Professional Documents
Culture Documents
Built in Not Bolt On PDF
Built in Not Bolt On PDF
The mission of IFAC is to serve the public interest by: contributing to the development of high-quality
standards and guidance; facilitating the adoption and implementation of high-quality standards and
guidance; contributing to the development of strong professional accountancy organizations and
accounting firms and to high-quality practices by professional accountants, and promoting the value of
professional accountants worldwide; and speaking out on public interest issues.
The IFAC Professional Accountants in Business (PAIB) Committee serves IFAC member bodies and
professional accountants worldwide who work in commerce, industry, financial services, education, and
the public and not-for-profit sectors. Its aim is to promote and contribute to the value of professional
accountants in business. To achieve this objective, its activities focus on:
• increasing awareness of the important roles professional accountants play in creating, enabling,
preserving, and reporting value for organizations and their stakeholders; and
• supporting member bodies in enhancing the competence of their members to fulfill those roles. This is
achieved by facilitating the communication and sharing of good practices and ideas.
The PAIB Committee extends its appreciation and thanks to Grant Purdy, Associate Director, Broadleaf
Capital International, and Matthew Leitch, Tutor, Researcher, Author, and Consultant, for assisting the
committee in developing this paper.
For questions or comments about this thought paper, please contact Vincent Tophoff (vincenttophoff@ifac.
org) or see the Risk Management and Internal Control section of the IFAC Global Knowledge Gateway.
Exposure Drafts, Consultation Papers, and other IFAC® publications are published by, and copyright of,
IFAC.
IFAC does not accept responsibility for loss caused to any person who acts or refrains from acting in reliance
on the material in this publication, whether such loss is caused by negligence or otherwise.
The IFAC logo, ‘International Federation of Accountants®’, and ‘IFAC’ are registered trademarks and service
marks of IFAC.
Copyright © May 2015 by the International Federation of Accountants (IFAC). All rights reserved.
Permission is granted to make copies of this work to achieve maximum exposure and feedback provided
that each copy bears the following credit line: “Copyright © May 2015 by the International Federation of
Accountants (IFAC). All rights reserved. Used with permission of IFAC. Permission is granted to make copies
of this work to achieve maximum exposure and feedback.”
ISBN: 978-1-60815-230-8
Published by:
Table of Contents
INTRODUCTION4
THE ROLES OF PROFESSIONAL ACCOUNTANTS IN BUSINESS 5
THE IMPORTANCE OF MANAGING RISK EFFECTIVELY 6
THE IMPORTANCE OF INTEGRATING RISK MANAGEMENT 7
CONSIDERATIONS FOR INTEGRATING THE MANAGEMENT OF RISK 11
MANAGING RISK AS AN INTEGRAL PART OF MANAGING AN ORGANIZATION 15
APPENDIX A: DEFINITIONS 22
APPENDIX B: RESOURCES 23
Introduction
With the increased volatility in the modern business adverse impact of a poorly implemented risk
environment and the financial and economic crises, management framework or an overemphasis on
the effective management of risk in organizations— internal control is that employees may become
including good internal control—has taken on even so risk adverse that they no longer advance their
greater importance. Effective risk management organization.
facilitates the achievement of an organization’s This Thought Paper positions risk management
objectives, while complying with legal, regulatory, and internal control as it was originally intended in
and societal expectations, and enables the the organization—as a highly relevant and useful
organization to better respond and adapt to process for decision and execution support, and as
surprises and disruptions. a process that boards and management naturally
In some organizations the approach to management use to ensure their organization makes the best
of risk and internal control has deviated from decisions and achieves its objectives. This Thought
its original purpose: to support decision making Paper is, therefore, applicable to all organizations,
and reduce uncertainty associated with achieving regardless of their size or structure, private or public,
objectives. Instead, risk management in these that want to improve how they manage risk.
organizations has become an objective in itself, This Paper: a) demonstrates the benefits of properly
for example, through the institution of a non- integrating the management of risk, including
integrated, stand-alone risk management internal control, into the governance, management,
function.1 This typically removes responsibility for and operations of an organization; b) provides
the management of risk from where it primarily ideas and suggestions on how such integration can
belongs: incorporated into line management. A be achieved; and c) furnishes practical examples
separate risk management function, even though of how professional accountants in business can
established with the best intentions, may hamper support their organizations with this integration.
rather than facilitate good decision making
and subsequent execution. Managing risk in an This Paper is intended for professional accountants
organization is everyone’s responsibility. in business and other participants in the
governance, management, and operations of an
This Paper contends it is time to recognize that organization who are responsible for:
managing risk and establishing effective control
form natural parts of an organization’s system • Establishing, evaluating, or improving risk
of management that is primarily concerned with management in an organization;
setting and achieving its objectives. Effective risk • Managing risk as integral part of managing an
management and internal control, if properly organization; or
implemented as an integral part of managing an
• Overseeing the strategic direction and
organization, is cost effective and requires less
management of an organization, including the
effort than dealing with the consequences of a
effective management of risk.
detrimental event. It also generates value from the
benefits gained through identified and realized
opportunities. On the other hand, a potential
Worldwide, more than one million professional and what might happen in the future under
accountants support organizations in commerce, alternative plans. They can also link risk to business
industry, financial services, education, and the performance indicators, providing relevant
public and not-for-profit sectors, making those information from risk assessments that can help
organizations more successful and sustainable. manage sources of risk in the internal and external
They form a very diverse constituency, and can be environment.
found working as employees, consultants, and self- Evaluating and improving risk management and
employed owner-managers or advisors. internal control are among the core competencies
As further explained in Competent and Versatile— of professional accountants in business. This
How Professional Accountants in Business Drive Thought Paper supports professional accountants in
Sustainable Organizational Success (2011), the business in integrating the management of risk as
roles professional accountants in business perform an inseparable part of their organization’s system of
can broadly be described as creators, enablers, management.
preservers, and reporters of sustainable value Some professional accountants in business might
creation for organizations. find themselves in an organization with poor risk
Professional accountants in business are also management and/or internal control. Embarking
generally concerned with the collection, analysis, on a journey toward integration contributes to
interpretation, and provision of information for enhancing the effectiveness of risk management
decision-making processes in setting and achieving and internal control while simultaneously improving
the organization’s objectives. In this way, they the performance of the organization.
are helping internal and external stakeholders to
understand and influence drivers of performance,
Organizations face a wide range of internal and This Paper is predicated on the basis that internal
external sources of uncertainty, both positive control is best achieved when it is considered to
(opportunities) and negative (threats), that may be part of the risk management process. This is
affect achievement of their objectives. Risk—the in line with the widely-accepted definition of risk
effect of uncertainty on objectives—can, of course, management—“coordinated activities to direct and
be viewed as beneficial or detrimental depending control an organization with regard to risk”—from
on how the organization’s objectives are affected. the International Organization for Standardization
For example, agricultural businesses may regard (ISO)’s standard 31000 on risk management that
extreme weather events as detrimental, while firms incorporates internal control as part of the risk
who specialize in rebuilding roads and repairing management process.
buildings after storms may see them as beneficial. The Committee of Sponsoring Organizations of
Organizations face inherent risk in all their activities, the Treadway Commission’s (COSO) publication
including their strategy setting, operations, and Enterprise Risk Management (ERM)—Integrated
financial management. Risk management provides Framework (2004) makes a similar point by arguing
a systematic way to manage such risk more that as the ERM framework “incorporates the
effectively. internal control framework within it, companies may
Risk management assists organizations in making decide to look to this enterprise risk management
informed decisions about: framework both to satisfy their internal control
• objectives they want to achieve; needs and to move toward a fuller risk management
process.”
• the level, nature, and amount of risk that they
want to assume in pursuit of those objectives; Risk management should never be implemented in
and isolation; it should always be fully integrated into
the organization’s overall system of management.
• the controls required to support achieving their This system should include the organization’s
objectives. processes for good governance, including those
However, neither risk management nor internal for strategy and planning, making decisions in
control are objectives in themselves; instead, they operations, monitoring, reporting, and establishing
are an integral part of setting and achieving the accountability.
organization’s objectives.
“At Unilever, we believe that effective risk management is fundamental to good business management
and that our success as an organization depends on our ability to identify and then exploit the key
risks and opportunities for the business. Successful businesses take/manage risks and opportunities in
a considered, structured, controlled, and effective way. Our risk management approach is embedded in
the normal course of business. It is ‘paper light—responsibility high.’ Risk management is now part of
everyone’s job, every day! It is no longer managed as a separate standalone activity that is ‘delegated to
others.”
—Unilever, one of the world’s leading suppliers of fast-moving consumer goods with operations in 100
countries and sales in more than 190 countries
Information provided by Unilever for a case study in Integrating Governance for Sustainable Success (IFAC
2012).
SERIOUS FLAWS
Some organizations have not yet established a some sort of framework, but it may be plagued by
formal framework for the management of risk, serious flaws (see Serious Risk Management Flaws
nor integrated it into their overall system of and Additional Examples). Both instances may
management. In these cases, organizations may result in missed benefits or larger than necessary
rely on ad-hoc crisis management that attempts to detrimental consequences.
recover the status quo after an event. Others have
Standalone or poorly implemented risk management, or internal control, usually leads to higher costs
and sub-optimal performance. Examples of poorly integrated and ineffective risk management in
organizations and how to counter these include:
A. Having a compliance-only mentality in covering issues such as formal roles and responsibilities,
prevention and detection of fraud, and compliance with laws and regulations, but ignoring the need
to address both the compliance and performance aspects of risk management.
B. Treating risk as only negative and overlooking the idea that organizations need to take risks
in pursuit of their objectives. Effective risk management enables an organization to exploit
opportunities and take on additional risk while staying in control and, thereby, creating and
preserving value.
C. Internal control that is overly focused on external financial reporting. Providing control in
relation to financial reporting is important in the detection and prevention of fraud, as well as
ensuring financial reports are accurate, and may be a major focus of corporate regulators. However,
effective controls should address all material organizational risk to help it achieve its objectives, create
value, and avoid loss.
MATURITY
Effective risk management supports management’s to, and not necessarily in tandem with, an
attempts to make all parts of an organization more organization’s management system; and
cohesive, integrated, and aligned with its objectives, 4. Integrated risk management—risk
while operating more effectively, efficiently, ethically, management, including internal control, as a
and legally. Figure 1 shows a typical pathway of natural and integral part of an organization’s
the development stages of risk management that system of management.
many organizations have followed. Ideally, however,
organizations should integrate risk management, Integrating effective management of risk across
including internal control, from the start. all of an organization’s decision making processes
and subsequent execution will help ensure
The maturity stages of risk management and that its objectives are achieved and maximum
internal control in organizations can be summarized value is created for all stakeholders. Various risk
as: management standards, frameworks, or guidelines
1. Non-existent or ad hoc—often characterized can support organizations in this process (see
by reactive crisis management once something appendix B).
has gone wrong; The following section provides a number of
2. Internal control only—formal internal guiding principles for effective management of
controls, often mainly focused on external risk as part of the organization’s overall system of
financial reporting; management. The final section provides a practical
3. Stand-alone risk management and internal model for how organizations can effectively
control—functioning as a siloed system next integrate the management of risk into their system
of management.
Crisis management
Level 1:
Non-existent
or ad hoc
It is not always easy to get governing bodies should be considered at all stages of the
and top management, and sometimes even risk objective setting process, as well as in the
committees and risk management functionaries, to subsequent planning, execution, monitoring,
consistently implement a framework and processes and review stages.
that ensures risk is managed effectively. And in Also, because most people in an
cases where they do so, the attention to risk may organization, especially those in line
weaken over time, particularly when crucial people functions, are primarily focused on doing
rotate in or out their function. The following their job well and achieving their objectives,
considerations provide guidance for effectively establishing an explicit connection between
integrating the management of risk as an integral how risk affects their jobs and their objectives
part of managing an organization. makes them more inclined to manage the
A. Organizations should primarily focus on related risk as well.
setting and achieving their objectives B. Risk should always be identified,
to create sustainable value and growth; assessed, treated, reported, monitored,
managing risk is an integral part. and reviewed in relation to the
objectives an organization wants to
The main objective of an organization is not achieve, while giving consideration to
to have effective controls, nor to effectively the organization’s ever changing internal
manage risk, but to properly set and achieve and external context.
its goals; to be in compliance and capable
of managing surprises and disruptions along As risk is the effect of uncertainty on
the way; and to create sustainable value. achieving objectives, it would be inadvisable
A useful example is the case of JC Penney, an American chain of mid-range department stores, which
almost toppled after a disastrous reorganization. “One of the big mistakes was perhaps too much
change too quickly without adequate testing on what the impact would be,” according to Bill Ackman,
the principal shareholder of JC Penney’s.
The management of risk in pursuit of these to manage risk without taking into account
objectives should be an inseparable and the effect on objectives. Unfortunately, in
integral part of all these activities. some organizations the linkage between
In some organizations, the risk management the risks periodically reported to the board
process is applied only after objectives are and the strategic objectives that are most
set, overlooking that setting objectives critical to the long-term success of the
itself can be one of the greatest sources company is at best opaque and at worst,
of risk. This may apply both to strategic missing completely. As a consequence, risk
objective setting and to all other decision- is insufficiently understood or controlled,
making processes within the organization, even though the organization devotes some
from the board level down. In addition, attention and resources to the management
not all organizations perform formal risk of risk. Risk management without taking
assessments to stress test their top strategic into account the effects on objectives is thus
objectives while in draft. Therefore, risk ineffective.
Risk is also best dealt with before a decision of good risk management to be properly
has been made or actions have been started integrated.
to achieve a certain objective in the place D. Those responsible for setting and
and by the people where it originated, achieving the organization’s objectives
irrespective or their position in the business. should also be responsible for effectively
Last but not least, as the context in which managing the related risk.
an organization sets its objectives and tries
to achieve them is continuously changing, As an organization’s risk is inextricably
so does risk. Therefore, organizations connected to its objectives, the responsibility
should constantly evaluate progress and, for managing risk cannot lie with anyone
if necessary, adjust their objectives or their other than the person who is responsible for
planning—including risk treatment—in light setting and achieving those objectives. Good
of the changed circumstances. risk management is, in this sense, everybody’s
responsibility in the organization as everyone
C. While risk management is a body of is, in one way or another, responsible for
knowledge with global frameworks, ensuring the organization achieves its
standards, and guidance, the application objectives.
of risk management needs to be tailored
to the organization. The governing body and senior management
should formulate, approve, and implement
Because effective risk management is the organization’s strategy for governance
inextricably linked with the organization’s and any particular policies with respect to
strategy and operations, it follows that the risk management and internal control. The
approach to risk management is as individual governing body should also ensure that
as that organization. And just as the everyone in the organization, including
organization’s strategy should be tailored to themselves, acts accordingly.
its specific organizational circumstances, so Line management needs to accept its
should its risk management strategy. responsibility and not delegate risk
An organization’s risk to setting and management and internal control to
achieving its objectives is influenced by many specialized staff departments. Placing
factors, such as its size, structure, business responsibility within the line also implies that
model, IT systems, financial flexibility, its staff or support functions should not, or no
employees, and its environment—that longer, be the “owner” of risk management
is, its customers, suppliers, competitors, in organizations. However, these support
and regulators as well as political, social, functions nevertheless play a crucial role in
economic, and technical drivers of change, supporting line management in the effective
etc. Ergo, it is all of these factors together management of risk.
that determine how the management of risk Where risk management is an integral part
can be applied most effectively for a specific of the organization’s system of management,
organization at a specific point of time. the risk management function plays a
Most guidelines explicitly pay attention to number of important roles, such as:
some of these characteristics, for example, • facilitator of good risk management
by pointing out that application of risk and internal control processes in the
management in smaller organizations can be organization;
less formal and less structured—even though
smaller organizations also need all elements
• custodian of the overall risk practices are tolerated.2 This inevitably results
management and internal control in decisions lower down in the organization
framework; and also being made without adequate risk
• internal assurance provider on the assessment, despite whatever official policy
effectiveness of risk management and there might exist.
internal control in the organization. F. High-quality information is crucial to
E. Decisions should be informed by an good decision making as it reduces
appropriate assessment of risk. uncertainty.
Sustainable organizational success can The organization must ensure that it has
only be achieved through informed and access to timely, reliable data on which to
structured decision making while setting base the decision, as well as the technical
the organization’s objectives and planning, resource/expertise to analyze data and turn
implementing, executing, evaluating, and them into useful information, including a
improving the organizations strategy. note of any limitations in the data or analysis.
Decision making needs to consider risk Often, there is a need to use professional
from both external and internal sources judgment in reaching a decision. Perhaps
as organizations and their objectives are there is not enough data, evaluation
affected by many factors, often outside their techniques provide contradictory answers,
direct control. Risk management should, or there are multiple risk responses available.
therefore, be an integral part of these However, professional judgment must always
decision making processes at every level of be professional—meaning, exercised by
an organization and across all operations those who are suitably trained, qualified, and
(“built-in”). experienced to use it and based on the best
Special attention should be given to decision available information.
making by the governing body, as some of G. Effective management of risk is equally
the biggest risk management failures have important to all managerial steps
been caused by emotion, greed, or fear. In following the decision-making process.
such cases boards often forget about the
basics of sound decision making, including Once a decision has been made, numerous
adequate risk assessment. This also sets a follow-up steps need to be taken to actually
bad example for the rest of the organization achieve the desired outcomes, such as
(“tone at the top”). For example, an designing, planning, executing, monitoring
organization might have a policy explicitly and reviewing, and providing accountability
requiring all decisions be supported by risk to the various stakeholders. Obviously,
assessments. However, if top management is all these steps require additional decision
prepared to make significant decisions—such making. However, as internal and external
as those involving organizational change, circumstances change—or additional
investments, or acquisitions—without a information becomes available—so does
proper risk assessment, a clear signal is sent risk. The effects of these changes in risk
to the organization that leadership is not subsequently need to be taken into account.
committed to its own policy and substandard
Integrating risk management should mean adopting How does a managerial planning and control cycle
ways to influence the managerial processes that work? Suppose we want to shoot an arrow at a
already exist—to enhance and improve them moving target. Risk is the effect of uncertainty
but not necessarily replace or increase them. To on hitting the target and is larger if the target
that end we have to work from the inside out by is further away or moving faster. Control helps
first understanding how decisions are made and the organization modify that risk so the arrow is
implemented, and then determining how the launched in the right direction, at the right speed,
management of risk should be integrated therein. and on the right course—and/or returns to course
This section first provides a technical underpinning or is redirected at a target that has shifted (see
and then a practical model of how organizations figure 2).
effectively integrate the management of risk into
their system of management. For this purpose, a
simple representation of an organization’s system of
management is chosen as the starting point, based
on the managerial planning and control (or “Plan-
Do-Check-Act”3) cycle:
A: Pre
p
ing makin arin
arn ga g
Le d
be sion
E:
ec
fo
i
re B
ing and
: Decisi
on wing
itor
o
M ie
n
D: rev
ma
kin
g
C: Figure 2: Balance between objectives,
A ctin g after
t h e d ecisi o n risk, and controls
The course from setting an objective to achieving including many more operational planning and
an objective is typically managed through a series control cycles. In addition, most organizations work
of interconnecting planning and control cycles, with rolling planning and control cycles in which,
each with its own interval and informed by the for example, a four-year strategy is being updated
progress of the activities and the changes in the annually to reflect the revised objectives and
environment. Think, for example, of an overall activities in light of the changes in the circumstances
strategic planning and control cycle, consisting of (see figure 3).
several tactical planning and control cycles and
Typically, initial strategic planning and control cycles objectives.4 Consequently, the number of steps will
in which the objectives are set and the course to also be significantly less and more of an operational
achievement is charted must handle the maximum nature (see figure 4).
level of uncertainty, and, therefore, consist of many
more steps than subsequent cycles. Through a
series of iterative planning and control processes,
an organization progressively reduces its level of
uncertainty as it gets closer to achieving its specific
4 This is not to say that a significant risk event can also thwart/
cross achievement of objectives in the later stages of the pro-
cess, like a ship wrecking in sight of the harbor.
Figure 4: Combination of Planning & Control Cycles and Risk Management Triangle
This is not to say that a significant risk event can also thwart/
4
MODEL
Once the management of risk is fully embedded that good intuitive decisions and actions are
as an integral part of managing an organization, it underpinned by sound decision making, which
becomes virtually invisible—so implicit in everything equals good risk management. The model below
the organization does, and no longer identifiable as does not serve as a “checklist” for every planning
separate steps (see example below). and control cycle. Rather, it demonstrates how risk
In practice, many of the activities in these steps will can be managed as an integral part of managing an
be executed intuitively. The point is, however, organization.
• Understand broad scope and purpose of what we are trying to achieve. What will it involve?
• Define what outcomes we are trying to achieve and their relation to the organization’s overall
E A
objectives. Define how we will measure them.
D B • Consider who will need to be involved in the decision and the actions that follow. Will they be inside or
C outside the organization?
• Consider the major sources of uncertainty for what we are trying to achieve. Are they internal or
external to the organization? What are their implications for our overall objectives?
• Determine the criteria we will use to make the decision. What is the basis and how we will know if it is
the correct decision in the light of our overall objectives?
• Decide how we will make the decision—the process and steps. What will be considered and what will
be irrelevant?
B: Decision making
• Clarify and agree on key assumptions and presumptions about the decision and the outcomes.
• Consider the range of things that might occur or are already present that would prevent us from E A
achieving the outcomes we require.
• Consider the range of things that might occur or are already present that would enhance achieving the D B
outcomes we require. C
• Consider—in all cases—the effect of those things that might occur or are already present on our overall
objectives.
• Consider our recent performance in the area under discussion. What does it say about the effectiveness
of the existing controls that are intended to enable the achievement of the organization’s objectives?
• Consider the results of any recent reviews that are pertinent to what we are trying to achieve. What
lessons can be learned?
• Once the decision to act has been made, decide what actually needs to be done, by whom, and by
when.
• Consider what other things need to be done, including implementing controls, to limit uncertainty E A
associated with the outcomes we wish to achieve.
D B
• Consider the costs and benefits of alternative courses of action and decide which create the most value
C
and provide the highest chance that the outcomes we desire will be achieved.
• Consider the sequence of all actions and the critical path to achieving outcomes.
• Record and communicate the outcomes of the decision-making and planning processes and ensure
that everyone involved knows what they are responsible for.
• Set up the process for monitoring progress and completion of all actions.
• Track progress and actions and provide management oversight. Question any delays in actions that fall
on the critical path to achieving outcomes. Provide or re-allocate resources if required.
E A
• Monitor the previously identified major sources of uncertainty and asses the environment for new
sources of uncertainty. Understand the implications of any changes on what we are trying to achieve
D B
and on our overall objectives.
C
• Monitor the existing controls that are intended to enable the achievement of the organization’s
objectives.
• Conduct periodic reviews of those controls by management and propose appropriate evolution.
• Monitor decision making and implementation as part of each employee’s performance evaluation,
emphasizing and encouraging sound decision making.
• Validate the continuous monitoring and periodic reviews using competent and sufficiently independent
assurance providers (such as internal audit).
E: Learning
• Agree on whether the outcomes were successes or failures in terms of the organization’s objectives.
E A
• Agree on whether any consequential effects were successes or failures.
D B • Agree on the causes of the successes or failures and the role of the existing controls.
C
• Consider the implications for future decisions and define what the organization should learn.
• Codify and capture the learnings in policies and procedures and cycle into management processes.
Appendix A: Definitions
Governance: the set of responsibilities and “coordinated activities to direct and control an
practices exercised by the governing body with organization with regard to risk.”
the goal of: a) providing strategic direction; b) Risk management framework: ISO Standard
ensuring that objectives are achieved; c) ascertaining 31000:2009—Risk Management defines risk
that risks are managed appropriately; and d) management framework as a “set of components
verifying that the organization’s resources are used that provide the foundations and organizational
responsibly. This is aligned with the definition of arrangements for designing, implementing,
governance in Board Briefing on IT Governance, 2nd monitoring, reviewing and continually improving
Edition (IT Governance Institute, 2003). risk management throughout the organization.”
Governing body: the person(s) or body (e.g., a Risk management process: ISO Standard
board of directors) with primary responsibility for 31000:2009—Risk Management defines the risk
overseeing the strategic direction, operations, and management process as the “systematic application
accountability of the organization, including the of management policies, procedures and practices
financial reporting process. Governing bodies can to the activities of communicating, consulting,
be made up of independent and non-independent establishing the context, and identifying, analyzing,
directors and can have various subcommittees, such evaluating, treating, monitoring, and reviewing
as the audit, remuneration, and ethics committees. risk.”
In some entities in some jurisdictions, the governing
body may include management personnel, executive Stakeholder: any person, group, or entity that has
members of a governance board of a private or an interest in an organization’s activities, resources,
public sector entity, or an owner-manager. or output, or that is affected by that output.
Stakeholders can include regulators, shareholders,
Integrated governance system: the governing debt holders, employees, customers, suppliers,
body and subsequent levels of management advocacy groups, governments, and society as a
integrating governance into strategy, management, whole.
oversight, and accountability in order to achieve
sustainable organizational success. Stakeholder value: organizational value
that is generated for stakeholders by creating,
Internal control: IFAC recognizes that the term implementing, and managing effective strategies,
“internal control” can have multiple meanings, processes, activities, assets, etc. Sustainable value
including: creation for stakeholders occurs when the benefits
1. A system or process: the entirety of an to them are greater than the resources they expend.
organization’s internal control system, i.e., an Value is generally measured in financial terms,
organization’s internal control system. as in the case of shareholders, but it can also be
2. An activity or measure: the actual measure to measured as a societal or environmental benefit,
treat risk and to effectuate internal control, i.e., as in the case of both shareholders and other
individual controls. stakeholders.
3. A state or outcome: the outcome of the Tone at the top: the words and deeds of
internal control system or process, i.e., an organization’s governing body and senior
an organization achieving or sustaining management that determine its values, culture, and
appropriate or effective internal control. the behavior and actions of individuals; synonymous
with “leading by example.”
Risk: ISO Standard 31000:2009—Risk Management
defines risk as “effect of uncertainty on objectives.”
Risk management: ISO Standard 31000:2009—
Risk Management defines risk management as
Appendix B: Resources
Risk management is a dynamic area and no list Organizational Success (IFAC, 2011) outlines
can cater for all needs; therefore, these resources the diverse roles of professional accountants in
may not be sufficient for the needs of all users. business and the many ways they serve their
Additional resources from IFAC, its member bodies, employers and the public interest.
and third parties can be found through the IFAC • Evaluating and Improving Internal Control
Global Knowledge Gateway. in Organizations (IFAC, 2012), establishes a
benchmark for good practice in maintaining
effective internal control in response to risk, and
help professional accountants in business and
their organizations create a cycle of continuous
improvement for their internal control systems.
• Integrating Governance for Sustainable
Success (IFAC, 2012) analyzes how professional
accountants in business can support their
organizations and increase performance by
www.ifac.org/Gateway
integrating governance into the key drivers
of sustainable organizational success. Using
IFAC Resources case studies from around the world, the report
• Defining and Developing an Effective Code of illustrates that good governance is about more
Conduct for Organizations (IFAC, 2007) helps than the protection of stakeholders’ interests or
organizations encourage an ethics-based culture compliance with regulatory requirements.
and define and develop a code of conduct. It Third Party Resources
also refers to the most significant resources in • Enterprise Risk Management—Integrated
this area. Framework (COSO, 2004) expands on internal
• Internal Control from a Risk-Based Perspective control and provides key principles and concepts
(IFAC, 2007) includes ten senior-level on the broader subject of enterprise risk
professional accountants in business who share management.
their experiences and views on establishing • Internal Control—Integrated Framework and
effective internal control systems. companion documents (COSO, 2013) help
• Evaluating and Improving Governance organizations design and implement internal
in Organizations (IFAC, 2009) includes control in light of many changes in business and
a framework—consisting of a series of operating environments.
fundamental principles, supporting guidance, • Standard 31000:2009—Risk Management
and references—for how professional (International Organization for Standardization,
accountants can contribute to evaluating and 2009) sets out principles, a framework, and a
improving governance in organizations. process for the management of risk that are
• Global Survey on Risk Management and Internal applicable to any type of organization in the
Control—Results, Analysis, and Proposed Next public or private sector.
Steps (IFAC, 2011) contains over 600 responses • King Code of Governance for South Africa (King
from around the globe and provides an analysis III) recommends companies maintain effective
of survey results and summarizes respondents’ governance, risk management, and internal
recommendations for the next steps in this area. control; it came into effect in 2010.
• Competent and Versatile: How Professional • Risk Management Guidelines—Companion to
Accountants in Business Drive Sustainable AS/NZS ISO 31000:2009 (Standards Australia,