The recent IFAC report Enabling the Accountant's Role in Effective Enterprise Risk Management (ERM) highlighted the importance of risk management being a core competency for accountants. For CFOs and finance teams, ERM provides a platform for delivering additional value in business by improving decision making and enhancing the insights and information available to boards and management as they respond to uncertainty. At its recent meeting in March, the IFAC Professional Accountants in Business (PAIB) Committee recommended IFAC further engage with its membership on the implications of the report findings for their role in enhancing risk competence among accountants, such as through a targeted ERM webinar for professional accountancy organizations.
At the meeting, Paul Sobel of The Committee of Sponsoring Organizations of the Treadway Commission (COSO) also provided an update on COSO ERM activities and priorities, and Francis Nicholson of the Institute of Internal Auditors (IIA) on the potential areas of improvement to the IIA’s Three Lines of Defense Model. Highlights from these presentations are summarized below.
COSO ERM Update
In a presentation to the committee, Paul Sobel, Chair of COSO, and Vice President - Chief Risk Officer Georgia-Pacific LLC, highlighted how IFAC’s recent work in risk management, also including From Bolt-on to Built-in Managing Risk as an Integral Part of Managing an Organization, effectively complement the COSO ERM framework and enable a good understanding of how CFOs and finance functions should contribute to effective ERM both in terms of value creation and preservation. The CFO and finance function role have become critical in enabling good ERM practices centered on ensuring an ERM approach drives insights, underpins good decisions and facilitates integration and interconnectivity across the organization. The recommendations for the professional accountant skillset would be useful for those involved in ERM.
Paul Sobel also highlighted that board and management feedback on the revised COSO ERM framework and principles issued in 2017, Integrating with Strategy and Performance, has been generally positive with feedback suggesting that the 20 principles are intuitive. The main areas of increasing attention in many organizations include:
- Governance and culture – given that most problems begin with governance weakness and problems with the overall corporate culture. The new framework addresses the growing focus of culture in effective risk management, and explores culture within the broader context of overall core values.
- Strategy and objective-setting – linking risk management to strategy and planning is increasingly becoming accepted good practice. Effective risk management begins with understanding the business environment, formulating objectives, evaluating alternate strategies and risk appetite. Risk appetite and tolerance are commonly misunderstood. The former is a critical part of a strategic discussions, and risk tolerance provides guidance for the execution of ERM. Risk aligned to strategy will more quickly identify the possibility of strategy and business objectives not aligning with mission, vision and values, and risk to executing strategy
- Performance – ensuring risks are not treated as individual events and that risks are typically interconnected and a risk event can have multiple risk outcomes – this makes the portfolio view of risk an important feature of the Framework
- Review and revision – moving away from a static risk management process to assessing substantial change. The Framework encourages a dynamic risk process that involves understanding and connecting to the changing world and business environment
- Information, communication and reporting – particularly on risk culture and performance to board and management. The quality of reporting to those charged with governance is key to ensuring they can exercise their oversight responsibilities.
COSO Next Steps
Although there are no planned updates to the ERM Framework, or the Internal Control – Integrated Framework (2013), which continues to be widely used to enable compliance with the Sarbanes-Oxley Act, COSO has released a compendium of ERM examples and is working on providing additional guidance in various areas.
COSO and World Business Council for Sustainable Development recently issued comprehensive and practical guidance on Applying ERM to Environmental, Social and Governance (ESG) Related Risks to reflect the increasing demand for information on ESG performance.
Potential new guidance is being considered in the following areas:
- ERM for cloud computing and the cyber age
- Blockchain and its impact on internal controls and implications for ERM
- Psychology and sociology of fraud
- Assessment tools for risk
- Robotic process automation and artificial intelligence.
Three Lines of Defense Review Project
Francis Nicholson of the IIA, reported on the IIA’s review of The Three Lines of Defense in Effective Risk Management and Control. The IIA is assessing whether there is a shortfall between what organizations and their stakeholders need and what the current three lines model delivers.
Their aim is to issue a new position paper covering the key elements of governance, including the importance and role of internal audit in an organization’s activities to enhance and protect value.
The model is widely applied in larger companies, and particularly financial institutions. While some like the simplicity of the model, the IIA is seeking to address perceived deficiencies in the approach particularly focused on delivering organizational success, incorporating the structures and processes of governance, a more interconnected and integrated approach between the “lines”, and more widely applicable approach.
Potential areas of improvement to the model being considered include:
- Ensure the focus is more broadly on governance rather than risk management and control functions in isolation
- Combine the performance governance responsibilities of value creation and protection with the conformance responsibilities. This might require a re-labelling of the model
- Emphasize the need for collaboration and a coordinated approach across the lines and provide more detail on the distinctive contribution made by each function to organizational governance
- Focus on activities and accountabilities as well as structure
- Recognize where there is scope for flexibility in the application of the model, for example to the public sector
- Alignment to other standard and Frameworks, for example from COSO.
The IIA will issue a public consultation on a revised position paper in May 2019.