Accountants Enabling Effective Enterprise Risk Management

Stathis Gould | May 6, 2019

The recent IFAC report Enabling the Accountant's Role in Effective Enterprise Risk Management (ERM) highlighted the importance of risk management being a core competency for accountants. For CFOs and finance teams, ERM provides a platform for delivering additional value in business by improving decision making and enhancing the insights and information available to boards and management as they respond to uncertainty. At its recent meeting in March, the IFAC Professional Accountants in Business (PAIB) Committee recommended IFAC further engage with its membership on the implications of the report findings for their role in enhancing risk competence among accountants, such as through a targeted ERM webinar for professional accountancy organizations.

At the meeting, Paul Sobel of The Committee of Sponsoring Organizations of the Treadway Commission (COSO) also provided an update on COSO ERM activities and priorities, and Francis Nicholson of the Institute of Internal Auditors (IIA) on the potential areas of improvement to the IIA’s Three Lines of Defense Model. Highlights from these presentations are summarized below.


In a presentation to the committee, Paul Sobel, Chair of COSO and Vice President - Chief Risk Officer at Georgia-Pacific LLC, highlighted how IFAC’s recent work in risk management, including From Bolt-on to Built-in: Managing Risk as an Integral Part of Managing an Organization, effectively complements the COSO ERM framework and enables a good understanding of how CFOs and finance functions should contribute to effective ERM, both in terms of value creation and value preservation. The roles of the CFO and the finance function have become critical in enabling good ERM practices, centered on ensuring that an ERM approach drives insights, underpins good decisions and facilitates integration and interconnectivity across the organization. The recommendations for the professional accountant skillset would be useful for those involved in ERM.

Paul Sobel also highlighted that board and management feedback on the revised COSO ERM framework and principles issued in 2017, Integrating with Strategy and Performance, has been generally positive with feedback suggesting that the 20 principles are intuitive. The main areas of increasing attention in many organizations include:

  • Governance and culture – given that most problems begin with governance weaknesses and problems with the overall corporate culture. The new framework addresses the growing focus on culture in effective risk management, and explores culture within the broader context of overall core values.
  • Strategy and objective-setting – linking risk management to strategy and planning is increasingly accepted as good practice. Effective risk management begins with understanding the business environment, formulating objectives, and evaluating alternative strategies and risk appetite. Risk appetite and risk tolerance are commonly confused: the former is a critical part of strategic discussions, while risk tolerance provides guidance for the execution of ERM. Aligning risk to strategy more quickly identifies the possibility that strategy and business objectives do not align with mission, vision and values, as well as the risk to executing the strategy.
  • Performance – recognizing that risks are typically interconnected and that a single risk event can have multiple outcomes, rather than treating risks as isolated events; this makes the portfolio view of risk an important feature of the Framework.
  • Review and revision – moving away from a static risk management process toward assessing substantial change. The Framework encourages a dynamic risk process that involves understanding and connecting to the changing world and business environment.
  • Information, communication and reporting – particularly on risk culture and performance to the board and management. The quality of reporting to those charged with governance is key to ensuring they can exercise their oversight responsibilities.

COSO Next Steps

Although there are no planned updates to the ERM Framework, or the Internal Control – Integrated Framework (2013), which continues to be widely used to enable compliance with the Sarbanes-Oxley Act, COSO has released a compendium of ERM examples and is working on providing additional guidance in various areas.

COSO and the World Business Council for Sustainable Development recently issued comprehensive and practical guidance, Applying ERM to Environmental, Social and Governance (ESG) Related Risks, to reflect the increasing demand for information on ESG performance.

Potential new guidance is being considered in the following areas:

  • ERM for cloud computing and the cyber age
  • Blockchain and its impact on internal controls and implications for ERM
  • Psychology and sociology of fraud
  • Assessment tools for risk
  • Robotic process automation and artificial intelligence.

Three Lines of Defense Review Project

Francis Nicholson of the IIA reported on the IIA’s review of The Three Lines of Defense in Effective Risk Management and Control. The IIA is assessing whether there is a shortfall between what organizations and their stakeholders need and what the current three lines model delivers.

Their aim is to issue a new position paper covering the key elements of governance, including the importance and role of internal audit in an organization’s activities to enhance and protect value.

The model is widely applied in larger companies, and particularly in financial institutions. While some value the simplicity of the model, the IIA is seeking to address perceived deficiencies in the approach, particularly its focus on delivering organizational success, its incorporation of the structures and processes of governance, the need for a more interconnected and integrated approach between the “lines”, and the need for a more widely applicable approach.


Potential areas of improvement to the model being considered include:

  • Ensure the focus is more broadly on governance rather than on risk management and control functions in isolation
  • Combine the performance governance responsibilities of value creation and protection with the conformance responsibilities. This might require a re-labelling of the model
  • Emphasize the need for collaboration and a coordinated approach across the lines, and provide more detail on the distinctive contribution made by each function to organizational governance
  • Focus on activities and accountabilities as well as structure
  • Recognize where there is scope for flexibility in the application of the model, for example in the public sector
  • Align with other standards and frameworks, for example those from COSO.


The IIA will issue a public consultation on a revised position paper in May 2019.



Stathis Gould

Director, Advocacy, IFAC

Stathis Gould heads up the development of international services for professional accountants working in business and industry at IFAC. A key element of his work is developing thought leadership and guidance in support of finance professionals and their roles facilitating sustainable organizational performance. Before moving to IFAC, he was at the Chartered Institute of Management Accountants (CIMA), responsible for planning and overseeing a program of policy and research. Prior to serving the accountancy profession, Mr. Gould worked in various roles in the private and public sectors in the UK.


Join the Conversation (1)


Alvaro Fonseca Vivas May 14, 2019

Thank you for the information. I would like to know whether internal control and the administration and management of risk are also considered in relation to COCO and Cadbury, which also strengthen control and the presentation of reports, as well as their quality.
