Leveraging ISO 31000 for Effective Integration of Risk Management and Internal Control
 


Presentation given by Vincent Tophoff, IFAC Senior Technical Manager, on risk management and internal control at the Second International ISO 31000 Conference in Toronto, May 2013.


Presentation Transcript

Slide 1: Leveraging ISO 31000 for Effective Integration of Risk Management and Internal Control
  Presenter: Vincent Tophoff, International Federation of Accountants (IFAC)
  Second international ISO 31000 conference – Toronto, 28-31 May 2013

Slide 2: Overview
  • Role and domain of IFAC
  • Maturity of risk management and internal control (RM/IC)
  • Broader approach in RM/IC
  • Broader approach in RM/IC standards, frameworks & guidelines
  • Remaining pitfalls in RM/IC: application failures
  • IFAC supports further improvements in RM/IC

Slide 3: The International Federation of Accountants (IFAC)
  • The global organization of the accountancy profession
  • 172 member bodies and associates in 129 countries
  • 2.5 million professional accountants in public practice, commerce, industry, financial services, the public sector, education, and the not-for-profit sector
  • Public interest focused
  Slide annotation: "More than half are in this box"

Slide 4: The International Federation of Accountants (IFAC)
  • Supports accountants in the following areas:
    Auditing and accounting
    Governance and ethics
    Risk management and internal control
    Sustainability and corporate responsibility
    Financial and performance management
    Business reporting
    Promoting and contributing to the value of accountants
  • All areas of critical importance to the organizations they work for!

Slide 5: Maturity ladder of RM/IC (diagram)
  Level 1: Non-existent or ad hoc
    • Crisis management
  Level 2: Internal control only
    • Formal internal control
    • Mainly focused on external financial reporting
  Level 3: RM/IC as a silo
    • Internal control now complemented with risk management
    • But performed in a silo…
    Slide annotation: "Here we are now"
  Level 4: Integrated RM/IC
    • Integrating risk management and internal control in the governance & management of the organization

Slide 6: IFAC survey on risk management & internal control
  • Received over 600 responses from around the globe
  Main conclusions:
  • More awareness of the benefits of risk management and internal control systems should be created
  • Risk management and internal control should be better integrated into organizations’ overall governance, strategy, and operations
  • Risk management and internal control requirements and guidelines should be further aligned internationally

Slide 7: Global Survey on Risk Management & Internal Control > Proposed Next Steps
  • Emphasizing the benefits of (more integrated) risk management and internal control
  • Bringing the various risk management and internal control standard-setting organizations (such as COSO, ISO 31000 & the Risk Oversight & Governance Board) and their guidelines closer together
  • Collaborating with experts on the development of practical application guidance for (integration of) risk management and internal control

Slide 8: Global crisis
  According to IFAC research, caused by:
  • Ethical flaws
  • Governance, risk management & internal control in name but not in spirit
  • Regulatory overload, leading to legalistic compliance
  • Risk & control systems too narrowly focused on only financial reporting controls
  • However, many, if not most, of the risks that affected organizations derived from areas other than financial reporting

Slide 9: Conclusions from survey and global crisis
  A. Organizations should take a broader approach in risk management and internal control
  B. Risk management and internal control standards and principles should better enable taking a broader approach
  C. Appropriate application of risk management and internal control standards and principles is often the problem

Slide 10: A. Taking a broader approach in RM/IC

Slide 11: Broader approach in risk management (1)
  • Q: “How does your organization address uncertainty in achieving its strategic objectives?”
  • A: “Through our strategic management system”: line management engaged in a plan-do-check-act cycle, focused on achieving the organization’s objectives
  • Q: “How does your organization address risk?”
  • A: “Through our risk management system”: a (separate) risk and control system, staff functionaries and a risk register, focused on mitigating risk

Slide 12: Broader approach in risk management (2)
  What does this example tell us?
  • That we, finance & accounting folks, have made great progress in the area of risk management and internal control…
  • …But that we, in the process, lost the other people in our organization!
  Diagram: "Risk Management" | "Rest of the Organization"

Slide 13: Broader approach in risk management (3)
  Biggest risk facing an organization: the disconnect between those responsible for achieving strategic objectives and those responsible for managing risk
  Solution: making those responsible for achieving strategic objectives also responsible for managing the related risks!

Slide 14: Broader approach in risk management (4)
  • Line management is accountable for (achieving) the organization’s objectives
  • This also includes responsibility for managing the effects of risk on those objectives
  Key objective for management accountants in this regard:
  • Ensure that risk management and internal control are fully integrated in the line management of an organization!

Slide 15: Broader approach in internal control (1)
  • Internal control not as an objective in itself
  • But as a response to modify risk
  • (In order to achieve the organization’s objectives)
  • And…

Slide 16: Broader approach in internal control (2)
  From: Hindering the organization
  To: Enabling the organization
  • Good internal control: invisible hand

Slide 17: B. Collaborating with standard setters
  • IFAC collaborates with regulators and standard setters in the area of governance, risk management, and internal control

Slide 18: IFAC collaboration with Canadian ROGB
  • IFAC also participates in the Canadian Risk Oversight and Governance Board (ROGB)
  • Offers guidance to directors and senior managers to fulfill their responsibility for governance and the oversight of risk management
  • Freely available from the ROGB website

Slide 19: IFAC collaboration with COSO
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • Providing thought leadership through the development of frameworks and guidance on risk management and internal control
  • Revised Framework issued in May 2013 and available at www.coso.org

Slide 20: IFAC collaboration with ISO 31000
  • International Standards Organization (ISO) developed the standard ISO 31000:2009 Risk Management
  • Can be used by any public, private or community enterprise, association, group, or individual
  • Can be applied to any type of risk, whatever its nature, whether having positive or negative consequences (so broader than ERM)

Slide 21: Comparison COSO ERM vs. ISO 31000
  COSO vs. ISO 31000:
  • Lengthy vs. Short (slide annotation: "Too short, however, to really understand")
  • Focused on ERM vs. General approach to managing risk
  • One cube vs. Framework and process
  • Skewed to negative vs. Risk can be positive or negative
  • Risk already exists vs. Risk tied to achieving objectives
  • Risk & opportunities vs. Opportunities also a source of risk
  • More sequential process vs. More iterative process
  • However… many organizations use both COSO ERM and ISO 31000
  • Biggest challenge is that concepts and terminology are not aligned!

Slide 22: Bringing together COSO, ISO, ROGB and others
  • Best opportunity to further align concepts and terminology by bringing together the various issuers of standards, guidance & frameworks
  • To discuss how the terminology, various concepts & guidelines could be better aligned
  • IFAC facilitates the first meeting of the COSO, ISO 31000, and ROGB boards in September 2013 in Chicago
  • Including representatives from RIMS and other organizations
  • Should all work together to produce globally-aligned terminology, concepts, and guidelines that are relevant to all users
  • IFAC looks forward to continuing to contribute to this collaborative effort

Slide 23: C. Encouraging better application of RM/IC guidelines

Slide 24: Bad practice vs. good practice in RM/IC
  Overwhelming load of bad practice (bad practice vs. good practice):
  • RM/IC as an objective in itself vs. RM/IC to achieve objectives
  • Auditor / staff driven vs. Board and management driven
  • Rules-based vs. Principles-based
  • Off-the-shelf systems vs. Tailor-made
  • Focused on threats only vs. Also focused on opportunities
  • Mainly hard controls vs. Social / human aspects
  • Artificially implemented vs. Organically implemented
  • Stand-alone / “bolt-on” vs. Integrated / “built-in”
  • Static, out-of-date vs. Dynamic, evolving
  • Creates costs vs. Creates results / value
  • Abandoned vs. Supported

Slide 25: IFAC risk management & internal control publications
  • Evaluating and Improving Governance in Organizations
  • Evaluating and Improving Internal Control in Organizations
  • Integrating Governance for Sustainable Success
  • All IFAC publications free of charge at www.ifac.org

Slide 26: Evaluating and Improving IC in Organizations
  • Highlighting areas where practical application of internal control standards often fails in many organizations
  • Designed to establish a benchmark for good practice in maintaining effective internal control in response to risk
  • For all types of organizations, as all organizations—whether private or public—should have appropriate internal control

Slide 27: Guidance to avoid or overcome pitfalls
  Good internal control should:
  • Support the organization’s objectives
  • Define clear roles and responsibilities
  • Foster a motivational culture
  • Link to individual performance
  • Ensure sufficient competency
  • Respond to risk
  • Be communicated regularly
  • Be monitored and evaluated regularly
  • Provide for accountability and transparency

Slide 28: Next steps > guidance in integration of risk & control
  • Risk management and internal control are a means to an end: making sound (SWOT) decisions to achieve the organization’s objectives without surprises!
  • Principles on how risk managers can support their organization in integrating risk management and internal control into the organization’s overall governance and management system

Slide 29: Key takeaways
  • Risk management and internal control have matured
  • Still many flaws
  • IFAC supports: further integration of RM/IC; further alignment of RM/IC standards; better application of RM/IC principles and concepts
  • However, no matter the guidance provided…

Slide 30
  • …There will always be some who do it their own way!