The accountants’ role in risk management
The International Federation of Accountants (IFAC) has published an interesting and useful piece, Enabling the Accountant’s Role in Effective Enterprise Risk Management. My thanks go to Tim Leech for pointing it out.
The paper makes a number of good points, but I think it misses a major and highly critical one.
Looking at the good first:
- Enterprise risk management (ERM) needs to be part of the professional accountant mindset and makeup.
- To add value, accountants need to be seen as risk experts who are outward-looking and provide valuable insights to manage risk in a way that supports their organizations in responding to uncertainty and achieving their objectives.
- Business requires taking risks and seizing opportunities to achieve success. The accountant’s primary role in ERM is not solely to mitigate risk, but to promote and facilitate effective risk and opportunity management in support of value creation and preservation over time. This involves being focused on the benefits of intelligent risk-taking in addition to the need to mitigate and control risk. ERM requires information and analysis that may indicate success or failure, and support decisions around potential courses of action.
- The reality is that risk management is underdeveloped in many organizations; a reactive approach to risk management is currently the norm. Risk management is typically siloed rather than seen as a core competence and strategic asset. Consequently, risk management processes are ineffective and inefficient and not seen as adding value to decision making and responding to uncertainty.
- Finance and accounting professionals in the finance function are not, in many instances, adequately advancing ERM processes and outcomes in their organizations.
- There is a gap between the risk management knowledge and skills professional accountants in business require and the skills they acquire from their initial professional training.
- To be effective partners and contributors to an organization, accountants need to understand the principles of risk management and how they can be implemented to manage opportunities and threats as part of the existing planning and control management cycle.
- A challenge in effectively managing risk is that risk oversight and management are poorly understood, resulting in different interpretations and approaches, which depend on personal experiences, organizational role, and sector. For example, in financial services, or in managing financial performance, the measurement and assessment of risk has been a predominantly quantitative exercise designed to avoid loss or fraud. Since the financial crisis, this approach is recognized as being too narrow to adequately inform decisions and manage uncertainty. In other sectors, specific challenges such as health and safety or digital and cyber risk are predominant risk areas which ultimately shape the overall approach to managing risk.
- The challenge that arises with applying risk management activities solely through a lens of risk mitigation is that it increases cost with little benefit to the organization’s resilience and success.
- Risk management should sit at the heart of every organization. Effective risk management requires different parts of an organization and multiple processes to come together to understand collectively how the organization is exposed to uncertainty, and how this uncertainty may undermine the achievement of business objectives, and the opportunities for growth and innovation. It is about ensuring an organization is safe and resilient, but that it also continues to thrive.
- To avoid a narrow mindset, risk management is defined by leading thinkers as the “effect of uncertainty on objectives” rather than as a specific event. Risk management is therefore fundamentally about making decisions in the context of uncertainty. It involves understanding the past, present and possibilities for the future. ERM processes involve identifying, assessing, and treating uncertainty and related risks and opportunities that could affect the outcomes of an organization’s objectives.
- Ultimately, ERM gives the board and managers a better understanding of how risk affects the voice of strategy. It also provides confidence that all levels of the organization are attuned to the risks that can impact strategy and performance, and that these are proactively being managed.
IFAC goes on to discuss specific roles for accountants.
While IFAC mentions the two points I am going to make now, they are not sufficiently emphasized.
The first is that the CFO and his or her team are generally seen as responsible for providing leadership with information on whether enterprise objectives will or will not be achieved.
They not only provide information on the current level of performance, but forecasts that indicate what is likely to happen over the next period.
This information is used to make decisions, both strategic and tactical, that are fundamental to success.
The CFO and team need to:
- Understand this role and the need to base their forecasts and projections on the best, reliable, current information available about what might happen (which I refer to as ‘risk’).
- Take responsibility for ensuring that the processes used to deliver the information used in forecasts are of sufficient quality.
- Recognize that for each anticipated event or situation (including closing a major customer sale, completion of a major project, and so on) there is a range of potential outcomes and likelihoods.
- Provide what have been called ‘risk-adjusted’ forecasts and projections, or at least the likelihood of achieving them, not simply a set of numbers where nobody knows the level of confidence in them.
- Help leadership make informed and intelligent decisions, considering what can be done to positively affect the future path and the achievement of objectives.
The second is that Finance is generally responsible for the quality and timeliness of the financial (at least) information used by management at all levels to understand where they are, so they can make the decisions necessary for success.
If that information does not enable operating management to make effective and informed decisions, success is significantly impaired.
I will add one more point. Finance cannot be an obstacle to success. They need to work with operating management to make the right decisions, take the right risks, to achieve enterprise goals.
I welcome your thoughts.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
One area where accountants and the board meet is the pack of information provided to the regular board meetings. The Institute of Chartered Accountants in England and Wales (ICAEW) has recently issued a publication on this (Information Overload: https://www.icaew.com/technical/financial-services/inspiring-confidence-in-financial-services/information-overload-effective-boards-and-committees-in-financial-services). One reason it gives for the increase in pack size is the inclusion of risks.
I’ve only skimmed the publication at present and it makes some useful points (‘Emphasise future events, exposures and high risk areas like IT and cyber risk. As well as
looking at the past, boards need to look ahead. Every paper needs a focus on the future.’). I think it could have emphasised more the need to concentrate on the future. Decisions can’t change the past, so why do most board packs have a high percentage of historical information?
The ICAEW publication, taken alongside the IAFC piece should be a starting point for an internal audit of the board pack. Is it relevant, accurate (including complete) and timely?
I love the question: does [insert area] meet the needs of the organization – in this case, does the information provided to the board meet their needs, enabling them to provide effective and efficient oversight?