Risk: Leverage it. Control it. Win!
I am pleased to introduce Steve McNally, Finance Director and Controller for Campbell Soup, who will be guest blogging for us this week. Keep reading for his insights on risk management and internal controls.
Does your organization have a vision? A mission? Strategic plans and objectives? Of course it does.
That said, do you want to help your organization realize this vision and achieve its objectives without too many surprises along the way? Do you want to be ready to deal with the surprises that occur anyway?
Bottom line, do you want to deliver sustainable value to your organization’s stakeholders? Effectively leveraging risk management and internal control (RM/IC) is mission-critical. Few organizations, however, do so.
Many approach RM/IC with a compliance-only mentality, seeing it as useful to meet Sarbanes-Oxley (SOX) or other regulatory requirements, but nothing more. Others see RM/IC as simply a tool to enable issuance of complete and accurate financial statements and disclosures. Even those who recognize that RM/IC can benefit overall strategic planning and business management often hit one pitfall or another.
One common pitfall is to view risk only as a negative, without recognizing that organizations must take risks in pursuit of their objectives. The analogy of the ship, one of my favorites, brings this point home. It goes like this…
The safest place for a ship is to stay in its harbor, but that is not what ships were made for. Instead, ships were made to transport people and goods to other destinations. And that involves risks, and rewards.
What is the main objective of risk management and internal control? While maintaining an effective system of controls and processes for managing risk is important, the main objective of RM/IC is to properly set and achieve your organization’s objectives, avoid too many surprises along the way, and, by doing so, create sustainable value.
Good risk management makes good business sense. And good internal control is the invisible hand that enables an organization to achieve its objectives. Many organizations, including AICPA, IFAC, and IMA, provide guidance on implementing RM/IC programs. Several frameworks, however, are of particular note:
- COSO Internal Control – Integrated Framework, 2013 Edition
- COSO Enterprise Risk Management – Integrated Framework
- ISO Standard 31000:2009 – Risk Management
Effective RM/IC is relevant, indeed mission-critical, for all organizations, whether large or small; simple or complex; or public, private, or nonprofit.
You have a key role to play.
For a complete overview of frameworks available to support the upgrade of RM/IC within your organization, read the full article, Risk: Leverage It. Control It. Win!, which was published in the Winter 2015 edition of the Pennsylvania CPA Journal.