James J. Kline


Competition for Risk Assessment Increases

Quality, finance, accounting, and auditing professions will compete to carry out risk management

Published: Wednesday, January 13, 2021 - 13:03

Ever since the International Organization for Standardization (ISO) included risk-based thinking in ISO 9001:2015, an idea has arisen among some in the quality profession that quality managers can move into the risk management arena without any competition from other professions. This article looks at two recent reports that demonstrate how competition will occur. Further, the competition will come from professions that have more organizational clout than quality managers.

The reports are Gartner Audit Leadership Council’s “2021 Audit Plan Hot Spots Report”¹ and the International Federation of Accountants’ (IFAC) “Enabling the Accountant’s Role in Effective Enterprise Risk Management.”² The Gartner report indicates the key concerns that auditors should be focusing on in upcoming audits. The IFAC report discusses how accountants can promote and become more involved with an organization’s enterprise risk management (ERM) process.

While the focus here is on these two reports, it should be noted that they represent part of a substantive movement in the financial, accounting, and auditing professions towards ERM. This push is occurring in both the public sector³ and private sector. In the private sector, for instance, the Institute of Internal Auditors (IIA) issued a study titled “On Risk 2020.”⁴ It is designed to help align and enhance risk management in the organization. According to the report, “In today’s dynamic risk universe, risk management must effectively combine risk mitigation of potential negative outcomes with identification and prioritization of opportunities to enhance organizational values.” It concludes that a holistic approach to risk management would be of benefit.

This growing emphasis on risk management among the finance, accounting, and auditing professions can be seen in the Gartner 2021 audit plan report and the IFAC report.

Gartner 2021 audit plan report

The Gartner Audit Leadership Council was founded in 1979. It is a research and advisory organization. Every year it reports on the audit hot spots. These are areas auditors will be focusing on, as determined by interviews and surveys of their clients and reviews of secondary literature. The hot spots for 2021 are impacted by Covid-19. The No. 1 hot spot for audits is a heightened focus on organizational resilience. Business continuity and disaster recovery are now a high priority.

Because of Covid-19, organizations have adjusted operational activities. The adjustments include remote working and accelerated use of cloud technology. This has increased traditional concerns about cybersecurity and supply chain management. It has also created problems with employee morale and productivity. The report notes: “Prolonged remote work, personal responsibilities, isolation due to social distancing, and fear of contracting the virus when returning to work are also increasing employee stress. These factors are creating risks of lost productivity and reduced employee engagement.”⁵

The rapid nature of the changes being implemented means that there is a greater risk of poor planning and implementation. The report stresses the need for auditors to be cognizant of the risk hot spots and work an assessment of their potential impact into the scope of the audit.

Enabling the accountant’s role in effective enterprise risk management

Where the Gartner Audit Leadership Council focuses on specific hot spots, the IFAC focuses on the role accountants and the chief financial officer (CFO) should play in risk management, specifically enterprise risk management.

The IFAC was founded in 1977. It represents more than 3 million accountants in both the public and private sector worldwide.

In 2013, the IFAC issued, in conjunction with the Chartered Institute of Public Finance and Accountancy in the United Kingdom, a “Good Governance in the Public Sector—Consultation Draft for an International Framework.”⁶

The purpose of the framework was to encourage better service delivery in the public sector. It is anticipated that by developing such a framework, national governments will use it as a guide for governmental operations.

A key component of the framework is managing risks and performance through robust internal control and strong public financial management. The document points out that “good governance requires that the notion of risk is embedded into the culture of the entity, with governing body members and managers at all levels recognizing that risk management is integral to all their activities.” The framework was formally adopted in 2014.

In 2019 the IFAC issued a report titled, “Enabling the Accountant’s Role in Effective Enterprise Risk Management.” The purpose of the report is to help IFAC members communicate the role that accountants and finance professionals should play in ERM. On page three the report notes that: “Enterprise risk management (ERM) needs to be part of the professional accountant mindset and makeup.... To add value, accountants need to be seen as risk experts who are outward-looking and provide valuable insights to management risk in a way that supports their organizations in responding to uncertainty and achieving their objectives.”

The report notes that while uneven in application, CFO and finance function roles have been increasing to include risk management. This movement builds on the traditional roles of ensuring that financial and compliance risks are managed effectively and efficiently; and analyzing and communicating opportunities and risks to the governing body and others.

To further strengthen the accountant’s role in ERM, the report makes recommendations on the types of skills that accountants will need. There are five broad categories. These are:
1. Deep understanding of business: To meet the requirement of ERM, accountants need to understand the mission, strategy, and total operational activities of the organization.
2. Models framework and tools: The accountant needs to understand the two dominant risk management models (ISO 31000 and COSO-ERM).
3. Enhanced quantitative and statistics skills: Statistical, data modeling, and analytical skills are needed to obtain a good understanding of correlations and confidence limits.
4. Ability to lead and communicate across teams: ERM is an enterprisewide process. It is necessary to work with others across the organization and to communicate fully with them. This requires skills in team development, leadership, and communication.
5. Confidence to challenge and ask probing questions

The IFAC believes that one of its roles is to assist its members in obtaining the above skills. In this respect, it is no different than how the American Society for Quality (ASQ), the quality profession’s association, sees its role. Thus, a good question to ask is: Comparatively, what are the strengths and weaknesses of each profession with respect to ERM?

Quality profession ERM strengths

An obvious strength is skill three, enhanced quantitative and statistical skills. This is the bread and butter of the quality professional. Accountants and auditors generally do not have the level of training and experience in these areas. Although they may understand correlations and financial forecasting, few know how to establish confidence limits or have advanced statistical skills.

Quality professionals probably have an advantage in skill five, confidence to challenge and ask probing questions. A key component of the quality professional’s job is to identify and communicate issues related to product and process quality. Thus, most have good communication skills. Auditors and CFOs would have those skills, but the average accountant doing accounts payable and receivable, probably not.

With respect to skill area four, ability to lead and communicate across teams, determining which profession has the advantage depends more on the topic and individuals involved. If the area is supply chain, product, or process quality, the quality professional would have the advantage. If it relates to finance, the accountants and finance professions have the advantage. With respect to risk assessment, except in quality systems management, where the quality professional has an advantage, internal auditors have a more comprehensive understanding of the overall organizational activities. They are, and will increasingly be, involved in compliance monitoring and financial and operational risk assessment. The advantage goes to the internal auditors.

Let us turn to the quality profession’s ERM weakness.

Quality profession’s ERM weakness

The most obvious weakness is access to the C-suite and governing body. The quality manager is lower on the organizational totem pole compared to the CFO and auditors. The CFO is a member of the C-suite. Further, the CFO and auditors report regularly to the governing body. Consequently, they have more influence on who should be doing risk assessment. This organizational position also gives CFOs and auditors a better understanding of the organization’s operation (skill area one).

A second weakness relates to the professional societies. The IIA and IFAC are relatively stable. The same cannot be said of ASQ. ASQ’s membership has been steadily declining. It has gone from approximately 135,000 in 1997 to 55,000 in 2020, with the 2020 ASQ budget anticipating continued decline. In addition, ASQ has a group, of which I am a member, that seeks to restore the influence of local chapters. This group also objects to splitting ASQ into a training and consulting element and a chapter element. As part of this split, the governing body’s emphasis is on the training and consulting element. The chapter element is being starved for funds. For instance, the Portland, Oregon, ASQ chapter, while technically still active, has not had a meeting for more than two years.

Somewhere along the line, it has been forgotten that chapters were a major driver of the training activity. At each meeting attendees were encouraged to take classes and obtain various certifications. Without this push from chapters, the base demand for training will decrease. At the same time that ASQ’s training level is decreasing, the IIA and IFAC are encouraging their members to obtain the skills necessary to provide risk assessment and assist with the ERM process.

A third weakness is skill two, the ERM model emphasis. Many in the quality profession are familiar with risk assessment through ISO 9001:2015 and the various updates ISO has made to its certifications. Quality professionals, however, are not generally familiar with the two dominant ERM models: ISO 31000:2018 and COSO ERM. (Although ISO 31000:2018 does not use the term ERM, it is still generally considered an ERM model.)

COSO ERM was developed and supported by IIA and four other finance and accounting professional organizations. Accounting, finance, and auditing professionals are generally more familiar with COSO ERM than quality professionals are with ISO 31000:2018. COSO ERM is their default. Further, while ISO 31000:2018 is the dominant ERM model used in government, COSO ERM dominates in the private sector. If it comes to a choice between models, COSO ERM, because it is supported by the finance, accounting, and auditing professionals, will win over ISO 31000.


ERM and risk assessment are becoming increasingly important organizational activities. With the inclusion of risk-based thinking in ISO 9001:2015 and the increasing emphasis on risk management in other ISO certifications, the stage has been set for competition between the quality and the finance, accounting, and auditing professions as to which will carry out risk management in the organization.

In this competition, the quality professional has a current advantage in statistical and analytical knowledge. However, organizations like the IIA and IFAC are likely to increase training for their members in this area. Thus, this advantage could quickly erode. Further, the quality manager does not have the same influence in the C-suite or at the governing body level as the CFO and auditors. With accounting, auditing, and financial organizations sponsoring and supporting COSO ERM, it is likely to be the dominant model in the private sector. ISO 31000:2018 is currently the dominant ERM model in the public sector, but the more the quality profession attempts to expand its risk management role via ISO 9001:2015 or its revision, the greater the likelihood ISO 31000:2018 will lose its dominant position in the public sector.

With their only real advantage being quantitative skills, and little clout in the C-suite, it is difficult to see how effective quality managers are going to be in becoming major players at the enterprise level of risk management.

1. Gartner Audit Leadership Council. “2021 Audit Plan Hot Spots Report,” 2020.
2. International Federation of Accountants (IFAC). “Enabling the Accountant’s Role in Effective Enterprise Risk Management,” 2019.
3. Kline, James J. and Greg Hutchins. “Auditors, Accountants and ERM,” Journal of Government Financial Management, Winter 2019, pp. 33–37.
4. Institute of Internal Auditors. “On Risk 2020: A Guide to Understanding, Aligning, and Optimizing Risk,” 2020.
5. Gartner Audit Leadership Council. “2021 Audit Plan Hot Spots Report,” 2020, p. 3.
6. IFAC. “Good Governance in the Public Sector—Consultation Draft for an International Framework,” 2013, p. 33.


About The Author

James J. Kline

James J. Kline, Ph.D., CERM, is the author of numerous articles on quality in government and risk analysis. He is a senior member of the American Society for Quality. A manager of quality/organizational excellence and a Six Sigma green belt, he has consulted for the private sector and local governments. His book, Enterprise Risk Management in Government: Implementing ISO 31000:2018, is available on Amazon. He can be reached at jeffreyk12011@live.com.


Risk-based thinking

Dear Dr. Kline,

Thank you for your article. Here is an ISO 9001 consultant's perspective. For two consecutive decades we, QMS consultants, have failed to explain to our clients the concept of 'Preventive action', until finally ISO TC 176 gave up on us, and replaced Preventative action with risk-based thinking. Is it any wonder that the scholars of disciplines other than quality regard it as an encroachment? In Russia where I come from, we have a fable about a swan, a crab, and a pike. All three exhausted themselves trying to pull the carriage in three distinctive directions: to the skies, into the river, etc. I hope we find an 'umbrella' framework and avoid this confrontation.

Best regards,