Presentation given by Vincent Tophoff, IFAC Senior Technical Manager, on risk management and internal control at the Second International ISO 31000 Conference in Toronto, May 2013.

1. 1
Leveraging ISO 31000 for Effective Integration
of Risk Management and Internal Control
Presenter:
Vincent Tophoff
International Federation of Accountants (IFAC)
Second international ISO 31000 conference – Toronto, 28-31 May 2013

2. Overview
• Role and domain of IFAC
• Maturity of risk management and internal control
(RM/IC)
• Broader approach in RM/IC
• Broader approach in RM/IC standards, frameworks &
guidelines
• Remaining pitfalls in RM/IC: application failures
• IFAC supports further improvements in RM/IC
2
Second international ISO 31000 conference – Toronto, 28-31 May 2013

3. 3
The International Federation of Accountants (IFAC)
• The global organization of the accountancy profession
• 172 member bodies and associates in 129 countries
• 2.5 million professional accountants in public practice,
commerce, industry, financial services, the public sector,
education, and the not-for-profit sector
• Public interest focused
Second international ISO 31000 conference – Toronto, 28-31 May 2013
More than half
are in this box

4. 4
The International Federation of Accountants (IFAC)
• Supports accountants in following areas:
Auditing and accounting
Governance and ethics
Risk management and internal control
Sustainability and corporate responsibility
Financial and performance management
Business reporting
Promoting and contributing to the value of accountants
• All areas of critical importance to the organizations they
work for!
Second international ISO 31000 conference – Toronto, 28-31 May 2013

5. 5
Second international ISO 31000 conference – Toronto, 28-31 May 2013
• Crisis
management
• Internal
control now
complemented
with risk
management
• But performed
in a silo…
• Integrating risk
management
and internal
control in the
governance &
management
of organization
Level 1:
Non-existent
or ad hoc
Level 2:
Internal
control only
Level 3:
RM/IC
as a silo
Level 4:
Integrated
RM/IC
•Formal
internal
control
•Mainly
focused on
external
financial
reporting
Integration of RM/IC
Here we are now

6. 6
IFAC survey on risk management & internal control
• Received over 600 responses from around the globe
Main conclusions:
• More awareness of the benefits of risk management and
internal control systems should be created
• Risk management and internal control should be better
integrated into organizations’ overall governance, strategy,
and operations
• Risk management and internal control requirements and
guidelines should be further aligned internationally
Second international ISO 31000 conference – Toronto, 28-31 May 2013

7. 7
Global Survey on Risk Management & Internal Control
> Proposed Next Steps
• Emphasizing the benefits of (more integrated) risk
management and internal control
• Bringing various risk management and internal control
standard setting organizations (such as COSO, ISO 31000
& Risk Oversight & Governance Board) and their guidelines
closer together
• Collaborating with experts on development of practical
application guidance for (integration of) risk management
and internal control
Second international ISO 31000 conference – Toronto, 28-31 May 2013

8. 8
Global crisis
According to IFAC research caused by:
• Ethical flaws
• Governance, risk management & internal control in name but
not in spirit
• Regulatory overload, leading to legalistic compliance
• Risk & control systems too narrowly focused on only financial
reporting controls
• However, many, if not most, of the risks that affected
organizations derived from areas other than financial reporting
Second international ISO 31000 conference – Toronto, 28-31 May 2013

9. 9
Conclusions from survey and global crisis
A. Organizations should take a broader approach in risk
management and internal control
B. Risk management and internal control standards and
principles should better enable taking a broader approach
C. Appropriate application of risk management and internal
control standards and principles is often the problem
Second international ISO 31000 conference – Toronto, 28-31 May 2013

10. 10
A. Taking a broader approach in RM/IC
Second international ISO 31000 conference – Toronto, 28-31 May 2013

11. 11
Broader approach in risk management (1)
• Q: “How does your organization address uncertainty in
achieving its strategic objectives?”
• A: “Through our strategic management system;”
Line management engaged in plan-do-check-act cycle
Focused on achieving the organization’s objectives
• Q: “How does your organization address risk?”
• A: “Through our risk management system;”
(separate) risk and control system, staff functionaries,
risk register
Focused on mitigating risk
Second international ISO 31000 conference – Toronto, 28-31 May 2013

12. 12
Broader approach in risk management (2)
What does this example tell us?
• That we, finance & accounting folks, have made great
progress in the area of risk management and internal control…
• …But that we, in the process, lost the other people in our
organization!
Risk Management
Rest of the Organization
Second international ISO 31000 conference – Toronto, 28-31 May 2013

13. 13
Broader approach in risk management (3)
Biggest risk facing an
organization:
Disconnect between those
responsible for achieving
strategic objectives vs.
those responsible for
managing risk
Solution:
Making those responsible
for achieving strategic
objectives also responsible
for managing related risks!
Second international ISO 31000 conference – Toronto, 28-31 May 2013

14. 14
Broader approach in risk management (4)
• Line management is accountable for (achieving) the
organization’s objectives,
• This also includes responsibility for managing the effects of
risk on those objectives
Key objective for management accountants in this regard:
• Ensure that risk management and internal control are fully
integrated in the line management of an organization!
Second international ISO 31000 conference – Toronto, 28-31 May 2013

15. 15
Broader approach in internal control (1)
• Internal control not as an objective in itself
• But as a response to modify risk
• (In order to achieve the organization’s objectives)
• And…
Second international ISO 31000 conference – Toronto, 28-31 May 2013

16. 16
Broader approach in internal control (2)
Hindering the
organization
Enabling the
organization
• Good internal control: invisible hand
From To
Second international ISO 31000 conference – Toronto, 28-31 May 2013

17. 17
B. Collaborating with standard setters
• IFAC collaborates with regulators and standard setters in
area of governance, risk management, and internal control
Second international ISO 31000 conference – Toronto, 28-31 May 2013

18. 18
IFAC collaboration with Canadian ROGB
• IFAC also participates in the Canadian Risk Oversight and
Governance Board (ROGB)
• Offers guidance to directors and senior managers to fulfill
their responsibility for governance and the oversight of risk
management
• Freely available from the ROGB website
Second international ISO 31000 conference – Toronto, 28-31 May 2013

19. 19
IFAC collaboration with COSO
• Committee of Sponsoring Organizations of the Treadway
Commission (COSO)
• Providing thought leadership through the development of
frameworks and guidance on risk management and internal
control
• Revised Framework issued in May 2013 and available at
www.coso.org
Second international ISO 31000 conference – Toronto, 28-31 May 2013

20. 20
IFAC collaboration with ISO 31000
• International Standards Organization (ISO) developed the
standard ISO 31000:2009 Risk Management
• Can be used by any public, private or community enterprise,
association, group, or individual
• Can be applied to any type of risk, whatever its nature,
whether having positive or negative consequences (so
broader than ERM)
Second international ISO 31000 conference – Toronto, 28-31 May 2013

21. 21
Comparison COSO ERM vs. ISO 31000
COSO ISO 31000
• Lengthy vs. Short
• Focused on ERM vs. General approach to managing risk
• One cube vs. Framework and process
• Skewed to negative vs. Risk can be positive or negative
• Risk already exists vs. Risk tied to achieving objectives
• Risk & opportunities vs. Opportunities also source of risk
• More sequential process vs. More iterative process
• However… many organizations use both COSO ERM and ISO 31000
• Biggest challenge is that concepts and terminology are not aligned!
Second international ISO 31000 conference – Toronto, 28-31 May 2013
Too short, however,
to really understand

22. 22
Bringing together COSO, ISO, ROGB and others
• Best opportunity to further align concepts and terminology by bringing
together the various issuers of standards, guidance & frameworks
• To discuss how the terminology, various concepts & guidelines could
be better aligned
• IFAC facilitates first meeting of COSO, ISO 31000, and ROGB boards
in September 2013 in Chicago
• Including representatives from RIMS and other organizations
• Should all work together to produce globally-aligned terminology,
concepts, and guidelines that are relevant to all users.
• IFAC looks forward to continue contributing to this collaborative effort
Second international ISO 31000 conference – Toronto, 28-31 May 2013

23. 23
C. Encouraging better application of RM/IC guidelines
Second international ISO 31000 conference – Toronto, 28-31 May 2013

24. 24
Bad practice vs. good practice in RM/IC
Second international ISO 31000 conference – Toronto, 28-31 May 2013
Overwhelming load of bad practice:
• RM/IC as objective in itself vs. RM/IC to achieve objectives
• Auditor / staff driven vs. Board and management driven
• Rules-based vs. Principles-based
• Of the shelf systems vs. Tailor made
• Focused on threats only vs. Also focused on opportunities
• Mainly hard controls vs. Social / human aspects
• Artificially implemented vs. Organically implemented
• Stand-alone / “bolt-on” vs. Integrated / ”built-in”
• Static, out-of-date vs. Dynamic, evolving
• Creates costs vs. Creates results / value
• Abandoned vs. Supported

25. 25
IFAC risk management & internal control publications
• Evaluating and Improving Governance in Organizations
• Evaluating and Improving Internal Control in Organizations
• Integrating Governance in for Sustainable Success
• All IFAC Publications free-of-charge at www.ifac.org
Second international ISO 31000 conference – Toronto, 28-31 May 2013

26. 26
Evaluating and Improving IC in Organizations
• Highlighting areas where practical application of internal
control standards often fails in many organizations
• Designed to establish a benchmark for good practice in
maintaining effective internal control in response to risk
• For all types of organizations, as all organizations—whether
private or public—should have appropriate internal control
Second international ISO 31000 conference – Toronto, 28-31 May 2013

27. 27
Guidance to avoid or overcome pitfalls
Good internal control should:
• Support the organization’s objectives
• Define clear roles and responsibilities
• Foster a motivational culture
• Link to individual performance
• Ensure sufficient competency
• Respond to risk
• Be communicated regularly
• Be monitored and evaluated regularly
• Provide for accountability and transparency
Second international ISO 31000 conference – Toronto, 28-31 May 2013

28. 28
Next steps > guidance in integration of risk & control
• Risk management and internal control are a means to an
end: making sound (SWOT) decisions to achieve the
organization’s objectives without surprises!
• Principles on how risk managers can support their
organization integrating risk management and internal
control into the organization’s overall governance and
management system
Second international ISO 31000 conference – Toronto, 28-31 May 2013

29. 29
Second international ISO 31000 conference – Toronto, 28-31 May 2013
Key takeaway’s
• Risk management and internal control have matured
• Still many flaws
• IFAC supports:
further integration of RM/IC
Further alignment of RM/IC standards
Better application of RM/IC principles and concepts
• However, no matter the guidance provided…

30. • …There will always be some who do it their own way!
30
Second international ISO 31000 conference – Toronto, 28-31 May 2013