The Essential Experience for CAEs: Risk Management is Dead, Long Live Risk Management
1. Risk Management is Dead, Long Live Risk Management!
Vincent Tophoff
International Federation of Accountants (IFAC)
2. International Federation of Accountants
• Global organization of the accountancy profession
• Supports professional accountants in following areas:
– Governance and ethics
– Risk management and internal control (RM/IC)
– Sustainability and corporate responsibility
– Financial and performance management
– Business reporting
– Promoting and contributing to the value of professional accountants
• All areas of critical importance to internal auditors
6. Why Is Risk Management Dead?
• Having a compliance-only mentality
• Treating risk as only negative and overlooking the idea that entities need to take risk in pursuit of their objectives
• Risk management & internal control that is overly focused on external financial reporting
• Regarding risk management & internal control as a separate function or process
7. Additional Causes of Death
• RM/IC as objective in itself
• Auditor / staff driven
• Rules-based
• Off-the-shelf systems
• Focused on loss minimization
• Mainly hard controls
• Imposed
• Stand-alone / “bolt-on”
• Static, out-of-date
• Seen as overhead
• Abandoned
8. Post Mortem Examination
Q: How does your entity address uncertainty in achieving its strategic objectives?
A: Through our strategic management system
– Line management engaged in a plan-do-check-act cycle
– Focused on achieving the entity’s objectives
Q: How does your entity address risk?
A: Through our risk management system
– (Separate) risk and control system, staff functionaries, risk register
– Focused on mitigating risk
9. What does this example tell us?
• That we, risk management professionals, have made great progress in the area of risk management & internal control…
• …but that we, in the process, lost the other people in our entity!
10. Effective Risk Management:
• Facilitates the achievement of an organization’s objectives
• While complying with legal, regulatory and societal expectations, and
• Enables the organization to better respond and adapt to surprises, disruptions, and changes in its environment
How?
• From bolt-on to built-in: by fully integrating risk management into your organization's overall system of management!
12. Tip 1: Focus on Your Organization’s Objectives
The objective of your organization:
• Is not to have effective controls…
• Is not to effectively manage risk…
but to
• Properly set & achieve its objectives
• Better adapt to surprises and disruptions
• And create sustainable value
13. For that reason…
• Identify, assess, treat, report, monitor, and review risk
• Always in relation to the objectives your organization wants to achieve
• While giving consideration to the organization’s ever-changing internal and external context
14. Tip 2: Make Objective Owner Also the Risk Owner
• Make those responsible for setting & achieving your entity’s objectives also responsible for effectively managing the related risk
• Line management needs to accept its responsibility and not delegate risk management and internal control to specialized staff departments
16. Rethink Your Five Lines of Defense Offense
1. Players (Operational Staff)
2. Captain (Supervisor /Line Manager)
3. Coach (Risk Manager)
4. Referee (Internal Auditor)
5. USSF/ FIFA (GAO/External Auditor)
[Diagram labels from the slide: “Support” and “Line”]
17. Tip 3: Tear Down the Risk Management Silo!
• Instead of imposing typical risk management tools and processes onto people and processes…
• We should try to adapt them to suit the needs of the non-risk-management specialists in our organization, and
• Integrate them in their existing approaches to decision making and subsequent execution
18. Tip 4: Use Frameworks, Standards & Guidance
… The biggest challenge is that the concepts are not aligned:

COSO                              vs.  ISO 31000
Lengthy                           vs.  Short
Focused on ERM                    vs.  General approach to managing risk
One cube                          vs.  Principles, framework & process
Skewed to negative                vs.  Risk can be positive or negative
Risk already exists               vs.  Risk tied to achieving objectives
Risk & opportunities              vs.  Opportunities also a source of risk
More sequential process           vs.  More iterative process
19. Tip 5: Manage Risk from the Start
• (Strategic) objective setting is the activity that involves the most risk
• So, don’t wait until after objectives have been established
• But, instead, make risk management an integral part of the (decision-making) process to establish those objectives!
20. Tip 6: Make Informed Decisions
• High-quality information is crucial to good decision making, as it reduces uncertainty
– Ensure access to timely, reliable data
– Arrange for expertise to analyze those data and turn them into useful information
• Professional judgment must always be professional
21. Tip 7: Remain Sufficiently Agile
• Organizations need to build both resilience and agility in all their activities
• Enabling them to adequately respond to changes in circumstances, and
• Deal with the consequences of unforeseen events
23. More Tips:
• Eliminate the risk management jargon and use plain English
• Provide more “how to” recommendations, as well as practical examples of how to apply good risk management
24. Treatment For Effective Risk Management
From RM/IC as objective in itself to RM/IC to help achieve objectives
From Auditor / staff driven to Driven from top down
From Rules-based to Performance & principles-based
From Off-the-shelf systems to Tailored to the entity
From Focused on loss minimization to Also focused on value creation
From Mainly hard controls to Recognizing culture & attitude
From Imposed to Implemented organically
From Stand-alone / “bolt-on” to Integrated / “built-in”
From Static, out-of-date to Dynamic, evolving
From Seen as overhead to Seen as a sound investment
From Abandoned to Integrated in governance
26. Thoughts on Progressing Maturity
• Consult and communicate!
• Consider good practice developments
• Use the Frameworks
• Perform gap analysis
• Determine performance
• Look at audit results
• Analyze serious flaws
• …
• Continuously move to improvement!
27. Internal Auditor “Call to Action”
• Build RM/IC subject-matter expertise (IIA standards & guidance, COSO, ISO 31000, & IFAC guidance)
• Educate the governing bodies, audit committees, management teams & staff of your organization
• Champion full integration of RM/IC in your organization’s overall system of management
• Support your organization through the provision of high-quality advice, insight, and assurance
28. Key Takeaways
• There are many flaws in current RM/IC practices
• Achieving the entity’s objectives is the overall goal
• Risk management should be fully integrated in the entity’s system of management
• Internal auditors support RM/IC in various ways in the public sector entities they oversee
• IFAC supports professional accountants / internal auditors
• However, no matter the guidance provided…