Recently, there have been several new studies and articles released on Risk Management. COSO published a paper on using its ERM framework to help with Sustainability reporting which can be found at http://www.coso.org/. KPMG released a study on ERM capabilities which can be found here.
The more I’ve read the more I come to the conclusion that Enterprise Risk Management is incorrectly named. It seems that the more we look at it, ERM is really something else. The purpose of business is to take risk. If investors and owners didn’t want to take risk they would simply leave their money in the bank earning a paltry half percent these days. Instead they decide to put their money at risk in the hope that the risks the business takes will result in a greater return.
So if a business’ purpose in life is to take risk, why do we spend so much time talking about managing risk? Part of it comes from the conflicting requirements a business faces. Certainly it has to take risk in order to try to make a profit, but there are risks a business wants to avoid. Financial reporting risk is one many CPAs are familiar with, but there are others, such as regulatory compliance risk and certain legal risks, that are also to be avoided or minimized. The problem is when that “minimize the risk” mindset sinks into the regular business decision-making process.
I think the whole ERM process is unfortunately bringing that minimize-or-eliminate-risk mindset to the rest of the business. Maybe this is because ERM efforts are often led by financial or compliance professionals who bring that negative view of risk from their discipline. Or maybe it’s just that word ‘risk.’ What if we called it Enterprise Opportunity Management? That certainly gives it a different connotation and makes you think differently about what the process should be. So, here is to looking for those EOM studies and how-to articles.
The past week really brought home to me how international the profession of accounting is becoming. I attended the International Federation of Accountants, Professional Accountants in Business committee meeting in New York and the Regional AICPA Council meeting in Atlanta.
The IFAC meeting really brought home that no matter where you work in the world, the U.S., Canada, Europe, India or Australia, the issues we are dealing with as PAIBs are the same. We are dealing with investor demands for more information being fulfilled through standard setters and regulators. We are dealing with risk management and internal control and the realization that as a business we have been organized to take risks – but as PAIBs we are being asked to monitor that risk taking to make sure the risks are known and within the corporate plans. PAIBs across the world are being asked to be more than just good accountants; we are being asked to be strategic leaders in the business to deliver on business plans and ultimately the return to all stakeholders in the business.
The internationalization of the issues facing the profession was made even more apparent at the AICPA Regional Council meeting. We spent half the meeting hearing updates about, and talking about, the potential implications to the AICPA and our members of the various impacts of internationalization. Mandatory auditor rotation is just one such issue. It is a purported solution to all the ills related to audits around the world. Some areas see it as the solution to an apparent lack of competition among the audit firms. Others see it as the way to give auditors the backbone to stand up to unreasonable requests from the companies they audit – the theory is that it is easier to say no if you know you’re going to lose the relationship after a few years anyway. But whatever the problem, mandatory auditor rotation as the solution is gaining momentum due to an interesting dynamic – that everyone else is “doing it” so it must be good and we need to do it too.
This last point brings out the reason why it is important to talk with and be part of the international professional accountant community. Some solutions are good and worth emulating. Others, however, are not good at all, and the misinformation being spread can only be combated by hearing the real story from our fellow professionals in those countries. I for one am glad the AICPA is focused on the internationalization of the profession and opening the lines of communication around the world.
I have written several blogs on controls and the internal control process, but I want to use this blog to cover one of the basic tenets of internal control that I have not spent sufficient time on in the past – the concept of three lines of defense. ISO 31000 and the COSO Internal Control Integrated Framework both incorporate this concept; it is part of the very foundation of internal control. So, what are the three lines of defense?
1) Management
2) Risk Management & Compliance Functions – also known as Monitoring
3) Internal Audit
Management is everyone in the business or organization. They have to set the tone, implement the controls and actually perform them. If management does not embrace the idea of an appropriately controlled environment, then the second and third lines of defense are meaningless.
The risk management and compliance functions of the business are there to monitor the practices of management. Monitoring requires more than just checking on the controls. It also encompasses looking for new and emerging risks that had not previously been contemplated by the business and getting that information back to management so it can be incorporated into the first line of defense. Done right, there is a constant feedback loop between the second line and the first line of defense.
Internal Audit is the final line of defense. It provides objective assurance about the first and second lines of defense to those responsible for governance. Internal auditors have to have a full understanding of the business and its risk management processes. This certainly isn’t the stereotypical check-the-box, numbers-driven auditor that all too many people associate with the Internal Audit function.
While, as stated, the first line of defense must be in place for the other two lines to have any meaning, that doesn’t mean you can let the second and third lines of defense lag. The financial crisis was at least partially due to an inability to think about what might happen (housing prices going down) and how that would impact a business. The second line of defense deals with those and many other issues. The third line of defense is also critical because those governing the organization are depending on the third line’s expertise and integrity to make sure the first and second lines of defense are working appropriately.
I know some businesses are too small to have internal audit departments, but no business is too small not to have the functions performed by internal audit. That’s where professional accountants, such as CPAs, CGMAs and others, can step in to help. We bring that objectivity and integrity to any work we do, which helps ensure that the three lines of defense are always there.