«Enterprise Risk Management – Aligning Risk with Strategy and Performance A public exposure draft issued by the Committee of Sponsoring ...»
Enterprise Risk Management – Aligning Risk with Strategy and Performance
A public exposure draft issued by the Committee of Sponsoring Organizations of
the Treadway Commission
Comments from ACCA to Chair Robert Hirth
30 September 2016
ACCA is the global body for professional accountants. We aim to offer business-relevant, first-choice
qualifications to people around the world who seek a rewarding career in accountancy, finance and
ACCA has 188,000 members and 480,000 students in 181 countries and works to help them to develop successful careers in accounting and business, with the skills required by employers. We work through a network of 100 offices and centres and more than 7,110 Approved Employers worldwide, who provide high standards of employee learning and development. Through our public interest remit, we promote appropriate regulation of accounting and conduct relevant research to ensure the accountancy profession continues to grow in reputation and influence.
The expertise of our senior members and in-house technical experts allows ACCA to provide informed opinion on a range of financial, regulatory, public sector and business areas, including: taxation (business and personal); small business; pensions; education; and corporate governance and corporate social responsibility.
The update to the COSO framework is an important development and is particularly relevant to professional accountants. ACCA believes professional accountants have an important role to play in helping the business manage risk and create value for the organisation. By working in collaboration with other business functions, professional accountants can bring appropriate skills and experiences to support more effective integrated risk management processes in the business. They are well placed through business planning, performance management and decision support activities, as well as financial reporting activities to support the achievement of organisation objectives and to support as part of collaborative approach, the inherent related management of risk in the business. It is for this reason that ACCA sincerely welcomes the opportunity to comment on this exposure draft.
Further information about ACCA’s comments on the matters discussed here can be requested from:
Jamie Lyon Jo Iwasaki Head of Corporate Governance Head of Corporate Sector firstname.lastname@example.org email@example.com +44 (0)20 7059 5674 + 44 (0) 207 059 5513 ACCA +44 (0)20 7059 5000 firstname.lastname@example.org www.accaglobal.com The Adelphi 1/11 John Adam Street London WC2N 6AU United Kingdom
SUMMARYACCA would like to take the opportunity to comment on the Committee of Sponsoring Organizations of the Treadway Commission (COSO)’s ExposureDraft of the update to its Enterprise Risk Management– Integrated Framework (“ERM Framework”). The timing for revisions to the ERM framework cannot be better. With significant uncertainty and volatility ever present in the external environment, boards are under significant pressure to be more accountable for their stewardship, including managing risks. The effective management of risk is essential to ensuring the delivery of the organisation’s strategic objectives, as well as meeting its regulatory and compliance requirements.
We need to recognise that effective risk management improves the overall governance of the organisation and should result in better enterprise decision making, helping manage both downside risks as well as taking advantage of new opportunities that may arise. This is particularly relevant in an environment where the complexity of risks has increased and where new risks are emerging. New guidance on enterprise risk management is also relevant for the constituency that we primarily represent – professional accountants. ACCA’s members are employed in a wide variety of roles around the world and through these various domains and areas of responsibility make a strong contribution to supporting sustainable enterprise growth and ensuring effective financial stewardship of the organisation. They also have a part to play, working with colleagues across the organisation, in supporting the business to help manage risk and create value. It should be clear - we do not see professional accountants or indeed any other function as having “ownership” for the risk agenda. The ownership of effective risk management in the organisation ultimately rests with the board, and cannot sit within any one designated function.
Professional accountants can and should play their part in this initiative but in reality everyone employed by the business has a role to play in helping manage risk.
ACCA conducts its own programme of research on risk. We have previously considered issues such as the quality and value of risk reporting, the development of a risk challenge culture within the organisation, board structures and the inter-relationship between good corporate governance and effective risk management in the past. Looking forward we expect to extend our research on enterprise risk further to specifically explore the integration of risk management practices.
COMMENTSA focus on integrated risk management
ACCA fully supports the emphasis of the COSO Public Exposure draft which gives renewed focus to the concept of integrated risk management practices. The importance of aligning risk management practices to the performance of the organisation is essential. Risk management practices have fallen short in this regard, treating risk management as a separate process or a specialist approach within for example a risk or internal audit function and not always as an integral part of the strategy setting and business decision making process.
It is critical for the COSO revision to reiterate that it is the board’s responsibility to provide the appropriate direction to senior management on managing risk in the business, as well as setting the appropriate risk appetite for the organisation, clearly aligned to the strategy of the organisation. The senior management team must provide leadership for all employees in helping manage risk appropriately, ensuring the management of risk is integrated effectively into the running of the business; effective communication is particularly important here. The boards’ responsibility must also be to gain on-going assurance that executives are responding effectively to the management of risk. This clarity ensures that the responsibility of managing risk is a collective responsibility, and one which is not delegated to designated functions such as the risk team. It is our firm view that everyone has a role to play in helping the business manage risk (this is consistent with the three lines of defence rationale). The COSO draft needs to be clear on this.
ACCA’s review of the COSO draft however raises concerns. The tone of the subsequent chapters beyond the executive summary appear to fail in pursuing the ethos of integration outlined in the executive summary. The biggest issue is with Section 5 Components and Principles which outlines the revised
enterprise risk management framework and the five interrelated components of:
1) Risk Governance and Culture;
2) Risk, Strategy and Objective Setting;
3) Risk in Execution;
4) Risk information, communication and reporting; and
5) Monitoring Enterprise Risk Management Performance.
The language used in the exposure document (including the headings which are risk centric) convey the sense that risk management is first and foremost considered through the lens of “risk” rather than being seen as an integral part of setting strategy and delivering performance as “business as usual”. This detracts potentially from the main point.
We need to reframe the discussion on enterprise risk management as an integral part of delivering the strategy and business objectives of the enterprise throughout the document. This can also significantly drive a change in the mindset and behaviours of employees and how they both perceive and deal with managing risk.
The model depicts enterprise risk management as visibly “wrapped around” strategy and business objectives which may still be seen to remain as a “Bolt – On” separate process. Anchoring the foundation and language of the model on these rather isolated risk management processes may increase the possibility that in practice these risk activities would remain outside the achievement of business objectives. Furthermore, it could create an additional “layer” of risk governance, adding to, and not becoming a part of, reporting and performance management processes and activities, ending up as an additional non value adding burden to the enterprise. In fact if the enterprise risk structure becomes overly cumbersome its becomes a barrier and not an aid to effective risk management. This is the goal we should be absolutely trying to avoid.
In our view, the critical issue is about striking the right balance and challenging thinking upfront in and across the business cycle; organisations are constantly thinking about their key strategic objectives essential to creating sustainable growth and performance; developing processes to meet these objectives should be accompanied by thinking through risks from every angle at the same time, involving those who are executing processes across the organisation. In this way, the management and reporting of risks associated to business objectives are undertaken efficiently and effectively as part of core strategic planning, performance reporting and decision making processes.
The “risk centric” way in which the model is currently framed in the exposure draft may not be helping in changing the mind-set of those tasked with completing risk registers as they are likely to view “risk management” as a separate process or worse, a compliance exercise. It is detracting readers from the good intentions set out in the executive summary of ensuring risk management processes are “part and parcel” of managing uncertainty in the context of strategy setting, performance management and decision taking.
In the light of the heightened strategic risk awareness at the board level, the model risks missing an important further opportunity to trigger a wider change on risk management in practice. At the board level, risk is increasingly better integrated into the mind-set: board members now better understand that there would be risk in whatever decision they make; they also know that not making any decision can also pose risk. In our view, developing a similar mind-set right across the organisation should be a key step.
Other comments identified through our review:
The draft is too long and the language used is not helpful The full public exposure draft is 132 pages long. One of the essential objectives of the COSO review should be to drive practical adoption of emerging best practices in this area. To this end the content must be accessible and easily digestible. It must also be consistent in its ethos and logic. At times the language used is not entirely consistent or readily understandable, limiting its potential uses for management in the enterprise. We would strongly recommend that consideration is given to reducing the length of the paper, as well as more accessible alternative communication channels, content choices and the use of the language consistent with the objective should be explored. Making it more accessible means management across the business (rather than just risk experts) can digest appropriately.
The draft does not give sufficient consideration to upside risk. Good risk management practices enable organisations to take more risks to drive growth and create competitive advantage, as well as ensuring adverse risks impacting the achievement of business objectives are managed appropriately and minimised. Whilst we recognise the positive side of risk management is referred to in the section entitled “Benefits of Risk Management” near the outset of the document, it could be further explored and emphasised in the main body of the document.
The draft should recognise other existing frameworks and help drive convergence ACCA notes that other frameworks also exist to support organisations in driving effective risk management practices.
In particular ISO 31000: 2009 Risk Management Principles and Guidelines is a well-established source of best practice information for many businesses. In the spirit of coordination and harmonization, COSO should ensure that its guidance, terminology and approach is consistent and dovetails where appropriate rather than contradicts other reputable reference frameworks. This would drive confidence in the practical application of these tools and methodologies. A consistent definition on what enterprise risk management is would be a sound starting point. More practical examples would be valuable too.
The draft could better explain the relationship between internal control and risk management. In practice, one of the difficulties that many organisations face is their understanding on the “interplay” between risk management and internal control activities. It is our view that the document could better explain these inter-relationships as part of a more integrated approach to risk management. This also relates to the concept of combined assurance and how organisations can drive more effective collaboration.
The draft could include specific guidance for smaller organisations. We also note that this revision is most suited to larger organisations. As risk management is equally relevant to small and medium sized enterprises that are also a large constituency of ACCA, we would welcome further guidance in the framework on the application of these tools and practices to smaller entities. This point could also apply to not for profit organisations and other sectors. The document in its entirety is quite prescriptive and consideration should be given to how we make it more principles based and flexible to suit different business’ contexts. Here we see the further use of practical examples where organisations have successfully integrated risk management into the business as particularly valuable.