The AICPA s Enterprise Risk Management Initiative

Transcription

1 The AICPA s Enterprise Risk Management Initiative For more information and resources on ERM, visit aicpa.org/erm

2 Table of Contents Introduction... 1 A New Endeavor... 2 Cross-Functional Collaboration... 3 Top Strategic Priority... 3 First Focus Vendor Relationships... 4 ERM Strategy in Action... 4 Rise of an Organization-Wide Implementation Process... 7 Pilot Program s Business-Unit Focus... 8 Current Status and Next Steps... 8 Results To Date... 8

3 Introduction Enterprise Risk Management (ERM) plays a vital role in helping enterprises of all types and sizes achieve their goals and objectives more productively, more efficiently and more successfully. This is especially true when ERM is made an integral part of an organization s core functions and embedded into its culture. However, since the economic recession first took hold of the business community more than three years ago, many organizations have been presented with not only changes in existing risk areas but also with never-before-seen risks that have introduced a new set of management challenges and barriers to success. Many organizations are just beginning to figure out how to incorporate ERM, said Carol Scott, Vice President Business, Industry and Government at the American Institute of CPAs (AICPA). Increasingly though, our members indicate they understand the importance of ERM and want to implement it within their organizations. AICPA research indicates that organizations are re-examining their risk-management strategy to gauge its effectiveness and, when necessary, improving existing practices and launching new initiatives. In the process, they are creating an improved and more formalized ERM program. 1

4 A New Endeavor The AICPA recognizes the importance of ERM as well as the short- and long-term impact risk has on the organization and the CPA profession as a whole during both challenging and prosperous economic times. It also understands that a strong ERM strategy is necessary for identifying and addressing potential risks, keeping pace with change and embracing the newfound opportunities that change can present. In fact, this understanding underlies the Institute s mission to provide members with the resources, information and leadership that enable them to provide valuable services in the highest professional manner to benefit the public, employers and clients. The AICPA has therefore launched an exciting strategic initiative focused exclusively on its ERM program. From vendor relationships to technology infrastructure, the Institute is redefining how it identifies, assesses, mitigates and manages risk. In the process, it is achieving increased efficiencies and heightened innovation, while expanding products and services for members. The AICPA s Office of Strategy Management is implementing the new ERM initiative and its goals are to: Further improve the AICPA s risk-management practices Embed risk management into, and raise its awareness within, its organizational culture Better achieve the AICPA s mission Communicate the full-range of benefits and opportunities ERM can deliver to the Institute, from contributions to the bottom-line to competitive advantage The ERM initiative is NOT: Bureaucratic Independent from the Institute s strategic plan Solely a function of individual business units An ad-hoc strategy 2

5 Cross-Functional Collaboration ERM has long played a key role in the AICPA s core activities and culture. However, it was a function that had not yet been integrated and managed uniformly across the entire organization. Rather, it was performed by individual groups on an ad-hoc basis, with each group identifying actual and potential risks and creating and managing a strategy for addressing them. Although this approach had been successful, the AICPA determined that an organization-wide risk-management program across all functional areas could generate additional improvements in operational efficiencies and member services. It would also allow AICPA colleagues to share ERM strategies and best practices, and promote teamwork, communication and collaboration among different groups. The initial outcomes of our pilot program have been very rewarding, said Victor Velazquez, Senior Vice President People, Strategy & Enterprise Management. By integrating ERM into organizational strategy and culture with the full support of President and CEO Barry Melancon, CPA, we ve been able to create a successful system for assessing and mitigating risks going forward. Top Strategic Priority Among the ways that the AICPA is demonstrating its renewed commitment to ERM is through its decision to identify it as a Strategic Priority in its Strategic Plan as follows: Competition and Risk Assess and act on competitive risks for the profession and the AICPA. Build robust risk-assessment and decision-making capabilities in all levels of the organization. ERM s position as a leading strategic priority further supports its value and long-term importance to both the AICPA and its vast and diverse membership. In addition, the new initiative has been presented to Barry Melancon and other senior leaders. It is also being included as an agenda subject at AICPA committee meetings. 3

6 First Focus Vendor Relationships The AICPA took the first step toward its new cross-organization ERM initiative at the height of the economic crisis in Members of the senior leadership team, recognizing the prominent role vendors play in the services and functions of AICPA business units and the heightened importance of a secure financial foundation for its business partners during uncertain times proactively initiated a vendor analysis across all functional areas. The purpose of the analysis was to: Identify vendors whose financial condition was unstable Make alternate arrangements with vendors that were more financially secure Avoid the risk and accompanying fallout to the Institute and its members that would occur should a vendor be unable to meet its responsibilities because of fiscal difficulties As a result of the analysis, a few vendors were identified and replaced with those that were on a firmer financial footing, and risks that could have significantly interrupted AICPA operations and services were successfully and efficiently addressed. This strategic approach to vendor relationships dramatically demonstrates the tangible benefits that ERM can deliver, including proactive risk-management practices, cross-functional collaboration, and vendor relationships that are more secure, productive and long-term. It also resulted in a number of additional steps that are further driving risk management into the Institute s organizational culture and management structure. ERM Strategy in Action Following the success of the vendor analysis, and recognizing the measurable benefits it delivered, the AICPA launched its new ERM strategy. The core features of the strategy include a sound, carefully planned approach and tactical action steps that will continue to be refined as the strategy is rolled out across all business units. The following describes five key steps to the strategy: Steering Committee Formed First, with the evaluation of the Institute s ERM function and vendor analysis complete, and ERM firmly ingrained into the AICPA s strategic plan, an eight-member, cross-functional steering committee was created to identify risks at the organizational level. Levels range from senior manager and director to vice president and CFO. In addition to identifying risks, the steering committee is responsible for guiding the direction of the new ERM initiative. Steering committee members participated in a series of brain-storming sessions when identifying risks at the organizational level and those risks were subsequently discussed with other AICPA leaders for additional input and refinement. 4

7 Top 11 Risks Identified Second, as a result of the steering committee s brainstorming sessions and discussions with other AICPA team members, 11 organizational risks were identified and subsequently shared with AICPA President and CEO Barry Melancon and people directly reporting to him for their review. Their insights and opinions were used in refining, and where necessary revising, the list of 11 risks. Risk Assessment Guideline Created Third, once the Institute s top 11 risks were identified and reviewed, the next step was for the steering committee to create a tool for assessing each risk a Risk Assessment Guideline. The guideline (Figure 1 below), or Heat Map, features a four-point, color-coded grid that is used to assess each risk. Figure 1: Risk Assessment Scale Severe Potential Impact High Medium Low Remote Unlikely Likely Probable Likelihood The grid follows a two-dimensional approach that: Assesses the likelihood of each individual risk Remote, Unlikely, Likely and Probable Measures each risk s potential impact on the organization s ability to achieve its objectives Low, Medium, High and Severe and the range of financial consequences expected to arise if the risk should become a reality 5

8 The guideline also determines the organization s risk-tolerance thresholds and equally important, the amount of risk it is willing to assume for growth, innovation and progress. Projects that involve risks that fall beyond the thresholds are removed and/or closely monitored. Individual Interviews Performed Fourth, the Senior Manager, Strategic Initiatives, obtained additional information on the 11 identified risks by interviewing the eight steering committee members who performed risk assessments. The Senior Manager also interviewed 20 AICPA directors and other leaders one-on-one for additional insights into and assessment of the 11 risks, and to ensure that all actual and potential risks had been fully considered by the steering committee. They revealed that both the eight-member steering committee and the 20-person AICPA team rated the same risks as high for the organization. Top 11 Risks Further Reviewed by AICPA Leadership Fifth, the 11 risks, now agreed upon by steering committee members and the 20-person team, were again shared with President and CEO Barry Melancon and people directly reporting to him. These 11 risks were then discussed with the AICPA s audit committee at its quarterly meeting. 6

9 Rise of an Organization-Wide Implementation Process The AICPA s new ERM initiative requires an implementation process (Figure 2, below) that reflects its planned, step-by-step, cross-functional approach and features the Risk Assessment Guideline as a key component. When creating the process, the Institute adhered to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework for ERM. Figure 2: ERM Process Self-assessment Internal audit Monitor Performance Plan Risk Owner Implement Mitigation Strategy Risk Oversight Committee Identify Risk Accept Share Mitigate Avoid Plan Response Strategy Assess Risk Potential Impact Likelihood 7

10 Pilot Program s Business-Unit Focus With organizational risks identified and assessed, a risk assessment tool developed and a new implementation process in place, the Institute was prepared for the next stage the launch of a pilot within a business unit. The pilot s purpose is to: Test the effectiveness of the ERM process. Drill down into process-level risks. Refine and revise the implementation process as needed before the pilot is rolled out across the organization. Current Status and Next Steps The pilot is now complete and the AICPA is drilling down into the next high priority, organization-level risk, which spans several business units and has a high likelihood and high potential impact. In addition, steering committee members continue to meet periodically to chart the future direction of the new ERM initiative, and are working with cross-functional teams to further study the organizational risks that they identified. Results To Date Although the AICPA s new ERM initiative remains in its early stages, it is nonetheless generating significant momentum and a number of positive changes within individual business units and the AICPA as a whole. The initiative is improving the AICPA s ability to more proactively detect and respond to risk, minimizing the consequences of unchecked risk. Risk considerations are being integrated into AICPA strategy, strategic projects and innovations as well as day-to-day operations. As a result of the organization-wide focus on ERM and a new perception of risk among staff, AICPA team members now realize that risk also offers a unique set of opportunities that can best be grasped through a successful risk-management program. Successfully integrating the awareness of risk into AICPA strategy, operations and culture, elevates it as a method for staff and management to make wise decisions based on risk considerations and meet the organization s objectives. 8

11 Copyright 2011 American Institute of CPAs

12 T: E: W: aicpa.org