The financial crisis placed a new emphasis on effective risk management for company boards, according to the International Federation of Accountants (IFAC).
This has led to criticism that boards pay too much attention to risk, leading to cautious decision-making.
Elsewhere, regulators have turned their attention to risk too. The UK’s Financial Reporting Council reviewed and then revised its combined code, stressing risk as a central concern for the board.
Internationally risk is also a big issue and now IFAC has issued its own guide to effective integration of risk management into company procedures and systems. Its motive? The realisation that many companies are still failing to impose effective risk management.
IFAC says: “Some organisations have not yet established a formal framework for the management of risk, nor integrated it into their overall system of management.
“In these cases, organisations may rely on ad-hoc crisis management that attempts to recover the status quo after an event. Others have some sort of framework but it may be plagued by serious flaws.”
The flaws that worry IFAC include a compliance-only mentality; seeing risk only as negative and failing to view risk management as a means of supporting the pursuit of objectives; a preoccupation with applying internal controls to external reporting when they should be applied to all material risk; and regarding risk management as a separate discipline or process when all line managers should be looking at risk.
IFAC has provided these insights for boards:
Managing risk is an integral part of setting and achieving an organisation’s objectives. Managing risk, or having a tough set of controls, is not the end, only a means to business ambitions. But managing risk should be an integral part of reaching those ambitions.
“In some organisations, the risk management process is applied only after objectives are set, overlooking that setting objectives itself can be one of the greatest sources of risk,” says IFAC. Risk, therefore, “should be considered at all stages of the objective setting process, as well as in the subsequent planning, execution, monitoring and review stages”.
Boards must make the connection between risks that are reported and company aims. “As a consequence, risk is insufficiently understood or controlled, even though the organisation devotes some attention and resources to the management of risk. Risk management without taking into account the effect on objectives is thus ineffective.”
Risk management is not a one-size-fits-all process. Because risks are so closely related to a company’s individual aims, the risk-management approach should be equally bespoke.
“An organisation’s risk to setting and achieving its objectives is influenced by many factors such as its size, structure, business model, IT systems, financial flexibility, its employees and its environment—that is, its customers, suppliers, competitors and regulators, as well as political, social, economic and technical drivers of change, etc.
“Ergo, it is all of these factors together that determine how the management of risk can be applied most effectively for a specific organisation.”
Follow the leader
Those responsible for defining aims and objectives should also be in charge of managing the risk.
“Line management needs to accept its responsibility and not delegate risk management internal control to specialised staff departments. Placing responsibility within the line also implies that staff or support functions should not, or no longer be, the owners of risk management in organisations.”
Emotion, greed, fear
Decision should be informed by risk information up and down an organisation.
“Special attention should be given to decision making by the governing body, as some of the biggest risk management failures have been caused by emotion, greed or fear.
“In such cases boards often forget about the basics of sound decision making, including adequate risk assessment.”
Reliable data for effective risk management is essential. Professional judgement can be used, but it must be just that: “… exercised by those who are suitably trained, qualified, and experienced to use it and based on the best available information.”
Step by step
Applying risk management to a decision is not the end of the process: the subsequent steps (design, planning, execution, monitoring and review) also need to apply risk management.
Organisations need to remain on their toes, able to respond to the “consequences of unforeseen events”.
“After all, over the long term it is not the strongest of the species that survives, or the most intelligent, but rather the one most adaptable to change.”
The full report from IFAC is here.