Following positive reviews and requests for an encore after our 2013 appearance, we recently gave a presentation, “Upgrading Risk Management and Internal Control in Your Organization,” at the 2014 Annual Conference of the Institute of Management Accountants (IMA) in Minneapolis, Minnesota, US. This year’s presentation used our 2013 overview presentation, “Leveraging Effective Risk Management and Internal Control for your Organization,” as a starting point but focused on the specifics of improving risk management and internal control (RM/IC) in organizations.
Our presentation started with a brief introduction to current RM/IC considerations, highlighting the serious RM/IC flaws in many organizations, such as a compliance-only mentality (“RM/IC in form only”), and what should be done to get it right. For example, we discussed the appropriate application (“RM/IC in spirit”) of various guidelines, such as the RM/IC frameworks issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and ISO 31000:2009, Risk Management – Principles and Guidelines, issued by the International Organization for Standardization (ISO).
Next, we discussed the maturity stages of RM/IC in organizations, which can be summarized as follows:
- Non-existent or ad hoc—often characterized by reactive crisis management once something has gone wrong;
- Internal control only—formal internal controls, often mainly focused on external financial reporting;
- Stand-alone risk management and internal control—functioning as a siloed system next to, and not necessarily in tandem with, an organization’s management system; and
- Integrated risk management—including internal control, being a natural and integral part of an organization’s system of management.
We then presented some thoughts on how professional accountants can assess RM/IC maturity in their organization.
Next, we presented a case study on how a company can assess the RM/IC arrangements of its North American co-manufacturing operations. The case study demonstrated that the organization’s game plan and subsequent execution were fairly well aligned with the risk management process and approach described in the COSO frameworks and the ISO 31000 standard. However, there are subtle differences between the COSO and ISO approaches, which may be an interesting topic for a follow-up conversation.
We concluded our presentation with a call to action for professional accountants to further good RM/IC in their organizations, for example by:
- Building subject-matter-expertise regarding RM/IC frameworks, standards, and other guidance;
- Educating their audit committee, C-suite, operating unit, and functional management on RM/IC;
- Supporting their line management colleagues through provision of high-quality information;
- Establishing good RM/IC for the finance function; and
- Championing the importance of continuous RM/IC improvement.
Our session was chaired by IMA’s President and CEO Jeff Thomson, who actively contributes to the global discussion on how RM/IC should be positioned in an organization. See, for example, his recent article, co-authored with James DeLoach, “Improving Organizational Performance and Governance: How the COSO Frameworks Can Help.” The article relates the COSO risk management and internal control frameworks to an overall business model and describes how the key elements of each framework contribute to an organization’s long-term success.
All in all, the feedback on our second presentation was very positive and we are glad that we were able to provide some useful insights and specific examples. This leaves us with the following questions for your consideration:
- What other examples do you have of “good” and “bad” practice in RM/IC?
- How mature are the RM/IC arrangements in your organization and what is or should be done to further improve their performance?
- What else could professional accountants do to further good RM/IC in their organization?
- What should be the topic for our next RM/IC presentation?
We are looking forward to hearing from you!