by Lori Sexton, CPA, CGMA, Senior Technical Manager – Management Accounting, Association of International Certified Professional Accountants
Boards want it. Management needs it. But most organizations still don’t have a complete enterprise risk management (ERM) process in place, according to a recent survey of more than 400 CFOs and finance leaders.
Most finance leaders agree that the volume and complexity of risks is increasing extensively. In fact, 65% of those surveyed by the American Institute of CPAs (AICPA) in partnership with North Carolina State University’s ERM Initiative said they recently experienced an operational surprise from a risk they didn’t anticipate.
Though risk/reward calculations exist and are quite simple, ERM is not that easy. The ERM process begins with identification and assessment. This includes some forecasting and evaluation of all types of risks, which includes the likelihood of the risk occurring and the potential impact. ERM looks at mitigations in light of market uncertainty, your organization’s strategy, stakeholder expectations and many other internal and external factors.
As complicated as it is, a successful ERM program is fully attainable. Management accountants are uniquely positioned to lead this effort because of their expertise in risk assessment, business strategy, communications and business partnering.
After more than two decades of experience as a management accountant and risk management professional, I’ve seen five common mistakes organizations make as well as ways to create a successful ERM process:
- Trying to create their own risk management framework. Yes, ERM is complicated, so don’t be afraid to see what others have done. There are great frameworks and tools available to address risk. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework is one of the most popular and is used by organizations worldwide. The AICPA also recently published this framework to help organizations communicate about the effectiveness of their cybersecurity risk management programs.
- Not leveraging the expertise of their IT department. View IT as a partner, rather than an operational group. Although IT departments are generally not situated to lead ERM efforts, they should be involved in the process. IT can provide key metrics for your risk analysis, help mine the data and assist in SWOT (strengths, weaknesses, opportunities and threats) analysis.
- Mistaking list management for risk management. Although you’ve got to identify risks to manage them, this is the start rather than the end of risk management. A key role of ERM — one that less than 20% of organizations reported doing successfully — is using the risk management process to your organization’s strategic advantage. Sometimes ERM gets mired in excessive detail. Senior management and boards should aim to focus on a maximum of 20 risks at a time. ERM can roll up subsets of risks and corresponding mitigations into the key ones that relate directly to strategic plans and objectives. Risks change constantly and need to be continually reevaluated. Check out these CGMA tools, including heat maps and a cybersecurity tool, which can help.
- Not setting correct expectations. ERM is not a perfect science. There will always be something unknown: a forecast that doesn’t pan out as expected or a mitigating factor not considered. A key message to communicate to boards is that the ERM planning process should not be judged solely by its accuracy. The ERM process reduces the number — and cost — of surprises and increases the speed and effectiveness of mitigating unexpected events.
Mistaking risk management for internal audit’s job.
Management accountants understand the necessity of audit
independence. Risk management is owned by the board, executives,
management and employees. Internal audit can provide oversight and
input. However, placing ERM responsibility within internal audit
introduces an unacceptable risk.
Regardless of whether you have formal ERM responsibilities or support the ERM initiative in your organization, it’s important to stay abreast of developments within the risk management field and share them at your organization. The Association of International Certified Professional Accountants, the unified voice of the AICPA and the Chartered Institute of Management Accountants (CIMA), has resources to help you on this journey.