When does a company pull the trigger on an acquisition or investment? When is expanding into a new market a prudent choice? And when is the right time to hire additional personnel or change employee benefits?
These are among the many questions organisations consider through a lens of strategic opportunities and risks. James DeLoach, CPA, co-author of a new report, said that five lines of defence can help organisations achieve a healthy tension between risk and value protection.
“Opportunity pursuit is the name of the game in any successful organisation,” DeLoach said in an interview. “At the same time, you have control mechanisms. You have limit structures. You have boundaries. You have a risk appetite.”
Achieving the proper balance between entrepreneurial risk and enterprise value protection is the most difficult task of risk management and internal control, according to a new report from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The American Institute of CPAs, one of the partners in the CGMA designation, is a member of COSO.
The report describes how COSO’s enterprise risk management (ERM) and internal control frameworks can be used to improve organisational performance and governance. DeLoach said the frameworks help underpin every one of the five lines of defence that help maintain the proper tension between entrepreneurial risk and protecting value.
The five lines of defence identified by DeLoach, a managing director for global consulting firm Protiviti, are:
- Tone of the organisation. Tone at the top is not enough, DeLoach said. He said the tone at the middle and bottom of organisations – as established by middle managers instructing their employees – must be aligned with the tone at the top. “A proper tone of the organisation sets a strong risk culture, which is foundational to the other lines of defence,” DeLoach said.
- Primary risk owners. These include business owners and process leaders whose activities create risk. DeLoach said they need to take ownership in managing and mitigating risk.
- Independent risk-management and compliance management functions. The titles of these functions vary across organisations, but DeLoach said their duties are to create a framework for identifying, measuring, evaluating and monitoring risk, and to ensure that the framework is applied across the organisation in a robust manner.
- Assurance functions. This role is typically filled by internal audit, DeLoach said.
- Escalation process. This involves reporting of status, progress and problems all the way up to executive management and the board of directors. “They are the last line of defence,” DeLoach said.
The report suggests that organisations strengthen their risk culture by focusing on improving the internal environment component of COSO’s ERM framework or the control environment component of COSO’s internal control framework – or both.
Organisations should consider using surveys, focus groups and other assessment techniques to evaluate the state of their risk culture and identify opportunities for improvement, the report says. DeLoach said it’s important to consider physical mechanisms that drive risk culture – such as risk appetite, limit structures, policies and procedures, committee oversight activities and incentive programmes.
Internal attributes such as attitudes, belief systems and core values also are important to consider. DeLoach said they manifest themselves in the way people clear audit issues, address control weaknesses and escalate and resolve issues reported.
“The timeliness with which such activities are carried out provides powerful [indicators] regarding an organisation’s risk culture,” DeLoach said. “If people are not addressing control weaknesses, if they couldn’t care less about the warning signs reported by the risk-management function, that is a powerful [indicator] about the risk culture.”
—Ken Tysiac (firstname.lastname@example.org) is a CGMA Magazine senior editor.