Risk management and enhancing capacity
Enterprise Governance Framework
Corporate Governance le Conformance
Business Governance le Performance
Value Creation Resource Utilization
(Source: Enterprise Governance - Getting the Balance Right:
Federation of Accountants)
Risk and Opportunity Management Process
1. Identify Risks and Opportunities Sources of Risks Sources of
2. Manage risks and opportunities
Assess and Alter risk appetite
Assess risks and Opportunities
Manage Risks Manage Opportunities
Share Risk Transfer Risk Reduce Risk
3. Evaluate Risks and Opportunities
(Source: Management Accounting Guideline - Managing Opportunities and
Risks Authoured by: Tamara Bekefi, Marc J Epstein and Kristi Yuthas
Published by SMAC, AICPA and CIMA)
(Source: Enterprise Governance ‘Getting the Balance Right:
International Federation of Accountants)
CMA Sri Lanka presentation at the 52nd National Cost Convention
organized by the Institute of Cost and Works Accountants of India in
Chennai held from January 4 to 6, 2011
Since the spectacular collapse of the Barings Bank in 1995 there has
been an ever growing interest in risk management. This has been fuelled
by subsequent high profile corporate debacles, as well as natural and
man-made disasters - 9/ 11, Enron, Worldcom, Ahold, Parmalet, the 2004
Tsunami, Hurricane Katrina, Northern Rock and Lehman Brothers, to name a
few. Risk has been viewed, more and more, as something negative - a
hazard, that need to be managed, if not avoided or eliminated altogether
; a value destroyer. Understandably, governments and regulators have
reacted with stringent regulatory initiatives such as the Sarbanes -
Oxley Act 2002, Basel 2 Accord, accounting standards, and numerous codes
of corporate governance.
It is needless to say that hazardous risk - risks which have only a
downside (examples : accidents, corporate fraud, human error, disasters)
need to be managed rigourously, in order to preserve value and to ensure
the sustainability of companies.
Otherwise, companies could lose money. However, it is important not
to focus only on downside risks. Many risks, business risks in
particular (examples: business acquisitions, new products, investments
in technology, innovation) have an upside as well as a downside - a
positive side as well as a negative one. It is the upside of risks,
which provide opportunities for growth and profit. Whilst it is
necessary to manage the downside of such risks, it is also vital that
the upside should be exploited.
After all, risk-taking is the engine that drives business and propels
growth, as suggested by the well-known adage Nothing ventured, nothing
gained: Business enterprise is essentially about taking risks.
Companies, which focus only on the downside of risks, could miss
opportunities, which might have initially appeared too risky, and not
properly analysed. Exploiting the upside of risks , i.e. opportunities,
is at the centre of value creation process. One should be mindful of
opportunities to create value,that could be hidden in risk.
In many instance, risk and opportunity are a duality ; they are like
the two sides of a coin. Accordingly, a risk could present opportunities
for innovation and competitive advantage, which in turn could lead to
short - and long term growth and profitability.
In such instances, ‘risk management provide a window for ‘opportunity
management’, which leads to ‘Risk and Opportunity Management’.
As explained above, focusing exclusively on the downside of risk
could be harmful to the well-being of organizations. Several initiatives
have been taken to remedy this situation. Two somewhat early responses
are : (1) Enterprise Risk Management - Integrated Framework 2004 of the
Committee of Organizations Sponsoring the Treadway Commission (COSO),
and (2) Enterprise Governance - Getting the Balance Right, 2004, of the
International Federation of Accountants (IFAC) and the Chartered
Institute of Management Accountants (CIMA). Both initiatives are
attempts to address risks in a broader and holistic manner, rather than
viewing risk as a mere threat to be avoided.
They look at risk in the context of the organizations strategy,
culture, and operations. Of these two initiatives, the Enterprise
Governance approach and methodology has a distinct orientation toward
addressing the much neglected value creating upside risks.
The early responses to corporate failures were mostly in the form of
codes of corporate governance. These codes attempted to seek compliance
with rules and regulations on issues such as board structures, Chairman
and CEO, non - executive directors, executive remuneration, internal
control, and oversight mechanisms ( examples : audit committees,
They sought to bring about improved accountability and assurance.
Whilst the philosophy of Enterprise Governance accepts the importance of
corporate governance, it argues that good corporate governance on its
own cannot ensure success: ‘Good corporate governance is a necessary,
but not sufficient, foundation for success.’
Bad corporate governance can ruin a company, but cannot, on its own,
ensure its success (Enterprise Governance - Getting the balance Right: (IFAC)
It goes on to assert that companies must balance conformance with
Enterprise Governance is defined as ‘the set of responsibilities and
practices exercised by the board and executive management with the goal
of providing strategic direction, ensuring that objectives are achieved,
ascertaining that risks are managed appropriately and verifying that the
organization’s resources are used responsibly’ (Information and Systems
Audit and Control Foundation, 2001).
There are two dimensions to Enterprise Governance, viz conformance
and performance. Conformance is also called ‘Corporate Governance’,
whilst performance is also called ‘Business Governance.’
The performance dimension focuses on strategy, value creation and
resource utilization. It seeks to help the board to make strategic
decisions; understand its risk appetite and key drivers of performance.
Enterprise Governance philosophy recognizes that the performance
dimension cannot be easily subjected to regime of standards and audit.
Hence, it seeks to develop a set of best practice tools and
techniques in performance related areas such as ‘Enterprise Risk
Management’, ‘Acquisition Process’ and ‘Board Performance’.
Unlike in the case of the conformance dimension, the performance
dimension lacks a formal board oversight mechanism. Hence, the IFAC
study on Enterprise Governance has proposed the ‘strategic scorecard’ to
bridge this ‘Oversight Gap’.
The strategic scorecard is neither a detailed strategic plan nor a
substitute for the Balanced Scorecard. It aims at helping the board of
director ensure that all the aspects of the strategic process have been
completed thoroughly. The strategic scorecard has four quadrants -
Strategic Position, Strategic Options, Strategic Risks, and Strategic
Implementations. Thus, risks , in the form of strategic risks, have been
embedded in the performance dimension of enterprise governance , i.e.
Risk management and value creation
The need to proactively approach risk - taking, in order to take
advantage of value creating opportunities, should not be underestimated.
Intelligent risk-taking is essential in order to build value; it needs
to be operationalized.
The management accounting guideline titled ‘Managing Opportunities
and Risk’, jointly published by the Society of Management Accountants of
Canada, the American Institute of Certified Public Accountants and the
Chartered Institute of Management Accountants of the UK, provide a
comprehensive and invaluable framework in this area.
The guideline expands the risk assessment model to include
opportunities and innovation, and provides the needed tools and
techniques to capture the positive side of risk, while rigourously
managing its downside impact.
It asserts that ‘an organization may come to see that developing a
greater capacity to identify and mitigate risk allows it to capture
opportunities that the competition cannot.’
It goes on to state, ‘Effective risk management practices and tools
are necessary for companies to seize opportunities and gain competitive
advantage over companies that do not know of these practices and tools,
or cannot effectively implement them’.
It encourages taking a portfolio view in regard to risks as managing
some risks well create the opportunity to take risks in other areas. It
also proposes techniques that organizations can use to alter risk
appetites to capitalize on opportunities.
In addition to following the traditional risk management practices,
the management accounting guideline ‘Managing Opportunities and Risks’
emphasizes the need to (1) Identify and manage opportunities, often
related to innovation, and manage related risks, and (2) Identify and
manage opportunities where others see only unmanageable risks. The risk
and opportunity management process proposed by the guideline has the
following three major phases:
1. Identify risks and opportunities
2. Manage risks and opportunities
3. Evaluate risks and opportunities
The identification of risks and opportunities draws attention to the
following: (A) the sources of risk and opportunities, and (B) strategies
for identifying risks and opportunities.
Some key sources of opportunity are (1) supply chain, (2) product and
service offering, (3) processes, (4) technology, (5) new markets, (6)
customers, (7) political, legal and social forces. The strategies
recommended for identifying risks and opportunities are, (1) Learning
from the past, (2) Developing Customer Sensitivity, (3) Learning from
others, (4) Scanning, (5) Scenario Planning, (6)Seeing the market gaps
and change the game, (7) Developing idealized design and competing in
advance and (8) Developing market sensitivity.
The second phase - ‘managing risks and opportunities’, consists of
the following four steps: (1) Assess and alter risk appetite, (2) Assess
risks and opportunities, (3) Managing risks and (4) Managing
opportunities. Assessing the risk appetite allows an organization to
decide how best to respond to the opportunities and risks it has
Risk appetite is the risk exposure, or potential adverse impact from
an event, that an organization is willing to accept without taking
action. It is heavily influenced by the organization’s culture and
changes over time. It should be quantified in monetary terms. Risk
appetites should be defined and agreed upon at least annually; it should
be proposed by the senior management and endorsed by the board of
Once the risk appetite is assessed, the company should proceed to
assess all major risks and opportunities against it. For this purpose,
it is very important to quantify the risks and opportunities in monetary
If a risk exposure exceed the risk appetite threshold (also called
risk tolerance), measures could be taken to bring it back within the
accepted level, so that the exposure is in line with the risk appetite.
In the alternative, the risk appetite itself could be altered. A low
risk appetite could result in narrow assessment of risk, which could in
turn result in the rejection of promising opportunities.
If the goal is to capture an opportunity, and the existing risk
appetite is a hurdle, it might be desirable to alter the risk appetite.
This can be done by enhancing the capacity to accept more risk,
thereby shifting the risk appetite threshold. The guideline ‘Managing
Opportunities and Risks’ describes methods of altering risk appetites.
After assessing risks and opportunities, the company could reject
them, or proceed to manage them. The final phase is the evaluation of
risks and opportunities.
Role of the management accountant
Risk and opportunity management calls for expertise in areas such as
strategy, management, finance, management, management information and
control systems, and internal audit.
The management accountant is well placed to play a prominent role in
risk and opportunity management as he or she is skilled in these
disciplines. The management accountant could contribute in the following
* Establishing guidelines and procedures for strategic planning
around opportunities and risks
* Improving the identification, measurement, and management of risks
* Preparing the evaluation of risks and opportunities
* Integrating the model with other functions such as strategy
* Training managers to make more effective evaluations of risks and
* Implementing processes to monitor and communicate business risks
The IFAC Exposure Draft - ‘How Professional Accountants in Business
Drive Sustainable Organizational Success’ identifies eight drivers of
sustainable organizations, the third driver being ‘Integrated
Governance, Risk and Control’.
Further, the document identifies challenging roles for accountants as
(1) ‘Value Creator’, (2) Value Enabler, (3) Value Preserver, and (4) ‘
Value Reporter’, the first two coming under ‘performance’, whilst the
last two come under ‘conformance’.
The roles of the management accountant in the area of ‘Integrated
Governance, Risk and Control’, as a value creator and a value enabler
(A) As Value Creator - facilitate an understanding of an
organization’s appetite for risk and deliver aligned and effective
governance, risk and control practices to achieve a balance between
conforming with rules and regulations and driving sustainable
(B) As Value Enabler - implement enterprise risk management and
control as a strategic activity and as integral part of an
organization’s governance system, as well as into all other decision -
making processes in the organization.
Role of management accountancy bodies
Risk Management, as a professional discipline, is continuously
expanding at a rapid pace. In view of the role that could be played by
management accountants in this critical area, it is important for
management accountancy bodies to foster the discipline in the following
* Provide education and training of members and students
* Be a Thought Leader by undertaking research and development in risk
* Create general awareness on the subject amongst the business
community, the state, civil society, and other groups of stakeholders.
The Sri Lanka experience
The Sri Lankan economy has been an open economy since its
liberalization in 1977. Accordingly, it has been vulnerable to the
fluctuations in the global economy.
Sri Lanka too has had its share of high profile corporate collapses
during the last decade.
These have been largely due to poor corporate governance.
During the past decade, there has been a growing awareness in risk
management in Sri Lanka. Many public seminars and workshops have been
conducted. The professional accountancy bodies have included risk
management in their syllabi.
On the practical side, it is understood that several blue-chip
companies - both national and multi-national, have formalized risk
management systems in place. However, generally speaking, there is much
room for improvement in this area both in the public and private
Hazard risks - risk which only have a downside, should be necessarily
managed, if not eliminated altogether. That is essential in order to
preserve value and ensure the sustainability of companies.
However, risk management should not stop there. From a value creation
perspective, it is vital that risks with upsides as well as downsides
are managed in order capitalize on opportunities.
Further, it should be realised that better risk management systems
enable companies to take on more risks and thereby exploit
opportunities. In other words, sound risk management systems enhance the
capacity to build value.
Management accountants have a vital role to play in the process.
Management accountancy bodies could contribute by supporting members,
students, companies, and other stakeholders in the area of education,
research and development in the area of risk and opportunity management.