Excellent advice for all of us involved in managing risk

The International Federation of Accountants (IFAC) has published a first-class document, Enabling the accountant’s role in effective enterprise risk management.

While it is focused on accountants, primarily in Finance, the explanation of the value and purpose of enterprise risk management should be required reading for boards, executives, and practitioners as well.

Frankly, I wanted to excerpt half the booklet, but here are some of the more valuable portions with highlights by me.

To add value, accountants [and the rest of us – ndm] need to be seen as risk experts who are outward-looking and provide valuable insights to manage risk in a way that supports their organizations in responding to uncertainty and achieving their objectives.

Business requires taking risks and seizing opportunities to achieve success.

The accountant’s [and everybody else – ndm] primary role in ERM is not solely to mitigate risk, but to promote and facilitate effective risk and opportunity management in support of value creation and preservation over time. This involves being focused on the benefits of intelligent risk-taking in addition to the need to mitigate and control risk.

ERM requires information and analysis that may indicate success or failure, and support decisions around potential courses of action.

The need for effective ERM has never been greater as organizations navigate complex and interconnected risks to their business models and operations.

The reality is that risk management is underdeveloped in many organizations; a reactive approach to risk management is currently the norm. Risk management is typically siloed rather than seen as a core competence and strategic asset. Consequently, risk management processes are ineffective and inefficient and not seen as adding value to decision making and responding to uncertainty.

To be effective partners and contributors to an organization, accountants need to understand the principles of risk management and how they can be implemented to manage opportunities and threats as part of the existing planning and control management cycle.

A challenge in effectively managing risk is that risk oversight and management are poorly understood, resulting in different interpretations and approaches, which depend on personal experiences, organizational role, and sector. For example, in financial services, or in managing financial performance, the measurement and assessment of risk has been a predominantly quantitative exercise designed to avoid loss or fraud. Since the financial crisis, this approach is recognized as being too narrow to adequately inform decisions and manage uncertainty. In other sectors, specific challenges such as health and safety or digital and cyber risk are predominant risk areas which ultimately shape the overall approach to managing risk.

The challenge that arises with applying risk management activities solely through a lens of risk mitigation is that it increases cost with little benefit to the organization’s resilience and success.

Risk management should sit at the heart of every organization. Effective risk management requires different parts of an organization and multiple processes to come together to understand collectively how the organization is exposed to uncertainty, and how this uncertainty may undermine the achievement of business objectives, and the opportunities for growth and innovation. It is about ensuring an organization is safe and resilient, but that it also continues to thrive.

Risk management is therefore fundamentally about making decisions in the context of uncertainty. It involves understanding the past, present and possibilities for the future. ERM processes involve identifying, assessing, and treating uncertainty and related risks and opportunities that could affect the outcomes of an organization’s objectives.

Ultimately, ERM gives the board and managers a better understanding of how risk affects the voice of strategy. It also provides confidence that all levels of the organization are attuned to the risks that can impact strategy and performance, and that these are proactively being managed.

An effective contribution to ERM involves enabling decisions and driving insights to decision makers. There are various elements to better supporting decisions in risk management. More informed risk-taking and decision-making requires high quality information about opportunities and risks and their implications. Ultimately, high-quality information is crucial to good decision making as it reduces uncertainty – and can support a higher risk appetite where appropriate.

The guidance misses one important piece of advice that I would share with any CFO (or board member, CEO, and practitioner).

That advice is that leaders of the organization, such as the CFO, need to lead everybody to understand risk management the way it is discussed by IFAC.


I welcome your thoughts.

  1. January 9, 2019 at 5:17 PM

    I am very surprised you think this is good. This thinking is so old.

    • Norman Marks
      January 9, 2019 at 5:43 PM

      Old stuff can still be good – and it’s way ahead of practices!

    • January 10, 2019 at 1:34 AM

      Michael, The thinking may be old – but look around you in business. It is far from the standard application of risk management. Hence, there is still a need to promote this to elevate the intelligent risk-taking and hence competitiveness of companies.

      There is still a significant “first mover advantage” to be captured.

  2. Gary Lim
    January 9, 2019 at 8:31 PM

    Hi Norman, I think it is good stuff, maybe not in developed countries where there are constant changes to terminology etc., which in my view can be confusing for beginners. Developing countries should go for this “old stuff” and it would be a good start. In Malaysia all Public Listed Companies must declare in the Annual Report their Risk Management activities; what is written for the public is very different at the back end, nothing done at all. If yes, it is the Internal Controls under Audit Com which is well entrenched, inherited from the colonial days.

  3. January 10, 2019 at 12:53 AM

    Excellent summary Norman and good document. A bit odd that there is still focus on risk and opportunity management, as opposed to just management, pretending that we somehow need to manage risks and opportunities separately. And no idea why they cling to ERM instead of just management or just decision making, but I guess one step at a time.

  4. January 10, 2019 at 10:06 PM

    Hi, good read definitely, can you suggest some best practices to ensure high quality information gathering at the beginning of the risk management process, please?

    • Norman Marks
      January 11, 2019 at 5:39 AM

      My advice is to figure out what decision-makers, including but not limited to the board, need. In my experience, they manage to objectives and need to know what might happen and how it would affect their achievement. It’s not about developing a so-called list of top risks.

  5. Stathis Gould
    January 11, 2019 at 4:23 AM

    Thank you Norman for highlighting this report and the key messages, it is most helpful also in facilitating a continuing debate on good practice. It is interesting to see that there are other perspectives of what good looks like and we welcome the continued learnings from other professionals who are working to integrate and further risk management in the way organizations manage themselves from the board to ops. I could not agree more that effective risk management is ultimately good governance and management practice; the reality is that there are many folks whether professional accountants, risk experts or others working in risk related functions or processes – so I think the guidance around integration and directing such activities towards how an organization achieves their objectives continues to be relevant. Thank you to you all for your willingness to openly share your perspectives.

  6. Gregory Sosbee
    January 14, 2019 at 7:28 AM

    I appreciate the way Norman substitutes “[and the rest of us – ndm]” wherever accountants are mentioned. The article is written by accountants as “propaganda” for increasing the accounting profession’s contributions beyond the transactional and policies and procedures. Such propaganda worked once when the accounting profession convinced the SEC and NYSE that the accounting profession was the risk evaluators in the financial services industry. All that did was to codify the term “Chief Risk Officer” for the group that allocates capital and has nothing to do with the other 75% plus risks facing that industry. The truth is there is no one “group” that perfectly fits the risk management requirement. Each group has its strengths and weaknesses, but those who are experienced in seeing and quantifying risk (and not capital allocation) do have an edge. (As an aside, those who wish to eliminate risk from the title are well intentioned but wrong as, for better or worse, a title confers authority within a described group.) Education of the fact that risk has two sides that require management is what is needed. The benefits of a proper risk management effort result in a profile of the strengths and weaknesses of the organization. This profile can then be used to document the effects of organizational changes, additions, and subtractions.

  7. February 5, 2019 at 4:51 AM

    Reblogged this on pipayfreemind and commented:
    Very interesting topic
