Most people in an organization are primarily focused on doing their job well. And this is how it should be, as the main objective of an organization is not to manage risk, nor to have controls, but to ensure that it makes the best decisions and achieves its objectives. If employees were obliged to implement a risk management and internal control system around their activities, it would merely be seen as a distraction. Establishing an explicit connection between how risk affects their jobs and their objectives, however, makes them more inclined to manage the related risk as well.
Unfortunately, most standards, frameworks, and guidelines still treat risk management as a separate process or a non-integrated, stand-alone function, rather than as an integral part of managing an organization, including strategic and operational planning and decision making, execution, monitoring, review, and continuous improvement.
As a first step in filling this gap, IFAC has developed a thought paper, with the support and guidance of our Professional Accountants in Business Committee, From Bolt-on to Built-in—Managing Risk as an Integral Part of Managing an Organization. The paper demonstrates the benefits of properly integrating the management of risk and provides guiding principles and a practical example on how such integration can be achieved.
This paper is timely, as both risk practitioners and others are now more open to integration (for example, see the outcomes of this UK survey on integration of risk management) and also because some of the major global guidelines for risk management are currently being revised.
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is currently updating its Enterprise Risk Management (ERM) Integrated Framework. IFAC is actively involved in that update—see my previous article for more details.
- The International Organization for Standardization (ISO) recently decided to turn its planned limited revision of Standard 31000:2009—Risk Management into a full technical revision. IFAC also participates in the technical committee for this revision—see my previous article for additional details.
Do you agree that the mood in your organization or country is now ready to transform stand-alone risk management arrangements into a more integrated form of risk management? Would additional guidance on how to establish such a transformation be useful (for example, more explicitly in already existing risk management guidelines)? What else could or should IFAC and the accountancy profession do to further those objectives? Please read our thought paper and let us know!