
Voices from the Field


OBJECTIVE CENTRIC RISK AND UNCERTAINTY MANAGEMENT IN THE PUBLIC SECTOR: OPTIMIZING RISK MANAGEMENT AND ACCOUNTABILITY

Proposed Change Drivers

Change Driver #1: Global escalation of expectations for boards/governing bodies to oversee risk in private and public sectors

Since the 2008 global financial crisis there have been increasing calls on private sector boards, and on what the IIA calls “governing bodies” in the public and not-for-profit sectors, to better oversee the processes for creating and overseeing value creation strategies and objectives, and for identifying and assessing the risks that create uncertainty about whether those strategies and objectives will be achieved. There is growing recognition that governing bodies should be responsible for overseeing the effectiveness of strategic planning, ERM, and internal audit. The UK Governance Code update [4], just released in January 2024, illustrates this trend.

The IIA, in its 2020 Three Lines Model [5], defines “governing body” roles as follows:

Principle 2: Governing body roles

The governing body ensures:

  • Appropriate structures and processes are in place for effective governance.
  • Organizational objectives and activities are aligned with the prioritized interests of stakeholders.

This model also sets out primary responsibilities of a governing body:

The governing body:

  • Delegates responsibility and provides resources to management to achieve the objectives of the organization while ensuring legal, regulatory, and ethical expectations are met. (My emphasis)
  • Establishes and oversees an independent, objective, and competent internal audit function to provide clarity and confidence on progress toward the achievement of objectives. (My emphasis)

In the financial services sector, the Office of the Superintendent of Financial Institutions (OSFI), in September 2018, issued a guide titled simply “Corporate Governance” [6]. OSFI defines corporate governance as follows:

Corporate governance is a set of relationships between a company's management, its Board of Directors (Board), its shareholders, and other stakeholders. It also provides the structure through which the objectives of the company are set, and through which the means of attaining those objectives and monitoring performance are determined.

OSFI board accountabilities are aligned with federal government guidance issued by the Treasury Board Secretariat (TBS) [7]. OSFI’s definition of “governance”—focused on setting and overseeing strategy, objectives, and monitoring performance—is increasingly being accepted as good practice for public and private sectors.

Unfortunately, both OSFI and TBS at the federal level in Canada still appear to assume that ERM means creating and maintaining risk registers or risk lists. This is consistent with the results of annual research studies done jointly by the American Institute of Certified Public Accountants (AICPA) and North Carolina State University, which continue to indicate limited progress in integrating strategic planning and ERM [8].

Progress in implementing core ERM concepts and achieving the benefits promised by COSO and ISO at the provincial and municipal levels has also been slow. British Columbia, and other provinces, have bucked the trend and embraced the risk centric approach to ERM. They claim they have used the international risk management standard ISO 31000, which defines “risk” as the “effect of uncertainty on objectives”, as a foundation [9].

However, despite these efforts, the overall trend in risk management practices continues to fail to meet the growing expectations of governing bodies.

Canadian municipalities that have implemented similar risk centric or risk register based ERM frameworks include Toronto, Peel, Edmonton, Halifax, and others. Risk list ERM does not integrate ERM with strategic planning, key objectives, and performance.

Change Driver #2: Increasing acceptance that ERM should link strategy, objectives, risks, risk treatments, residual risk status, and performance

As stated in the Backgrounder of this article, ISO 31000:2018 [10], the global risk management standard, defines risk as the “effect of uncertainty on objectives”. This definition, and the overall approach proposed by ISO, forms the basis of the Canadian federal government’s Framework for the Management of Risk [11]. An overview visual from that standard is shown below. The most important change in the 2018 update is the central focus in the top circle on “Value creation and protection”.

Figure 2 – Relationship between COSO Principles, Framework and Process

In 2017, COSO released its updated Enterprise Risk Management (ERM) guidance [12]. A core focus of COSO ERM 2017 is convincing organizations to move from the risk centric/risk list ERM practices in wide use globally to one that truly integrates risk management with strategic planning and decision making.

In January 2020 COSO released a supplement: Creating and Protecting Value: Understanding and Implementing ERM [13]. To reinforce points made in COSO ERM 2017 that are still being widely ignored, this new COSO guidance stresses in multiple places that ERM should be strategy/objective centric, not risk centric.

From COSO’s Creating and Protecting Value: Understanding and Implementing ERM

Theme 4.
The starting point is to focus initially on the organization’s top strategies and business objectives

The starting point for enterprise risk management is to specifically and carefully identify the key strategies and business objectives of the organization. Depending on when the ERM initiative is started, this can be conducted during the strategy setting process or done by analyzing existing strategies. ERM does not start by simply attempting to identify risks, but it starts with a thorough analysis of the organization’s key strategies and business objectives. Following the updated Framework, the organization is trying to identify those events that might impair its ability to achieve its strategies and business objectives. Accordingly, there first must be a clear understanding of the key strategies and business objectives before one can assess the events that could impair those strategies. The sequence is critical and, again, reinforces the objective of ERM as helping the organization be successful with its chosen strategies. Put another way, in approaching ERM, the organization needs to be “strategy-centric” not “risk-centric.”

[4] https://media.frc.org.uk/documents/UK_Corporate_Governance_Code_2024_kRCm5ss.pdf

[5] https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf

[6] https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/corporate-governance-guideline-2018

[7] https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=19422

[8] https://www.aicpa-cima.com/resources/download/2023-state-of-risk-oversight-report-14th-edition, p. 24

[9] https://www2.gov.bc.ca/gov/content/governments/services-for-government/internal-corporate-services/risk-management

[10] https://www.iso.org/obp/ui/fr/#iso:std:iso:31000:ed-2:v1:en

[11] https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=19422

[12] https://www.coso.org/_files/ugd/3059fc_61ea5985b03c4293960642fdce408eaa.pdf

[13] https://www.coso.org/creating-and-protecting
