When does a company pull the trigger on an acquisition or investment? When is expanding into a new market a prudent choice? And when is the right time to hire additional personnel or change employee benefits?
These are among the many questions organizations consider through a lens of strategic opportunities and risks. James DeLoach, CPA, co-author of a new report, said that five lines of defense can help organizations achieve a healthy tension between risk and value protection.
“Opportunity pursuit is the name of the game in any successful organization,” DeLoach said in an interview. “At the same time, you have control mechanisms. You have limit structures. You have boundaries. You have a risk appetite.”
Achieving the proper balance between entrepreneurial risk and enterprise value protection is the most difficult task of risk management and internal control, according to a new report from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The AICPA, one of the partners in the CGMA designation, is a member of COSO.
The report describes how COSO’s enterprise risk management (ERM) and internal control frameworks can be used to improve organizational performance and governance. DeLoach said the frameworks help underpin every one of the five lines of defense that help maintain the proper tension between entrepreneurial risk and protecting value.
The five lines of defense identified by DeLoach, a managing director for global consulting firm Protiviti, are:
1. Tone of the organization. Tone at the top is not enough, DeLoach said. He said the tone at the middle and bottom of organizations—as established by middle managers instructing their employees—must be aligned with the tone at the top. “A proper tone of the organization sets a strong risk culture, which is foundational to the other lines of defense,” DeLoach said.
2. Primary risk owners. These include business owners and process leaders whose activities create risk. DeLoach said they need to take ownership in managing and mitigating risk.
3. Independent risk management and compliance management functions. The titles of these functions vary across organizations, but DeLoach said their duties are to create a framework for identifying, measuring, evaluating, and monitoring risk, and to ensure that the framework is applied across the organization in a robust manner.
4. Assurance functions. This role is typically filled by internal audit, DeLoach said.
5. Escalation process. This involves reporting of status, progress, and problems all the way up to executive management and the board of directors. “They are the last line of defense,” DeLoach said.
The report suggests that organizations strengthen their risk culture by focusing on improving the internal environment component of COSO’s ERM framework or the control environment component of COSO’s internal control framework—or both.
Organizations should consider using surveys, focus groups, and other assessment techniques to evaluate the state of their risk culture and identify opportunities for improvement, the report says. DeLoach said it’s important to consider physical mechanisms that drive risk culture—such as risk appetite, limit structures, policies and procedures, committee oversight activities, and incentive programs.
Internal attributes such as attitudes, belief systems, and core values also are important to consider. DeLoach said they manifest themselves in the way people clear audit issues, address control weaknesses, and escalate and resolve issues reported.
“The timeliness with which such activities are carried out, they provide powerful [indicators] regarding an organization’s risk culture,” DeLoach said. “If people are not addressing control weaknesses, if they couldn’t care less about the warning signs reported by the risk management function, that is a powerful [indicator] about the risk culture.”
—Ken Tysiac (firstname.lastname@example.org) is a JofA senior editor.