiguously known and understood by organizations and the individuals within them. Yet, such a presumption flies in the face of behavioural

    It will be interesting to see how COSO addresses this issue in their update to the ERM Framework.

  13. Mike Corcoran
    May 21, 2015 at 7:27 PM

    Absolutely nothing new here. Just another article and professional organization repeating what we already know. With CEO turnover on average at 3 years — good luck!

    • Norman Marks
      May 22, 2015 at 3:46 AM

      Mike, while you and several others who have posted here may understand this, just look at general practice! It is so different, with risk being managed in silos by CROs who police decision-making by management.

      Every time we see a reputable, influential body publish advice that should be taken, even if it is not new, we should encourage them rather than disparage them.

      How else can we help move practice forward?

  14. Mike Corcoran
    May 21, 2015 at 8:21 PM

    Objective-centric thinking has been around for quite a while and is what I learned/discovered when I started my career with AA&CO. Unilever has it wrong and it started when they were heavily quoted during the Cadbury reforms that no one seems to remember in the UK. It is not about risk management! It is about creating value by solving society’s needs, business problems and yes, wants. I have advocated for so many years value creation and preservation thinking, which challenges leaders inside a company to stand up to the BOD and CEO to invest in people and technology versus short-term exploitation (Unilever mantra) and sending cash out of the organization (dividends to pension schemes) because they are inept at generating greater returns. There are those that garden to reap an annual harvest and those that invest to feed those in greater need and perhaps with good ideas, close to ideals. This notion of risk management, well, just perpetuates the same old thing.

    • May 22, 2015 at 12:13 AM

      As a piece of writing about risk management, IFAC’s paper is a significant step forward. Yes, I know there’s a lot in there that is very familiar. Almost everyone thinks that risk should indeed be managed within core management activities and not be some kind of separate process. That’s obvious and not new.

      The key point, however, is that in this publication they have dropped the identify-assess/evaluate-treat process applied to ‘risks’ that has become a fixture in recent years, and instead talked about a recognizable decision process (not just one about ‘risks’) and given more specific advice on how to do it.

      That in itself is also not new because advice on decision-making has done this many times before.

      What is new is that this advice has been presented as risk management advice and comes from an organization that would usually just repeat the identify-assess/evaluate-respond material. IFAC is showing the way to other organizations like it, and to the ISO committee.

      There’s a long way to go to fully reform guidance on risk management but this document is a significant step because it shows the way forward to organizations that previously have been going down a blind alley. IFAC is also the sort of organization that is more likely to influence regulators, including those that set rules for listed companies.
