The May 2015 International Federation of Accountants (IFAC) paper "From Bolt-on to Built-in Managing Risk as an Integral Part of Managing an Organization" has neatly summarised the challenges of embedding risk management. The paper's main message is that risk management does not work effectively unless it is integrated within line management.

"In some organizations the approach to management of risk and internal control has deviated from its original purpose: to support decision making and reduce uncertainty associated with achieving objectives. Instead, risk management in these organizations has become an objective in itself, for example, through the institution of a non-integrated, stand-alone risk management function. This typically removes responsibility for the management of risk from where it primarily belongs: incorporated into line management".

Few would disagree with this observation. In practice, however, the extent to which risk management is integrated into an organisation's overall system of management is more often than not determined by line management's willingness to embrace its principles and to adopt a systematic approach to defining organisational objectives and to assessing and managing the associated risks and opportunities.

To address this, the approach suggested by the IFAC paper is to integrate risk management principles into the following key managerial steps:

  • Preparing before making a decision – identifying the major sources of uncertainty that could have an impact on the validity of the decision taken
  • Decision making – weighing up the effect of uncertainties as a result of the decision
  • Acting after the decision – determining what needs to be done to ensure outcomes are achieved, including establishing controls to manage uncertainties
  • Monitoring and reviewing – monitoring identified major sources of uncertainty and identifying any new uncertainties, then taking the appropriate action and amending managerial procedures accordingly
  • Learning – capturing any learning in updated procedures and management processes

This is helpful in that it enables the principles of sound risk management to be articulated in a language that may be more readily understood by managers who are not risk experts.

However, there is still a need to establish and maintain a risk management framework to support line management in following these steps and to capture and disseminate knowledge of the risks or uncertainties to inform decision makers at all levels. Risk registers that are challenged and kept up to date remain essential. Management must own these if risk management is to be effective.

A risk management function in some form is therefore required. The extent to which the benefits of such a function are maximised, or whether it stands alone, depends upon the value placed upon its principles by management and ultimately the Board. Unless the tone from the top demands that these principles are followed, management will not feel motivated to implement them, and there is a danger that decisions will be made without proper consideration of their consequences.
