MNP is a leading national accounting, tax and business consulting firm in Canada.
Suite 2000, 330 5th Ave. S.W.
MNP's TAKE: As you can see below, risk management and corporate governance considerations are vast and ongoing. It is particularly critical for the board and management to work together to ensure risk is not put on the back burner, but rather, is part of day-to-day operations and considerations.
If the development and management of a risk program feels overwhelming or is beyond the capacity of your organization's leadership, you may want to consider bringing in outside support. A third party can help assess management's attempts at enterprise risk planning to date, identify shortfalls and provide peace-of-mind to the board and other stakeholders. In addition, working with a third party allows for a more streamlined approach to developing your risk strategy. Enterprise risk is not a one-size-fits-all operational approach - it's important to right-size your plan for your organization and industry.
To learn more about how MNP can help your organization and board better manage their business risks, contact Gordon Chan, CPA, CA, CFE, CRMA, Enterprise Risk Services National Leader, at 403.537.8429 or [email protected], or your local MNP Enterprise Risk Services Advisor.
BY NORMAN MARKS FROM BUSINESS2COMMUNITY
Oversight by the board of this critical area is an essential element of effective governance. With this in mind, many organizations have provided guidance – but while some is good, others are likely to lead boards astray; they may even lead to errors in the implementation of risk management such as a failure to recognize that risk management is a dynamic process that needs to be integrated across the organization and made part of strategy-setting, performance management, and daily decision-making. It is not a periodic exercise.
Just as the management of risk is a dynamic, iterative process, the board needs continued assurance that management has an effective process in place.
Let’s take some of the guidance and see what is good and not so good.
COSO, in its Enterprise Risk Management – Integrated Framework, says that “through the risk oversight process, the board should”:
This tells some but not all the story:
[A 2010 COSO report, Board Risk Oversight: A Progress Report from Protiviti, makes interesting reading, together with a 2009 report: Effective Enterprise Risk Oversight, The Role of the Board of Directors].
The problem with many guides from so-called thought leaders and experts on risk oversight is that they talk about the board reviewing a list of top risks from management, seeing if they agree that they are the top risks, validating management’s assessment of each risk, and discussing the actions management is taking in response.
This constitutes a periodic review of a list of risks. It may provide some level of comfort but it is limited to that list of risks and is only at that point in time.
One influential internal audit thought leader believes that internal audit should provide assurance that the board receives an accurate report of [residual] risk levels. I don’t believe that is sufficient because (a) it remains a point in time activity while risk is managed continuously, and (b) it involves internal audit second-guessing management’s assessment of risk levels. Internal audit should ensure management has effective processes for managing risk every day, which includes but is certainly not limited to periodic reporting to executives and the board.
The Canadian Institute of Chartered Accountants produced a thoughtful guide: A Framework for Board Oversight of Enterprise Risk. In the Introduction, you will find this excellent section:
“What is the appropriate role of the board in corporate risk management? Traditional governance models support the notion that boards cannot and should not be involved in day-to-day risk management. Rather, through their risk oversight role, directors should be able to satisfy themselves that effective risk management processes are in place and functioning effectively. The risk management system should allow management to bring to the board’s attention the company’s material risks and assist the board to understand and evaluate how these risks interrelate, how they may affect the company, and how these risks are being managed. To meaningfully assess those risks, directors require experience, training and knowledge of the business.”
I recommend a read of this interesting document.
I also recommend listening to my friend Jim DeLoach talk about risk oversight in this video. Note how he discusses the need for the board to satisfy itself that management has an effective risk management program in place.
The board relies on the system of internal control, with assurance from external and internal audit on its effectiveness, to produce periodic financial reports. It then reviews and asks appropriate questions of the financial statements before they are filed.
In the same way, it should seek to rely on an effective set of processes for managing risks to the achievement of objectives and creation of value. Board members should similarly review periodic risk reports and ask appropriate questions of management.
When the board knows that it can rely on management’s processes for managing risk, will be informed on a timely basis on changes in risk that merit its attention, and reviews and questions reports produced by the risk management process (not only at scheduled meetings but when the board is notified of significant changes), it is providing full-time oversight.
This is my advice for directors in discharging their responsibilities for oversight of risk management (see my prior blog):
1. The responsibility of the board is to ensure that management has appropriate processes for risk management. It is not the directors who identify and assess risk (with the exception of the point below), but management.
2. Some risks should be the remit of directors, such as:
3. Directors should understand that risk management is not just about protecting value but creating it. When risk information is provided to decision-makers and considered in the making of business decisions, better decisions are likely and this will drive better performance. When we are talking about risk, we are talking about uncertainties (potential events or situations) that lie in the path to the organization’s objectives. The effect of those uncertainties can be positive, creating value (often referred to as opportunities), as well as negative, impeding progress. Risk management is, at its core, about understanding those uncertainties (both those with positive and negative effects on objectives) and taking actions to optimize outcomes.
4. Directors should also understand that it is essential that the risk management process be dynamic, iterative, and responsive to change because (a) business conditions, including risks, are changing at an accelerating pace, (b) the volatility of risk seems to be increasing, (c) the time to respond to those changes is diminishing, and (d) business decisions have to be made at speed. Assessing and responding to risk at periodic intervals is unlikely to be sufficient; the understanding and consideration of risk has to be embedded into how the business is run – every day.
5. Risk management should not be a separate activity; it should be embedded in the processes for establishing objectives and setting strategies; managing major projects; monitoring and optimizing performance; reporting of results, both financial and operational; reviewing executive compensation; and daily decision-making.
6. As business conditions change, not only external to the business but also internal – such as organization changes – management should consider updating its risk framework (including approved risk appetite or criteria) and processes.
7. Reviewing the effectiveness of risk management and internal control is an essential part of the board’s responsibilities and should be performed at least annually. The board will need to form its own view on effectiveness based on the information and assurances provided to it (see #10, below), and in doing so it must exercise the standard of care generally applicable to directors in carrying out their duties. Management is accountable to the board for implementing and monitoring the system of risk management and internal control and for providing assurance to the board that it has done so.
8. Neither risk management nor internal control processes provide perfect assurance. Rather, the board should assess whether management’s processes provide reasonable assurance that the more significant risks to the company’s objectives and strategies are within levels appropriate to the company’s business and approved by the board.
9. When assessing the adequacy of risk management, the board should consider:
10. The board should solicit a formal opinion on the adequacy of risk management and internal control from the head of the internal audit function at least annually, which should be considered in the board’s own assessment. The board should also solicit the observations of the independent auditor, recognizing that such observations will generally be limited to risks and controls related to the preparation of the external financial statements. If the organization has a chief risk officer, their opinion should be obtained of the adequacy of risk management processes and practices, including the organization’s risk culture, the adequacy of resources for the management of risk, and the integration of risk into strategy-setting, major project management, performance management, etc.
11. The board should ensure that its members have sufficient collective understanding of risk management practices and techniques to effectively question and assess management’s risk management framework and processes.
12. The board should ensure it receives sufficient useful, reliable, complete, timely, and current information to provide effective oversight of the organization’s performance, including risk management.
Earlier this year, I suggested 5 questions board members should ask management:
I welcome your comments.
This article was written by Norman Marks from Business2Community and was legally licensed through the NewsCred publisher network.