While organisations already have processes and controls in place to manage risk, it is now time to reassess their risk framework and to make any modifications that are needed to stay current with changing industry trends and organisational needs. These improvements need to address the institution’s risks in a more comprehensive manner while enhancing the ability to anticipate risk.
KPMG believes organisations need:
- An organisational response to assess their risk
- An operational response to improve their risk-assessment and risk-management processes
- A governance response to improve risk oversight
KPMG’s approach to enterprise risk management involves:
- Creating content. Profiling risks and leveraging existing risk-assessment documents.
- Creating process. Building and maintaining a dynamic risk-management process.
- Conduct a more comprehensive risk assessment inventory and prioritise key risks. This needs to be led top-down by the MD/CEO to engage the entire organisation. Tone at the top is critical to successful risk management.
- Identify and prioritise key financial reporting processes and controls. These include the revenue cycle, closing the books, regulatory compliance, and budgeting and forecasting. This step should be led by the FD/CFO and the controller.
- Develop a current-year plan for documenting, self-assessing and testing internal controls. This should be led by the controller and supported by internal audit, with the aim of linking the key risks with the controls that the organisation seeks to strengthen. If the organisation documents, assesses and tests the controls on the 20 per cent of its processes that are linked to the highest-risk areas, this will probably cover about 80 per cent of the risks, and the organisation can deal with the other 80 per cent of its processes (and related controls) through strong monitoring at the corporate level. This focus on the fewer areas that matter most – rather than taking a more comprehensive and less selective view – also creates an opportunity to improve these controls, including addressing gaps and deleting redundancies.
- Create a risk committee to look beyond financial reporting risks to the strategic, operational, compliance and regulatory risks, because the root causes of financial reporting “surprises”, as well as other impairments to the institution’s reputation, lie in all of those areas.
- Link the oversight of risk to the audit committee, and individual risks to the audit committee and other committees, so that their insights into enterprise risk and the process for managing risk can be shared at the highest levels. Directors must be able to provide oversight of the most significant and likely risks and the manner in which they are being handled.
Key benefits of ERM
Improved risk management provides a more explicit, comprehensive and enterprise-wide understanding of the organisation’s risks, based on insight into their potential consequences. By improving risk management processes, the organisation can better identify who is accountable for managing specific risks, and not only those risks that lie in the financial realm. Strategic, operational and compliance risks may become more visible to the entire organisation.
Further, such a view helps educate the audit committee, as well as the full board and its committees, to help them better anticipate and mitigate financial risks. In addition, the collegial process of identifying and prioritising risks facilitates a more integrated, anticipatory and preventive approach to managing risks.
As the management guru Peter Drucker observed: “Neither the quantity of output nor the ‘bottom line’ is by itself an adequate measure of the performance of management and enterprise. Market standing, innovation, productivity, development of people, quality and financial results – all are crucial to an organisation’s performance and its survival. Performance has to be built into the enterprise and its management; it has to be measured – or at least judged – and it has to be continually improved.”
At the end of the day, it is important to have:
- A more comprehensive risk assessment and risk management framework.
- A risk-based, time-released approach to documenting, self-assessing and testing internal controls over financial reporting as well as key operational and compliance processes.
- A new reporting model for organisations that goes beyond the traditional financial reporting models currently in place.
David Leahy is a Partner in Advisory Services at KPMG in East Africa, responsible for Internal Audit, Risk and Compliance. For further information contact him on davidleahy@kpmg.co.ke, Tel: +254-20-2806000/191.
© 2009 KPMG East Africa Limited, a Limited Liability Company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.