IFAC Senior Technical Manager Vincent Tophoff presentation during the Institute of Chartered Accountants of Pakistan's CFO Conference 2013, CFO: Meeting Future Challenges! Mr. Tophoff discusses current trends and thinking in risk management and best practices.

1. Strategic Risk Management in
the Face of Uncertainty and
Unexpected Risks
Vincent Tophoff, International
Federation of Accountants (IFAC)
ICAP CFO Conference
Karachi, Pakistan
March 12, 2013
Page 1 | Confidential and Proprietary Information

2. ICAP CFO Conference 2013
Overview
• IFAC and its PAIB Committee
• Current thinking in risk management
• Bad practice vs. good practice in risk management
• Role of CFO / PAIB in risk management
• Useful standard and guidelines
• IFAC’s work on risk management and internal control
Page 2 | Confidential and Proprietary Information

3. ICAP CFO Conference 2013
The International Federation of Accountants (IFAC)
• The global organization of the accountancy profession
• 173 member bodies and associates in 129 countries
• 2.5 million professional accountants in public practice,
commerce, industry, financial services, the public
sector, education, and the not-for-profit sector
• Public interest focused
More than half are
in this box. We call
them PAIBs and
IFAC’s PAIB
Committee exists to
support them
Page 3 | Confidential and Proprietary Information

4. ICAP CFO Conference 2013
What IFAC Does
• Establish and promote adherence to high quality
professional standards
• Further adoption and implementation of standards
• Support the global development of the accountancy
profession
• Provides a global voice and promotes the value of
professional accountants worldwide
• Supports professional accountants in business / CFOs
and small and medium practices
Page 4 | Confidential and Proprietary Information

5. ICAP CFO Conference 2013
IFAC’s PAIB Committee >Topic Areas of Importance
• Governance and ethics
• Risk management and internal control
• Sustainability and corporate responsibility
• Financial and performance management
• Business reporting
• Promoting and contributing to the value of PAIBs/CFOs
All areas of critical importance to professional accountants
in business and CFOs
Page 5 | Confidential and Proprietary Information

6. ICAP CFO Conference 2013
Global Crisis, Caused by:
• Ethical flaws
• Governance, risk & control in name but not in spirit
• Regulatory overload, leading to legalistic compliance
• Risk & control systems too narrowly focused on only
financial reporting controls
Conclusions:
• Appropriate application of risk management and internal
control standards and principles is often the problem
• Organizations should take a broader approach in risk
management and internal control.
Page 6 | Confidential and Proprietary Information

7. ICAP CFO Conference 2013
Current thinking about risk (1)
• The safest place for a ship…
• … is to stay in the harbor
• But that’s not where ships are made for…
Page 7 | Confidential and Proprietary Information

8. ICAP CFO Conference 2013
Current thinking about risk (2)
• Instead, ship are used to transport people and goods to
other destinations
• And that involves risk
So, what is risk?
• Risk is nowadays defined as ―the effect of uncertainty on
(achieving) the organization’s objectives‖ (ISO 31000)
• No objectives => no risk. Therefore, risk should always
be assessed in light of the organization’s objectives
Page 8 | Confidential and Proprietary Information

9. ICAP CFO Conference 2013
Current thinking about risk management (1)
• Q: “How does your organization address uncertainty in
achieving its strategic objectives?”
• A: ―Through our strategic management system;‖
– Line management engaged in plan-do-check-act cycle
– Focused on achieving the organization’s objectives
• Q: “How does your organization address risk?”
• A: ―Through our risk management system;‖
– (separate) risk and control system, staff functionaries, risk register
– Focused on mitigating risk
Page 9 | Confidential and Proprietary Information

10. ICAP CFO Conference 2013
Current thinking about risk management (2)
What does this example tell us?
• That we, CFOs / PAIBs, have made great progress in the
area of risk management and internal control…
• …But that we, in the process, lost the other people in our
organization!
Risk Management
Rest of the Organization
Page 10 | Confidential and Proprietary Information

11. ICAP CFO Conference 2013
Current thinking about risk management (3)
Biggest risk facing an
organization: Disconnect
between those responsible for
achieving strategic objectives
vs. those responsible for
managing risk
Solution: making those
responsible for achieving
strategic objectives also
responsible for managing
related risks!
Page 11 | Confidential and Proprietary Information

12. ICAP CFO Conference 2013
Current thinking about risk management (4)
• Line management is accountable for (achieving) the
organization’s objectives,
• This also includes responsibility for managing the effects of
risk on those objectives
Key objective for CFOs / PAIBs in this regard:
• Ensure that risk management and internal control are fully
integrated in the line management of an organization!
Page 12 | Confidential and Proprietary Information

13. ICAP CFO Conference 2013
Bad Practice vs. Good Practice in Risk Management
Overwhelming load of bad practice
• RM/IC as objective in itself vs. RM/IC to achieve objectives
• Auditor / staff driven vs. Board and management driven
• Rules-based vs. Principles-based
• Of the shelf systems vs. Tailor made
• Focused on threats only vs. Also focused on opportunities
• Mainly hard controls vs. Social / human aspects
• Artificially implemented vs. Organically implemented
• Stand alone / ―bolt-on‖ vs. Integrated / ‖built-in‖
• Static, out-of-date vs. Dynamic, evolving
• Creates costs vs. Creates results / value
• Abandoned vs. Supported
Page 13 | Confidential and Proprietary Information

14. ICAP CFO Conference 2013
Bad Practice vs. Good Practice in Risk Management (2)
or
Hindering the Enabling the
organization organization
• Good risk management & internal control: invisible hand
Page 14 | Confidential and Proprietary Information

15. ICAP CFO Conference 2013
Role of the PAIB / CFO in Risk Management (1)
PAIB / CFO plays many important roles in implementing
good risk management in organizations:
A. Championing the importance of good risk management
B. Supporting line management through the provision of
high-quality information
C. Establishing risk management for the finance function
Page 15 | Confidential and Proprietary Information

16. ICAP CFO Conference 2013
Role of the PAIB / CFO in Risk Management (2)
A. Championing the importance of good risk management
• CFOs and many PAIBs are in leadership positions
• Attitude and behavior of the CFO / PAIB sets tone for good
risk management and internal control in the organization
• Integrating risk management and internal control into the
line management of an organization!
• Most important element: making risk management part of
every decision making process in the organization (SWOT)
Page 16 | Confidential and Proprietary Information

17. ICAP CFO Conference 2013
Role of the PAIB / CFO in Risk Management (3)
B. Supporting line management through the provision of
high-quality information
• Decisions should not be taken without explicit understanding
of the related risks and their potential consequences for
achieving an organization’s objectives
• Therefore, decision makers require relevant and reliable
information for their decision making and control processes
• CFO / PAIB responsible for provision of high-quality
information produced through the finance & control system
Page 17 | Confidential and Proprietary Information

18. ICAP CFO Conference 2013
Role of the PAIB / CFO in Risk Management (4)
C. Establishing risk management for the finance function
• CFOs / PAIBs usually are specifically accountable for
finance and control
• Therefore, CFOs / PAIBs should make risk management
part of every decision related to achieving the
organization’s finance objectives
• CFOs / PAIBs usually also involved in analyzing of and
reporting on the organization’s (risk management and
internal control) achievements
Page 18 | Confidential and Proprietary Information

19. ICAP CFO Conference 2013
ICAP and IFAC Supporting the PAIB / CFO
Together, ICAP and IFAC’s PAIB Committee support
PAIBs / CFOs through:
• Collaborating with regulators and standard setters in area
of governance, risk management, and internal control
• Developing additional guidance for PAIBs / CFOs
• Bringing together resources for PAIBs / CFOs
• Levering knowledge for PAIBs / CFOs through various
channels, such as this CFO conference
Page 19 | Confidential and Proprietary Information

20. ICAP CFO Conference 2013
IFAC Collaboration with COSO
• Committee of Sponsoring Organizations of the Treadway
Commission (COSO)
• Providing thought leadership through the development of
frameworks and guidance on risk management and
internal control
• Revised Framework expected in April 2013 and available
at www.coso.org
Page 20 | Confidential and Proprietary Information

21. ICAP CFO Conference 2013
COSO Framework
Page 21 | Confidential and Proprietary Information

22. ICAP CFO Conference 2013
IFAC Collaboration with ISO 31000
• International Standards Organization (ISO) developed the
standard ISO 31000:2009 Risk Management
• Can be used by any public, private or community
enterprise, association, group, or individual
• Can be applied to any type of risk, whatever its nature,
whether having positive or negative consequences
Page 22 | Confidential and Proprietary Information

23. ICAP CFO Conference 2013
ISO 31000 Risk Management Principles
• Creates value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured and timely
• Based on the best available information
• Tailored
• Takes human and cultural factors into account
• Transparent and inclusive
• Dynamic, iterative and responsive to change
• Facilitates continuous improvement
Page 23 | Confidential and Proprietary Information

24. ICAP CFO Conference 2013
ISO 31000 Risk Management Framework
Mandate and Commitment
Design of Framework
Continual Improvement Implementing Risk
of Framework Management
Monitoring and review of
Framework
Page 24 | Confidential and Proprietary Information

25. ICAP CFO Conference 2013
ISO 31000 Risk Management Process
Establishing the Context
Communication and Consultation
Risk Assessment
Monitoring and Review
Risk Identification
Risk Analysis
To be applied in
every decision
Risk Evaluation making process
and subsequent
Risk Treatment execution!
Page 25 | Confidential and Proprietary Information

26. ICAP CFO Conference 2013
IFAC Risk Management & Internal Control
> Publications
• Evaluating and Improving Governance in Organizations
• Evaluating and Improving Internal Control in Organizations
• Integrating Governance in for Sustainable Success
• All IFAC Publications free-of-charge at www.ifac.org
Page 26 | Confidential and Proprietary Information

27. ICAP CFO Conference 2013
Evaluating and Improving Internal Control in
Organizations
• Highlighting areas where practical application of internal
control standards often fails in many organizations
• Designed to establish a benchmark for good practice in
maintaining effective internal control in response to risk
• For all types of organizations, as all organizations—whether
private or public—should have appropriate internal control
Page 27 | Confidential and Proprietary Information

28. ICAP CFO Conference 2013
Guidance Principles
> Good Internal Control Should:
• Support the organization’s objectives
• Define clear roles and responsibilities
• Foster a motivational culture
• Link to individual performance
• Ensure sufficient competency
• Respond to risk
• Be communicated regularly
• Be monitored and evaluated regularly
• Provide for accountability and transparency
Page 28 | Confidential and Proprietary Information

29. ICAP CFO Conference 2013
Next steps
> Guidance in integration of risk & control
• Risk management and internal control are a means to an
end: making sound (SWOT) decisions to achieve the
organization’s objectives without surprises!
• Principles on how CFOs / PAIBs can support their
organization integrating risk management and internal
control into the organization’s overall governance and
management system
Page 29 | Confidential and Proprietary Information

30. ICAP CFO Conference 2013
Conclusions (1)
• Risk is the effect of uncertainty on (achieving) the
organization’s objectives
• Strategic (risk) management is primarily about achieving
the organization’s objectives, while addressing risk
• Many flaws in current risk management practice
• PAIBs / CFOs support strategic (risk) management in their
organizations in various ways
• ICAP and IFAC support PAIBs / CFOs
• However, no matter the guidance provided…
Page 30 | Confidential and Proprietary Information

31. ICAP CFO Conference 2013
Conclusions (2)
• …There will always be some who do it their own way!
Page 31 | Confidential and Proprietary Information

32. ICAP CFO Conference 2013
Strategic Risk Management in the Face of Uncertainty
and Unexpected Risks
Questions?
• Many thanks for your interest
• Happy to answer your questions
Page 32 | Confidential and Proprietary Information

33. • For further information please contact:
• Vincent Tophoff at vincenttophoff@ifac.org
• Visit www.ifac.org
Page 33 | Confidential and Proprietary Information