Leveraging ISO 31000 for Effective Integration
of Risk Management and Internal Control
Presenter:
Vincent Tophoff
International Federation of Accountants (IFAC)
Second international ISO 31000 conference – Toronto, 28-31 May 2013
Overview
• Role and domain of IFAC
• Maturity of risk management and internal control (RM/IC)
• Broader approach in RM/IC
• Broader approach in RM/IC standards, frameworks & guidelines
• Remaining pitfalls in RM/IC: application failures
• IFAC supports further improvements in RM/IC
The International Federation of Accountants (IFAC)
• The global organization of the accountancy profession
• 172 member bodies and associates in 129 countries
• 2.5 million professional accountants in public practice,
commerce, industry, financial services, the public sector,
education, and the not-for-profit sector
• Public interest focused
(Callout on slide: "More than half are in this box")
The International Federation of Accountants (IFAC)
• Supports accountants in the following areas:
    Auditing and accounting
    Governance and ethics
    Risk management and internal control
    Sustainability and corporate responsibility
    Financial and performance management
    Business reporting
    Promoting and contributing to the value of accountants
• All areas of critical importance to the organizations they work for!
Maturity of risk management and internal control
Level 1: Non-existent or ad hoc
    Crisis management
Level 2: Internal control only
    Formal internal control
    Mainly focused on external financial reporting
Level 3: RM/IC as a silo
    Internal control now complemented with risk management
    But performed in a silo…
Level 4: Integrated RM/IC
    Integrating risk management and internal control in the governance & management of the organization
(Diagram axis: "Integration of RM/IC"; marker on the diagram: "Here we are now")
IFAC survey on risk management & internal control
• Received over 600 responses from around the globe
Main conclusions:
• More awareness of the benefits of risk management and
internal control systems should be created
• Risk management and internal control should be better
integrated into organizations’ overall governance, strategy,
and operations
• Risk management and internal control requirements and
guidelines should be further aligned internationally
Global Survey on Risk Management & Internal Control
> Proposed Next Steps
• Emphasizing the benefits of (more integrated) risk
management and internal control
• Bringing various risk management and internal control
standard setting organizations (such as COSO, ISO 31000
& Risk Oversight & Governance Board) and their guidelines
closer together
• Collaborating with experts on development of practical
application guidance for (integration of) risk management
and internal control
Global crisis
According to IFAC research, caused by:
• Ethical flaws
• Governance, risk management & internal control in name but not in spirit
• Regulatory overload, leading to legalistic compliance
• Risk & control systems too narrowly focused on financial reporting controls only
• However, many, if not most, of the risks that affected organizations derived from areas other than financial reporting
Conclusions from survey and global crisis
A. Organizations should take a broader approach in risk
management and internal control
B. Risk management and internal control standards and
principles should better enable taking a broader approach
C. Appropriate application of risk management and internal
control standards and principles is often the problem
A. Taking a broader approach in RM/IC
Broader approach in risk management (1)
• Q: “How does your organization address uncertainty in achieving its strategic objectives?”
• A: “Through our strategic management system;”
    Line management engaged in a plan-do-check-act cycle
    Focused on achieving the organization’s objectives
• Q: “How does your organization address risk?”
• A: “Through our risk management system;”
    (Separate) risk and control system, staff functionaries, risk register
    Focused on mitigating risk
Broader approach in risk management (2)
What does this example tell us?
• That we, finance & accounting folks, have made great progress in the area of risk management and internal control…
• …But that we, in the process, lost the other people in our organization!
(Diagram: two labelled areas, "Risk Management" and "Rest of the Organization")
Broader approach in risk management (3)
Biggest risk facing an organization: the disconnect between those responsible for achieving strategic objectives and those responsible for managing risk.
Solution: making those responsible for achieving strategic objectives also responsible for managing the related risks!
Broader approach in risk management (4)
• Line management is accountable for (achieving) the organization’s objectives
• This also includes responsibility for managing the effects of risk on those objectives
Key objective for management accountants in this regard:
• Ensure that risk management and internal control are fully
integrated in the line management of an organization!
Broader approach in internal control (1)
• Internal control not as an objective in itself
• But as a response to modify risk
• (In order to achieve the organization’s objectives)
• And…
Broader approach in internal control (2)
• Good internal control: an invisible hand
    From: hindering the organization
    To: enabling the organization
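The three ideas on the preceding slides (a risk is tied to an objective, the objective owner also owns the related risks, and a control exists only as a response to a risk) can be checked mechanically in a risk register. The following is an added example, not code from the deck or from IFAC, of a minimal register model with a consistency check that flags the "silo" symptoms described above: a risk with no objective, a risk owned by someone other than the objective owner, and a control that answers no registered risk. The objectives, risks, controls and owner names are constructed sample data.

```python
"""Added example: a register that ties risks to objectives and controls to risks,
plus a check for the disconnects the slides warn about. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Objective:
    id: str
    description: str
    owner: str            # line manager accountable for achieving the objective


@dataclass(frozen=True)
class Risk:
    id: str
    description: str
    objective_id: str     # ISO 31000: risk is the effect of uncertainty on objectives
    owner: str
    upside: bool = False  # ISO 31000: consequences may be positive as well as negative


@dataclass(frozen=True)
class Control:
    id: str
    description: str
    risk_id: str          # internal control as a response to modify a specific risk
    owner: str


def check_register(objectives, risks, controls):
    """Return a list of findings; an empty list means the register is integrated."""
    obj = {o.id: o for o in objectives}
    rsk = {r.id: r for r in risks}
    findings = []
    for r in risks:
        o = obj.get(r.objective_id)
        if o is None:
            findings.append(f"{r.id}: not tied to any objective")
        elif o.owner != r.owner:
            findings.append(
                f"{r.id}: owned by {r.owner}, but objective {o.id} is owned by {o.owner}")
    for c in controls:
        if c.risk_id not in rsk:
            findings.append(f"{c.id}: control is not a response to any registered risk")
    return findings


# Constructed sample objectives shared by both registers below.
OBJECTIVES = [
    Objective("O1", "Launch the customer portal in Q3", owner="head_of_digital"),
    Objective("O2", "Reduce the cash-collection cycle to 30 days", owner="cfo"),
]


def silo_register():
    """Constructed sample of the 'silo' pattern: risks parked with the risk
    function, one risk with no objective, one control that answers no risk."""
    risks = [
        Risk("R1", "Portal launch slips because the identity provider is late",
             objective_id="O1", owner="risk_manager"),     # owner differs from O1 owner
        Risk("R2", "Customer data exposed through the portal",
             objective_id="O1", owner="head_of_digital"),
        Risk("R9", "Office relocation overruns budget",
             objective_id="O7", owner="risk_manager"),     # no objective O7 exists
    ]
    controls = [
        Control("C1", "Penetration test before go-live", risk_id="R2", owner="head_of_digital"),
        Control("C5", "Quarterly SOX walkthrough", risk_id="R0", owner="internal_audit"),  # orphan
    ]
    return check_register(OBJECTIVES, risks, controls)


def integrated_register():
    """Constructed sample of the integrated pattern: every risk sits with its
    objective owner and every control responds to a registered risk."""
    risks = [
        Risk("R1", "Portal launch slips because the identity provider is late",
             objective_id="O1", owner="head_of_digital"),
        Risk("R2", "Customer data exposed through the portal",
             objective_id="O1", owner="head_of_digital"),
        Risk("R3", "Early portal adoption shortens the collection cycle",
             objective_id="O2", owner="cfo", upside=True),  # opportunity recorded as a risk
    ]
    controls = [
        Control("C1", "Penetration test before go-live", risk_id="R2", owner="head_of_digital"),
        Control("C2", "Weekly delivery checkpoint with the identity provider",
                risk_id="R1", owner="head_of_digital"),
    ]
    return check_register(OBJECTIVES, risks, controls)


if __name__ == "__main__":
    for finding in silo_register():
        print("silo:", finding)
    print("integrated:", integrated_register() or "no findings")
```

The check deliberately does not flag a risk that has no control: under ISO 31000 accepting a risk is a legitimate treatment, so the absence of a control is a decision to review, not an inconsistency in the register.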
B. Collaborating with standard setters
• IFAC collaborates with regulators and standard setters in
area of governance, risk management, and internal control
IFAC collaboration with Canadian ROGB
• IFAC also participates in the Canadian Risk Oversight and
Governance Board (ROGB)
• Offers guidance to directors and senior managers to fulfill
their responsibility for governance and the oversight of risk
management
• Freely available from the ROGB website
IFAC collaboration with COSO
• Committee of Sponsoring Organizations of the Treadway
Commission (COSO)
• Providing thought leadership through the development of
frameworks and guidance on risk management and internal
control
• Revised Framework issued in May 2013 and available at
www.coso.org
IFAC collaboration with ISO 31000
• The International Organization for Standardization (ISO) developed the standard
ISO 31000:2009 Risk management – Principles and guidelines
• Can be used by any public, private or community enterprise,
association, group, or individual
• Can be applied to any type of risk, whatever its nature,
whether having positive or negative consequences (so
broader than ERM)
Comparison COSO ERM vs. ISO 31000
COSO ERM                     | ISO 31000
Lengthy                      | Short (too short, however, to really understand)
Focused on ERM               | General approach to managing risk
One cube                     | Framework and process
Skewed to negative           | Risk can be positive or negative
Risk already exists          | Risk tied to achieving objectives
Risk & opportunities         | Opportunities also a source of risk
More sequential process      | More iterative process
• However… many organizations use both COSO ERM and ISO 31000
• Biggest challenge is that concepts and terminology are not aligned!
Bringing together COSO, ISO, ROGB and others
• Best opportunity to further align concepts and terminology by bringing
together the various issuers of standards, guidance & frameworks
• To discuss how the terminology, various concepts & guidelines could
be better aligned
• IFAC facilitates first meeting of COSO, ISO 31000, and ROGB boards
in September 2013 in Chicago
• Including representatives from RIMS and other organizations
• Should all work together to produce globally-aligned terminology,
concepts, and guidelines that are relevant to all users.
• IFAC looks forward to continuing to contribute to this collaborative effort
C. Encouraging better application of RM/IC guidelines
Bad practice vs. good practice in RM/IC
Overwhelming load of bad practice:
Bad practice                     | Good practice
RM/IC as objective in itself     | RM/IC to achieve objectives
Auditor / staff driven           | Board and management driven
Rules-based                      | Principles-based
Off-the-shelf systems            | Tailor-made
Focused on threats only          | Also focused on opportunities
Mainly hard controls             | Social / human aspects
Artificially implemented         | Organically implemented
Stand-alone / “bolt-on”          | Integrated / “built-in”
Static, out-of-date              | Dynamic, evolving
Creates costs                    | Creates results / value
Abandoned                        | Supported
IFAC risk management & internal control publications
• Evaluating and Improving Governance in Organizations
• Evaluating and Improving Internal Control in Organizations
• Integrating Governance for Sustainable Success
• All IFAC Publications free-of-charge at www.ifac.org
Evaluating and Improving IC in Organizations
• Highlighting areas where practical application of internal
control standards often fails in many organizations
• Designed to establish a benchmark for good practice in
maintaining effective internal control in response to risk
• For all types of organizations, as all organizations—whether
private or public—should have appropriate internal control
Guidance to avoid or overcome pitfalls
Good internal control should:
• Support the organization’s objectives
• Define clear roles and responsibilities
• Foster a motivational culture
• Link to individual performance
• Ensure sufficient competency
• Respond to risk
• Be communicated regularly
• Be monitored and evaluated regularly
• Provide for accountability and transparency
Next steps > guidance in integration of risk & control
• Risk management and internal control are a means to an
end: making sound (SWOT) decisions to achieve the
organization’s objectives without surprises!
• Principles on how risk managers can support their
organization integrating risk management and internal
control into the organization’s overall governance and
management system
Key takeaways
• Risk management and internal control have matured
• Still many flaws
• IFAC supports:
    Further integration of RM/IC
    Further alignment of RM/IC standards
    Better application of RM/IC principles and concepts
• However, no matter the guidance provided…
• …There will always be some who do it their own way!