Risk management’s traditional focus on adversity is changing. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2017 Enterprise Risk Management (ERM)–Integrating With Strategy and Performance framework now refers to risk holistically as “the possibility that events will occur and affect the achievement of strategy and business objectives.” With “adversely” removed from the definition, a risk is no longer something that must be prevented from happening. In addition, the framework no longer speaks of risk management as a separate process, but defines it in terms of “culture, capabilities, and practices.”
The updated COSO ERM framework and the International Organization for Standardization’s ISO 31000: Risk Management standard present great opportunities to replace the term risk management with value management. According to both standards, managing risk is all about creating and protecting value. However, they retain the term risk management.
Business activities always involve uncertainty. To improve their chances of success, leadership teams have to take advantage of opportunities and limit threats. Ultimately, they want greater certainty that they will achieve their objectives and avoid the outcomes they do not want. For that reason, organizations need a pragmatic approach to keeping key stakeholders satisfied by realizing value for them.
The value management approach offers intriguing opportunities for internal auditors because it focuses on the quality of decision-making within the organization. Internal audit can help the organization by assessing to what extent decision-makers possess the right competence and integrity to reconcile dilemmas caused by the conflicting interests of stakeholders.
Being future-proof requires an organization to continually create and protect value for its core stakeholders. However, terms such as value, result, success, and improvement only gain substance through the meaning that stakeholders attach to them. Stakeholders look at an organization from their own perspective. Based on their interests, they find certain things valuable such as innovation, punctuality, privacy, safety, compliance, integrity, efficiency, and continuity.
Future viability is about anticipating what might happen. The leadership team wants to know where the organization is expected to end up and to what extent this differs from what the organization’s core stakeholders expect. Is the organization on the right track? Or is there a real chance that it will not achieve its objectives? In that case, is the organization taking appropriate measures? Conversely, the organization may be exceeding expectations, because it is able to deal well with uncertainty.
Bringing Experts Together
Strategic, tactical, and operational decisions imply making choices and balancing potential pros and cons. Working standards and methods are intended to guide the decision-makers in the right direction. Determining these rules is the domain of specialized departments such as business continuity, compliance, control, information security, privacy, quality, and safety. Typically, all these functions conduct risk assessments, build control frameworks, and produce management reports, which easily can lead to functional silos and value destruction in practice.
Value Management and Internal Audit
Embracing the value management approach is different from advocating conventional risk management practices. Here are examples of what will change for internal auditors:
- Instead of focusing on the organization’s biggest vulnerabilities, internal audit holistically focuses on assessing the quality of management. Decisions made when planning, executing, monitoring, and improving business activities always have potential positive and negative effects on the interests of key stakeholders.
- Instead of believing the organization should have a separate risk management process, function, or system, internal audit focuses on the organization’s capabilities to become future-proof. Proliferating separate risk terms, such as risk manager, risk culture, risk appetite, and risk report, may not lead to the realization of business objectives.
- Instead of seeking to assess whether what COSO’s 2017 ERM framework calls the second line of accountability fulfills its responsibilities for overseeing performance and conformance, internal audit assesses the competence and integrity of decision-makers at all levels of the organization.
- Instead of focusing solely on money, internal audit recognizes that value means more than cash, profit, stock price, and dividends. Key stakeholders have different interests and attach value to different things.
- Instead of embracing in-control statements oriented to the past, internal audit realizes that the key question is to what extent decision-makers at all levels of the organization are capable of creating and preserving value for key stakeholders in the future.
- Instead of assuming that the future is makeable and perfectible through risk analyses, risk and control matrices, and control testing, internal audit acknowledges that the world is volatile, unpredictable, complex, and ambiguous, requiring a considerable degree of agility and flexibility.
- Instead of assuming that risk management should be a separate item on the agenda for team meetings, internal audit emphasizes that each of the items is about effectively dealing with opportunities and threats.
Conventional risk management is a flawed concept (see “Value Management and Internal Audit,” above). Instead of having a separate program, function, or committee for managing risks, organizations should focus on connecting the functional experts. Generating and preserving value depends on these specialists collaborating to assist decision-makers at all levels with seizing opportunities and limiting threats. As an independent advisor, internal audit can help reduce organizational complexity and silo thinking.
To connect the experts effectively, leadership teams should seek answers to five key questions. These basic business questions are the building blocks for the practical analyses that leaders can carry out for a separate business process, project, department, branch, division, value chain, or the entire organization.
Answering each of these questions requires making choices and balancing opportunities and threats. For example, implementing extensive control frameworks (part of the “how” question) may send the message to those involved that they have flawed judgment or lack integrity. Internal audit should independently assess to what extent leaders answer the questions satisfactorily.
Who Can Decide? Value management hinges on the effectiveness of governance: Who is authorized to make which choices? This applies to allocating resources both to daily operations and continuous transformation. The individual responsible for achieving formulated objectives also should be able to decide how best to deal with relevant opportunities and threats. This can be done by optimizing the associated business processes and controls.
A prominent and practical issue concerns the mandate of the experts in the organization’s staff departments. To what extent are they allowed to prescribe working standards to their colleagues, or are they only expected to give advice? How does the leadership team ensure that the staff specialists keep the needs of the line managers in focus? Conversely, how can leaders keep enthusiastic experts from overreaching? A familiar example is information security specialists who produce policies and procedures that are unworkable for the people expected to follow them.
What Do We Do? Each leadership team benefits from having an integrated overview of the clustered activities of everyone involved within its entity. This structured summary of current tasks shows the organization’s common playing field. The overview of managerial, primary, and supporting processes provides insight into all relevant transaction flows and volumes. It also forms the basis for the IT application landscape that processes those transactions. Hence, it is the foundation for information management, business intelligence, and forecasting. Do those in charge have the right information for making balanced decisions? The advantages of better insight into who does what are evident in initiatives such as integration projects.
Why Do We Do What We Do? The organization’s success is determined by the extent to which its core stakeholders are satisfied. They are primarily interested in how the leadership team’s performance affects their interests. That is why the stakeholder analysis is essential. If all goes well, the team’s ambitions fit in with the value that the organization wants to create and protect for specific stakeholders. This value is expressed in the organization’s mission, vision, and strategy, and is translated into concrete success factors, objectives, and indicators. Using clear tolerances for the key indicators and preparing regular forecasts provide ample input for timely adjustment. If the estimated outcomes are not within the bandwidths, the two options are to adjust the controls or to inform key stakeholders that they must accept revised tolerances.
How Do We Do What We Do? To apply judgment, decision-makers need a framework and rules such as working standards and methods. The practical details of these rules are laid down in the charters, policies, guidelines, procedures, protocols, and work instructions. Clear working arrangements streamline decision-making, facilitate work hand-off among colleagues, and provide a clear reference for audits. The “how” question is about autonomy. For example, to what extent are subsidiaries allowed to make their own rules?
The decisive factor in the “how” is the organization’s culture. Is it characterized by managers setting the examples? Are decision-makers willing to face the possible consequences of their choices? Is it acceptable to challenge the assumptions in overly ambitious plans?
What Can We Improve? A continuous improvement program helps the leadership team focus on what really matters. When asked about the “best improvements,” people typically mention situations where the exposure to threats is larger, or the willingness to seize opportunities smaller, than desired. The necessary improvements are usually about better designing, implementing, applying, and monitoring the organization’s working methods and standards. These improvements explicitly deal with the competencies of those involved, not only their professional knowledge and skills, but especially their personal leadership qualities.
A continuous improvement program can enable the team to identify, prioritize, and realize improvement initiatives. The better the information management is and the more that employees feel free to report issues, the sooner trends can be identified.
Value for Stakeholders
Conventional risk management can easily turn into a separate, illusory, and compliance-driven system. By contrast, value management is an integrated approach that can give leadership teams a single platform for all common types of management. It can help decision-makers identify, prioritize, and realize the improvements needed to satisfy their core stakeholders.