The document discusses the importance of integrating risk management and internal control (RM/IC) in public sector governance to achieve strategic objectives effectively. It highlights common pitfalls in current practices and promotes frameworks like COSO and ISO 31000 for better RM/IC maturity. The role of the Contraloría General de la República (CGR) is to champion good RM/IC practices and support public sector entities in achieving their goals.

1. Page 1 | Confidential and Proprietary Information
Risk Management and Internal Control
in the Public Sector
Vincent Tophoff, International Federation of
Accountants (IFAC)
Contraloría General de la República (CGR)
Seminario Unidades de Control Interno:
Gestión de Riesgos y Control Interno en el
Sector Público
Santiago, Chile, January, 2015

2. Page 2 | Confidential and Proprietary Information
International Federation of Accountants
• Global organization of the accountancy profession
• Supports professional accountants in following areas:
– Governance and ethics
– Risk management and internal control (RM/IC)
– Sustainability and corporate responsibility
– Financial and performance management
– Business reporting
– Promoting and contributing to the value of professional accountants
• All areas of critical importance to professional accountants
(and for CGRs & public sector entities too…)

3. Page 3 | Confidential and Proprietary Information
Relation of Public Sector Governance, Risk
Management & Internal Control
• How do you think that
governance, risk
management & internal
control are related to
each other?

4. Page 4 | Confidential and Proprietary Information
Relation of Public Sector Governance, RM & IC

5. Page 5 | Confidential and Proprietary Information
Today’s Agenda
 The Pitfalls – Setting the Scene
 Current Thinking
 COSO /ISO 31000 Standards
 Risk Management & Internal
Control Maturity
 CGR “Call to Action”
 Q&A

6. Page 6 | Confidential and Proprietary Information
The Pitfalls – Setting the Scene

7. Page 7 | Confidential and Proprietary Information
Serious Risk Management & Internal Control Flaws
• Having a compliance-only mentality
• Treating risk as only negative and overlooking idea that
entities need to take risk in pursuit of their objectives
• Risk management & internal control that is overly focused
on external financial reporting
• Regarding risk management & internal control as a
separate function or process
• Viewing risk management & internal control as
predominantly important for operations

8. Page 8 | Confidential and Proprietary Information
Bad vs. Good RM/IC Practices
RM/IC as objective in itself vs. RM/IC to help achieve objectives
Auditor / staff driven vs. Driven from top down
Rules-based vs. Performance & principles-based
Off-the-shelf systems vs. Tailored to the entity
Focused on loss minimization vs. Also focused on value creation
Mainly hard controls vs. Recognizing culture & attitude
Imposed vs. Implemented organically
Stand-alone / “bolt-on” vs. Integrated / ”built-in”
Static, out-of-date vs. Dynamic, evolving
Seen as overhead vs. Seen as a sound investment
Abandoned vs. Integrated in governance

9. Page 9 | Confidential and Proprietary Information
Global Crisis
Global Crisis, according to IFAC research, was caused by:
 Ethical flaws
 Governance, risk management in name, but not in spirit
 Regulatory overload, leading to legalistic compliance
 Risk & control systems too narrowly focused on only financial
reporting controls
Conclusions from the crisis:
 Entities should take a broader approach in risk management &
internal control
 Appropriate application of risk management & internal control
standards and principles is often the problem

10. Page 10 | Confidential and Proprietary Information
Current Thinking

11. Page 11 | Confidential and Proprietary Information
Current Thinking About Risk
The safest place for a ship…
… is to stay in the harbor
But that’s not what ships were made for…

12. Page 12 | Confidential and Proprietary Information
… Instead, ships were made to transport people &
goods to other destinations…
… And that involves risk…
So, what is risk?
• Risk is nowadays defined as “the effect of uncertainty
on (setting and achieving) the entity’s objectives” (ISO
31000)
• No Objectives = No Risk. Therefore, risk should
always be assessed in light of (setting and achieving)
the entity’s objectives!
Current Thinking About Risk

13. Page 13 | Confidential and Proprietary Information
Current Thinking About Risk Management
Q: “How does your entity address uncertainty in
achieving its strategic objectives?”
A: “Through our strategic management system;”
– Line management engaged in plan-do-check-act cycle
– Focused on achieving the entity’s objectives
Q: “How does your entity address risk?”
A: “Through our risk management system;”
– (separate) risk and control system, staff functionaries,
risk register
– Focused on mitigating risk

14. Page 14 | Confidential and Proprietary Information
What does this example tell us?
• That we, risk management professionals, have made
great progress in the area of risk management &
internal control…
• …But that we, in the process, lost the other people in
our entity!
Risk Management
Rest of the entity
Current Thinking About Risk Management

15. Page 15 | Confidential and Proprietary Information
Five lines of defense:
Current Thinking About Risk Management

16. Page 16 | Confidential and Proprietary Information
Five lines of defense:
Current Thinking About Risk Management
1. Players
2. Captain
3. Coach
4. Referee
5. FIFA

17. Page 17 | Confidential and Proprietary Information
Five lines of defense:
Current Thinking About Risk Management
1. Players (Operational Staff)
2. Captain (Supervisor /Line Manager)
3. Coach (Risk Manager)
4. Referee (Internal Auditor)
5. FIFA (SAI / External Auditor)
Line
Support

18. Page 18 | Confidential and Proprietary Information
Current Thinking About the Risk Manager
Biggest risk facing an entity:
Disconnect between those
responsible for achieving
strategic objectives vs. those
responsible for managing risk
Solution:
Making those responsible for
achieving strategic objectives
also responsible for managing
related risks!
Key objective for risk manager is to ensure that risk
management is fully integrated in line management!

19. Page 19 | Confidential and Proprietary Information
Current Thinking About Internal Control
Hindering the entity Enabling the entity
Good internal control = The Invisible Hand
From To

20. Page 20 | Confidential and Proprietary Information
COSO Frameworks
(also adopted by INTOSAI)

21. Page 21 | Confidential and Proprietary Information
2013 COSO Internal Control Cube

22. Page 22 | Confidential and Proprietary Information
2004 COSO ERM Cube
Will be revised
soon!

23. Page 23 | Confidential and Proprietary Information
COSO IC vs. COSO ERM

24. Page 24 | Confidential and Proprietary Information
ISO 31000 Risk Management Standard

25. Page 25 | Confidential and Proprietary Information
ISO 31000 Principles, Framework & Process

26. Page 26 | Confidential and Proprietary Information
ISO 31000 Risk Management Principles
• Creates Value
• Integral Part of Organizational Processes
• Part of Decision-Making
• Explicitly Addresses Uncertainty
• Systematic, Structured & Timely
• Based on “Best Available Information”
• Tailored
• Considers Human & Cultural Factors
• Transparent & Inclusive
• Dynamic, Iterative & Responsive to Change
• Facilitates Continuous Improvement

27. Page 27 | Confidential and Proprietary Information
ISO 31000 Risk Management Framework

28. Page 28 | Confidential and Proprietary Information
ISO 31000 Risk Management Process
To be applied in
every decision
making process
and subsequent
execution!

29. Page 29 | Confidential and Proprietary Information
COSO ERM vs. ISO 31000
Many entities use both COSO ERM & ISO 31000…
… Biggest challenge is that concepts are not aligned
COSO ISO 31000
Lengthy vs. Short
Focused on ERM vs. General approach to managing risk
One cube vs. Principles, framework & process
Skewed to negative vs. Risk can be positive or negative
Risk already exists vs. Risk tied to achieving objectives
Risk & opportunities vs. Opportunities also source of risk
More sequential process vs. More iterative process

30. Page 30 | Confidential and Proprietary Information
Risk Management & Internal Control
Maturity

31. Page 31 | Confidential and Proprietary Information
RM/IC Maturity Levels

32. Page 32 | Confidential and Proprietary Information
• Is not to have effective
controls…
• Is not to effectively manage
risk…
But to
• Properly set & achieve its
objectives
• Avoid too many surprises
along the way
• And create sustainable value
Main Objective of a Public Sector Entity

33. Page 33 | Confidential and Proprietary Information
Argument for Integrating Risk Management & IC
• So, risk management & internal control are not objectives in
themselves, but means to an end…
… Making sound (SWOT) decisions and execute
subsequent actions to achieve the entity’s objectives
without surprises!
… Risk management & internal control should therefore be
fully integrated into a public sector entity's overall
system of management, including governance, strategy
development and planning, operations, reporting, and
accountability

34. Page 34 | Confidential and Proprietary Information
Risk Is Inherent to Setting Your Objectives

35. Page 35 | Confidential and Proprietary Information
Achieving Your Objectives Through Planning & Control 1

36. Page 36 | Confidential and Proprietary Information
Achieving Your Objectives Through Planning & Control 2
Strategic, tactical, and
operational planning & control
cycles
A
P
D
C

37. Page 37 | Confidential and Proprietary Information
Achieving Your Objectives Through Planning & Control 3

38. Page 38 | Confidential and Proprietary Information
RM/IC Integral to Achieving Your Objectives

39. Page 39 | Confidential and Proprietary Information
• Use the Frameworks
• Consider good practice developments
• Perform gap analysis
• Determine performance
• Look at audit results
• Analyze serious flaws
• …
• Continuously move to improvement!
Thoughts on Assessing RM/IC Maturity

40. Page 40 | Confidential and Proprietary Information
CGR “Call to Action”

41. Page 41 | Confidential and Proprietary Information
CGR “Call to Action”
CGRs play important roles in implementing good risk
management & internal control in public sector entities:
• Build subject-matter-expertise regarding RM/IC (incl. INTOSAI
standards & guidance, COSO Frameworks, ISO 31000)
• Educate the governing bodies, audit committees, management
teams & staff of the relevant public sector entities
• Champion the importance of good RM/IC: fully integrated in the
entity’s overall system of management
• Support public sector entities through the provision of high-quality
assurance, advice & insight

42. Page 42 | Confidential and Proprietary Information
CGR’s Role - #1
Champion importance of good risk management:
• CGRs communicate with public sector entity’s leadership
• Attitude and actions of CGR sets tone for good risk
management in public sector entities
• Promote integrating risk management into line
management of a public sector entity!
• Most important element: making RM/IC part of every
decision making process and subsequent execution in
the entity!

43. Page 43 | Confidential and Proprietary Information
CGR’s Role - #2
Support line management by providing high-
quality assurance, advice & insight:
• Decisions should only be taken with explicit understanding
of related risks and their potential consequences for
achieving an entity’s objectives
• Therefore, decision makers require relevant and reliable
information for their decision making and control processes

44. Page 44 | Confidential and Proprietary Information
Key Take Aways
• There are many flaws in current risk management and internal
control practice
• Achieving the entity’s objectives is the overall goal; risk is
inherent part of that
• Risk management should, therefore, be fully integrated in the
entity’s system of management
• CGRs support RM/IC in various ways in the public sector entities
they oversee
• IFAC supports professional accountants / CGRs
• However, no matter the guidance provided…

45. Page 45 | Confidential and Proprietary Information
There will always be some …
… who do it their own way!