Proposed Change Drivers

Change Driver #1: Global escalation of expectations for boards/governing bodies to oversee risk in private and public sectors

Since the 2008 global financial crisis there have been increasing calls on private sector boards, and what the IIA calls “governing bodies” in public and not-for-profit sectors, to better oversee processes for creating and overseeing value creation strategies and objectives and for identifying and assessing risks that create uncertainty about whether strategies and objectives will be achieved. There is growing recognition governing bodies should be responsible for overseeing effectiveness of strategic planning, ERM, and internal audit. The UK Governance Code update⁴, just released in January 2024, illustrates this trend.

The IIA, in its 2020 Three Lines Model⁵, defines “governing body” roles as follows:

Principle 2: Governing body roles

The governing body ensures:

• Appropriate structures and processes are in place for effective governance.
• Organizational objectives and activities are aligned with the prioritized interests of stakeholders.

This model also sets out primary responsibilities of a governing body:

The governing body:

• Delegates responsibility and provides resources to management to achieve the objectives of the organization while ensuring legal, regulatory, and ethical expectations are met. (My emphasis)
• Establishes and oversees an independent, objective, and competent internal audit function to provide clarity and confidence on progress toward the achievement of objectives. (My emphasis)

In the financial services sector, the Office of the Superintendent of Financial Institutions (OSFI), in September 2018, issued a guide titled simply “Corporate Governance”⁶. OSFI defines corporate governance as follows:

Corporate governance is a set of relationships between a company's management, its Board of Directors (Board), its shareholders, and other stakeholders. It also provides the structure through which the objectives of the company are set, and through which the means of attaining those objectives and monitoring performance are determined.

OSFI board accountabilities are aligned with federal government guidance issued by the Treasury Board Secretariat (TBS)⁷. OSFI’s definition of “governance”—focused on setting and overseeing strategy, objectives, and monitoring performance—is increasingly being accepted as good practice for public and private sectors.

Unfortunately, both OSFI and TBS at the federal level in Canada, still appear to assume ERM means creating and maintaining risk registers or risk lists. This is consistent with the results of annual research studies done jointly by the American Institute of Certified Public Accountants (AICPA) and North Carolina State University which continue to indicate limited progress integrating strategic planning and ERM⁸.

Progress implementing core ERM concepts and achieving benefits promised by COSO and ISO at provincial and municipal levels has also been slow. British Columbia, and other provinces, have bucked the trend and embraced the risk centric approach to ERM. They claim they have used international risk management standard ISO 31000 that defines “risk” as the “effect of uncertainty on objectives” as a foundation⁹.

However, despite these efforts, the overall trend in risk management practices continue to fail to meet the growing expectations of governing bodies.

Canadian municipalities that have implemented similar risk centric or risk register based ERM frameworks include Toronto, Peel, Edmonton, Halifax, and others. Risk list ERM does not integrate ERM with strategic planning, key objectives, and performance.

Change Driver #2: Increasing acceptance that ERM should link strategy, objectives, risks, risk treatments, residual risk status, and performance

As stated in the Backgrounder of this article, ISO 31000:2018¹⁰, the global risk management standard, defines risk as the “effect of uncertainty on objectives”. This definition, and the overall approach proposed by ISO, forms the basis of the the Canadian federal government’s Framework for the Management of Risk¹¹. An overview visual from that standard is shown below. The most important change in the 2018 update is the central focus in the top circle on “Value creation and protection”.

Figure 2 – Relationship between COSO Principles, Framework and Process

In 2017, COSO released its updated Enterprise Risk Management (ERM) guidance¹². A core focus of COSO ERM 2017 is convincing organizations to move from risk centric/risk list ERM practices in wide use globally, to one that truly integrates risk management with strategic planning and decision making.

In January 2020 COSO released a supplement: Creating and Protecting Value: Understanding and Implementing ERM¹³. To reinforce points made in COSO ERM 2017 still being widely ignored, this new COSO guidance stresses in multiple places that ERM should be strategy/objective centric not risk centric.

  ⁴ https://media.frc.org.uk/documents/UK_Corporate_Governance_Code_2024_kRCm5ss.pdf

  ⁵ https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf

  ⁶ https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/corporate-governance-guideline-2018

  ⁷ https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=19422

  ⁸ https://www.aicpa-cima.com/resources/download/2023-state-of-risk-oversight-report-14th-edition p.24

  ⁹ https://www2.gov.bc.ca/gov/content/governments/services-for-government/internal-corporate-services/risk-management

¹⁰ https://www.iso.org/obp/ui/fr/#iso:std:iso:31000:ed-2:v1:en

¹¹ https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=19422

¹² https://www.coso.org/_files/ugd/3059fc_61ea5985b03c4293960642fdce408eaa.pdf

¹³ https://www.coso.org/creating-and-protecting