Risk and performance: Embedding risk management (English edition).pdf

Risk and performance: Embedding risk management
The Association of Chartered Certified Accountants
May 2019

About ACCA

ACCA (the Association of Chartered Certified Accountants) is the global body for professional accountants, offering business-relevant, first-choice qualifications to people of application, ability and ambition around the world who seek a rewarding career in accountancy, finance and management.

ACCA supports its 208,000 members and 503,000 students in 179 countries, helping them to develop successful careers in accounting and business, with the skills required by employers. ACCA works through a network of 104 offices and centres and more than 7,300 Approved Employers worldwide, who provide high standards of employee learning and development. Through its public interest remit, ACCA promotes appropriate regulation of accounting and conducts relevant research to ensure accountancy continues to grow in reputation and influence.

ACCA is currently introducing major innovations to its flagship qualification to ensure its members and future members continue to be the most valued, up to date and sought-after accountancy professionals globally.

Founded in 1904, ACCA has consistently held unique core values: opportunity, diversity, innovation, integrity and accountability. More information is here: accaglobal

About this report

Ensuring effective risk management in any organisation is essential. This report takes a close examination of the practices organisations are adopting to embed risk management practices across the organisation. Using an in depth case study approach, it explores how businesses can overcome the common challenges presented in implementing effective risk management processes and suggests good practices for aligning these to the delivery of strategic goals.

Dr Simon Ashby, Vlerick Business School, Belgium
Dr Cormac Bryce, City, University of London
Dr Patrick Ring, Glasgow Caledonian University

Foreword

In an increasingly competitive and challenging environment, the effective management of risk is fundamental to an organisation's success. In 2018 ACCA undertook a study to examine the practices boards should be adopting in providing effective oversight of the risk management process to support delivery of the strategy of the organisation. This report follows on from this initial study, and takes a closer look at how in practice businesses can truly embed risk management practices right across the organisation.

Embedding risk practices successfully can be challenging. A key issue is how we translate the management of risk from a theoretical exercise to an activity that has resonance and meaningfulness right across the organisation, at all levels. For risk management to be truly effective, it must be managed as an inherent part of delivering day to day business activities, which is why the application of risk management processes must occur at all levels of the organisation. This requires significant communication, collaboration and coordination across the business. However, no two organisations are the same, and the ways in which sound risk management practices can be established vary from business to business, taking into account a wide range of situational and cultural aspects.

We hope this report provides sensible reflections for organisation leaders at all levels to reflect on their own current practices in embedding risk management across their organisations.
These considerations, as the report demonstrates, can apply both formally and informally, and it is essential that organisations consider their own unique circumstances, challenges and opportunities in applying these effectively.

Jamie Lyon
Director of Professional Insights
ACCA

Contents

Executive summary
Disclaimer
Author Biographies
1. Introduction
1.1 The risk management conundrum
1.2 What we already know about embedding risk management
1.3 Research aims, objectives and approach
2. Project methodology
3. Findings
3.1 Balancing formal and informal risk management to achieve strategic objectives
3.1.1 Combining strategy and risk
3.1.2 Formal and informal organisation
3.1.3 The risk management journey
3.2 Communicating for Effective Risk Management
3.2.1 The fundamentals of effective risk communication
3.2.2 Effective structures of communication
3.2.3 The importance of the informal: building relationships
3.2.4 Conversations about risk: risk talk
3.3 Overcoming Implementation Challenges
3.3.1 Creating risk value: managing the cost benefit equation
3.3.2 Accountability
3.4 Embedding Risk Management for Strategic Success
4. Recommendations for practice
5. Conclusion
Appendix A: List of interviewees
Appendix B: Supplementary academic literature review
References

Executive summary

Organisations in every sector, whether large or small, simple or complex, invest time and resources in managing risk. Effective risk management is an essential element in the success or failure of these organisations, but there remains much to learn about what actually constitutes effectiveness.

ACCA's 2018 report on board-level risk management practices, Risk and the strategic role of leadership, highlighted the significance of risk in the boardroom and how boards organise their risk management activities to inform strategy and governance (Ashby et al. 2018).
This report investigates how board-level risk taking and control objectives translate into the risk management activities performed within organisations. The aim is to understand how these risk management activities are embedded to ensure that staff across the organisation collaborate and co-operate to manage risk in a manner that is consistent with the board's risk taking and control objectives. Effective risk management within organisations can only be achieved when staff are willing to engage in risk management activities to achieve the board's risk taking and control objectives. In short, risk management cannot be effective if it is not embedded.

The project is based on: four in-depth case studies, which included documentation reviews, site visits and 34 interviews across a range of business functions; two focus groups, consisting of a number of risk management professionals; and input from the ACCA's Global Forums, with particular thanks to the Global Forum on Governance, Risk and Performance.

The research shows that although the case study organisations had similar risk management objectives, the paths they took to embedding risk management varied according to the external environment in which they operated and a range of internal factors, such as leadership tone and the success or failure of past risk management initiatives. Organisational paths varied in the risk management mechanisms used and, in particular, the formality or informality of these mechanisms.

The risk management function does not only design and implement risk identification, assessment and reporting tools; it must also work hard to explain and even sell the benefits of risk management to the wider organisation. Every case study organisation struggled with the requirements of a pure three lines of defence model for risk governance.
The authors propose reformulating the three lines model to create a less segregated, modes of accountability approach.

Towards the end of the report the findings are consolidated into a conceptual model for embedding risk management in organisations. This risk gearbox shows how formal and informal risk management mechanisms combine to create strategic thrust to support the board decisions on strategic risk taking and control. There are also a number of recommendations for organisations looking to improve the effectiveness of their risk management arrangements.

Key findings include the following.

Effective risk management requires the use of complementary formal and informal mechanisms. Formal mechanisms include risk registers, control assessments, internal audits and risk reports. Informal mechanisms include social networking and sales/influencing techniques.

Communication is vital. This includes communication between business units and functions, as well as communication to/from the risk management function and internal audit function.

The risk management function has a pivotal role in communication and building risk management relationships. The function operates as a nexus for risk management communication, facilitating such communication between business units and functions and to/from the internal audit function and board/senior management. A risk management function that cannot build effective relationships across an organisation will not be able to embed effective risk management practices.

DISCLAIMER

Though funded by ACCA, this research project was conducted by three independent university academics.
The findings from this project reflect the views of the case study and focus group participants and are not necessarily those of ACCA or its staff and members.

Author biographies

DR SIMON ASHBY

While conducting the research, Dr Simon Ashby was Associate Professor of Financial Services at the Plymouth Business School. Previously he worked as a financial regulator for the UK Financial Services Authority (writing policy on risk management) and a senior risk manager in several UK financial institutions (covering both credit and operational risk).

Simon has a PhD in corporate risk management and has published many academic papers and industry reports in the discipline. His current research interests include board-level risk management and risk governance; cyber-risk management; risk culture; and the reputational effects of operational risk events.

Simon is a Fellow and former chair of the Institute of Operational Risk and a non-executive director and audit and risk committee chair of Plymouth Community Homes.

Simon is now a Professor of Financial Services at Vlerick Business School in Belgium, which provides high quality postgraduate education around the world (vlerick/en).

DR PATRICK RING

Dr Patrick Ring is currently a reader in financial services in the Glasgow School for Business and Society at Glasgow Caledonian University. He is a qualified solicitor who, before entering academia, worked in the corporate area of private practice, and later as a lawyer with a large life assurer.

Patrick's teaching and research interests include financial regulation and compliance; operational risk management and culture in financial services; trust in financial services; pension policy and reform; and the retail financial advice sector.

DR CORMAC BRYCE

Dr Cormac Bryce is a senior lecturer in Insurance and Risk at Cass Business School, City, University of London, and is a member of the Faculty of Actuarial Science and Insurance.
His multi-method research spans areas from human behaviour in financial organisations to the effect of regulation on organisational behaviour within the aviation industry.

Cormac's recent research focus has been grounded in areas of the error-reporting climate, and the effects of risk events on the market sentiment of financial services organisations.

1. Introduction

The management of risk is essential for every organisation. In a complex world, full of political uncertainty, changing technology, long supply chains, just-in-time operations, the vagaries of social media and an assortment of other factors, risk matters. Success or failure depends on an organisation's ability to take, mitigate and avoid risk or to exploit, recover and learn from unexpected events when they occur.

ACCA's 2018 report on board-level risk management practices, Risk and the strategic role of leadership, highlighted the significance of risk in the boardroom and how boards organise their risk management activities to inform strategy and governance (Ashby et al. 2018). This follow-on report moves on to investigate how board-level risk-taking and control objectives translate into the risk management activities performed within organisations.

Most organisations with more than a handful of staff will have someone who has responsibility for identifying, assessing, controlling and reporting on risk. As organisations grow this individual may become a full-time risk manager and additional staff may be recruited to form a risk management function. In larger organisations, hundreds of staff may have full or part-time risk management roles covering different risk types or business areas.

Risk management is, however, about much more than the risk manager or risk management function.
Risk is present in every organisational process, activity or decision. This means that all staff will have some responsibility for taking and controlling risk, the management of which is an integral part of the organisation's success or failure.

No matter how good a board's strategy and risk focus, or how deep its concern for stakeholder value and good governance, an organisation may fail to achieve its risk management objectives if staff are not engaged in these objectives or their risk-taking and control decisions are uncoordinated. It is here that embedding risk management is essential. Embedding is about organising risk management activities to engage staff in the management of risk, and coordinating their risk taking and control decisions.

This report investigates how four case study organisations organise their risk management activities to achieve their objectives. Organisation is about more than formal structures, policies or procedures. Organisation is both formal and informal and both are necessary to ens

example, a risk-assessment and reporting tool, such as a risk register, provides a common formal mechanism for organising risk management, but the register may produce inaccurate or incomplete information if staff do not understand how to use it or perceive it as bureaucratic. It is here that the informal organisation, such as social networks and trust, comes into play.

The aim of the report is to identify the challenges that the case study firms have encountered when organising their risk management activities, and to share good practice. Each firm started from a similar position (limited organised risk management activity) and all are working to increase the organisation of their risk management activities to achieve goals such as organisational efficiency, stakeholder welfare, compliance, and reputation protection. Nonetheless, the paths that they have taken vary and reflect differences in their economic contexts and their organisational and risk cultures. This provides a wealth of practice that other organisations can use to improve their organised risk management activities.