Proposed Change Drivers, cont'd
Change Driver #3: Increasing acceptance globally that organizations in public and private sectors should have integrated “lines”
As mentioned in the first section of this article, in 2020 the IIA released the Three Lines Model, an update to its original Three Lines of Defense [14]. The role of management, including second line risk groups, is defined as “Actions (including managing risk) to achieve organizational objectives.” Internal audit’s role is defined as “Independent and objective assurance and advice on all matters related to achievement of objectives.”
Figure 3
Change Driver #4: Increasing global acceptance that there should be a dedicated standing committee of the board/governing body to oversee enterprise strategic planning and risk management frameworks
There are two credible sources of information available about how organizations are dealing with a world where high rates of change and major disruption of business models are occurring. One is a 2019 Canadian survey conducted by the Conference Board of Canada in collaboration with Chartered Professional Accountants of Canada and the Global Risk Institute [15]. This survey includes both public and private sectors. Its findings included the following:
Our survey shows that the integration of ERM with other business processes remains a work in progress. Only 39 per cent of respondents thought ERM was integrated to a great extent or a very great extent with their organization’s strategic planning process.
Although these results showed that a substantial number of respondents indicated a substantial level of integration of ERM in their operations, the survey concluded that a majority still needed to make progress in this area.
The other is a survey conducted each year (most recently in 2023 [16]) by North Carolina State University and the American Institute of Certified Public Accountants (AICPA) that includes not-for-profit organizations. It reached similar conclusions, indicating that 34% of respondents reported having a complete ERM in place, an improvement compared to the 9% reported in 2009. It nonetheless concluded that:
While progress has been made in implementing complete ERM over the fourteen years we have conducted this survey, there is still relatively slow progress in continuing to move towards a more robust, complete enterprise-wide approach to risk management.
The overarching conclusion of both surveys is that insufficient progress has been made integrating strategic planning and ERM. Unfortunately, both surveys imply ERM is about creating and maintaining risk registers or risk lists—ironically the main reason little progress has been made integrating strategic planning and ERM. Until organizations graduate from risk centric or risk list ERM, including presenting risk lists and risk heat maps to boards, to objective centric ERM linked to performance as called for by COSO ERM, little progress will be made integrating strategic planning, ERM and performance.
Next Steps for the Canadian Public Sector
In response to escalating risk oversight expectations, a growing number of Canadian municipalities, some provinces, and parts of the Canadian federal government implemented risk centric or risk register based forms of ERM. ERM should be designed to manage uncertainty that key strategic/value creation and value preservation objectives will be achieved with a level of risk/uncertainty acceptable to senior leadership and oversight bodies. Risk list ERM does not accomplish that goal.
It cannot be stressed enough—risk centric or risk list ERM is sub-optimal at best, potentially dangerous. It creates the illusion risk is being managed. Ironically, risk list ERM is a major risk to better governance in the Canadian public sector. It has not been about managing the effect of uncertainty on objectives, the ISO definition of “risk”.
Risk specialists, internal auditors, and legislative auditors should all be actively promoting the need to transition from traditional risk centric or risk list ERM, and point-in-time legacy risk-based internal audit methods, to objective centric risk and uncertainty management.
Unless risk specialists, internal auditors, and/or legislative auditors take proactive steps to encourage progress toward modern objective centric ERM methods, audit committees and PACs across Canada should forcefully push for changes necessary for the good of all Canadians.
[14] https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf
[15] https://www.conferenceboard.ca/product/the-state-of-erm-in-canada-a-benchmarking-study/
[16] https://www.aicpa-cima.com/resources/download/2023-state-of-risk-oversight-report-14th-edition
DISCLAIMER: The opinions expressed in this article are those of the author and do not necessarily reflect the views of the Foundation.