ERM Insights For The Finance Risk Leader - CGMA

ERM insights for the finance risk leader
An expanded tool for the risk leader

Chartered Global Management Accountant (CGMA)

The CGMA designation is the most widely held management accounting designation in the world. It was established in 2012 by the American Institute of CPAs (AICPA) and The Chartered Institute of Management Accountants (CIMA) to elevate the profession of management accounting globally. It distinguishes more than 150,000 accounting and finance professionals who have advanced proficiency in finance, operations, strategy, and management. In the U.S., the vast majority are also CPAs. The CGMA designation is underpinned by extensive global research to maintain the highest relevance with employers and develop competencies most in demand. CGMAs qualify through rigorous education, exam and experience requirements. They must commit to lifelong education and adhere to a stringent code of ethical conduct. Businesses, governments, and nonprofits around the world trust CGMAs to guide critical decisions that drive strong performance.

cgma.org

Association of International Certified Professional Accountants

The Association of International Certified Professional Accountants (the Association) is the most influential body of professional accountants, combining the strengths of the American Institute of CPAs (AICPA) and The Chartered Institute of Management Accountants (CIMA) to power trust, opportunity and prosperity for people, businesses and economies worldwide. It represents 696,000 members, students and engaged professionals across 192 countries and territories in public and management accounting, and advocates for the public interest and business sustainability on current and emerging issues. With broad reach, rigor and resources, the Association advances the reputation, employability, and quality of CPAs, CGMAs and accounting and finance professionals globally.

Contents

Questions and insights for the finance risk leader
Appendix A
Additional resources

The CGMA report, “A Leadership Guide for the Risk Leader” provides understanding and guidance for the finance professional who, in addition to many management roles, leads the organisation in its enterprise risk management (ERM) through current and future risk needs.

Based upon the checklist found in the original report, this expanded edition includes not only a checklist but direction and insights as to how this can be used (and can be used) by the professional to lead their entity through the current and future risk environs.

Questions and insights for the finance risk leader
An expanded checklist on how to enhance risk management

Question | Yes | No | Maybe | Professional Insights from seasoned professionals | Items for risk leader to consider (Examples)

It’s important to take the time to KNOW your team’s skills as well as skill gaps. Investments should be made to enhance the team’s strengths, as well as to identify new team members to fill any skill gaps. Along with identifying what current strengths you and your team have, look to the future and not only fill the gaps but provide for future needs.

Note: Make sure I do this — What can I do beyond our normal appraisal reviews to better isolate our skills? What are the strengths of my team? Where do they need to improve?

Beyond the daily skills necessary, the need to develop new and enhance existing skills should be a consideration.

John needs to develop entity understanding — check out AICPA/CIMA/CGMA for additional resources. Can we identify a course, training and timeline and evaluation of skills?

Me

1. Have I done a skills analysis of myself and team? X

2. Have I identified skill gaps? X

Additional questions I’ve asked are:
• Is there a standard training process for each position?
• What happens if a staff has an unexpected leave?
• Can the work continue to be done?

Where is a disruption occurring in skills to assist in what needs addressed?

If so, great. If not, what do we need to do to ensure business continues as normal?

A user-friendly version for use in your entity can be found by following this link.

On the flip side, and equally important is identifying what you are doing right. It may not be so much the execution of a task but in the manner of the execution. For example, where are the efficiencies strong and noticeable? What skills support the development and maintenance of these efficiencies? Does the team have an understanding of what exactly is working? And are they able to replicate it?

Begin by leveraging our areas and people of excellence. Identify each team member’s strength and for now, just one area of improvement. Develop a ‘buddy system’ to begin to leverage our strengths. Once we’ve got this in place, let’s consider conveying this methodology to other departments.

Me

3. Have I identified what we are doing great? X

For example, a person on the team who can look beyond a problem, analyse it while concurrently identifying other areas where this same type of issue is occurring. This is a great skill as it enables you to address problems as a whole and not as one-offs. It also provides support for management for global solutions instead of just departmental.

4. Have I identified growth opportunities? X

Looking and listening are often overlooked skills. Consider:
• Are your CPE courses relevant to you?
• Where do you feel your education is lacking?
• What do you notice when in meetings or in conversation with colleagues that you wish you had more expertise?

You need to finalise for each staff member on yearly appraisal at a minimum. What am I doing to monitor throughout the year? Have I considered quarterly or semi-annual check-ins?

• Is there someone in the department or my organisation who has these skills/expertise that can become a mentor to me?
• Review the observations and identify what has been discovered and plan the next steps.

5. Am I learning and growing the team and those around me? If I’m the only one being relied upon, why is that? X

Admittedly, it’s different to know what you don’t know. I am regarded as one of, if not THE, subject-matter experts in our entity on risk.

Because of your role, you need to address the question: What future opportunities or threats do you need to be investigating or learning? Consider sources such as current events, industry trends and projections and a big picture view of my organisation.

Am I THE subject matter expert? Am I the only one relied upon? Am I making a point to develop future leaders? Am I developing myself as a leader? Does my team have a common leadership language? Consider succession planning for key risk personnel.

The easiest and quickest way to determine this is to discuss with your mentor or trusted colleague who is in a similar role what they are dealing with and perhaps what they see you may need to address. These individuals are outside your box and can often see the blatantly obvious items that you may be missing. Also, discuss with peers with dissimilar roles within your organisation. They have a different perspective that can reveal risks that may be right in front of you, but you aren’t seeing. Seek out those in the organisation who see the bigger pictures, as well as those who have a better understanding of the more detailed processes than you. This will enable a more well-rounded assessment of risk.

Do a quick search (and assign to some staff) of risks related to my industry. Make sure to “think outside the box” purposefully.

There’s more to risk than just being aware of the need to have a ‘culture.’ First, I need to understand what culture is encouraged. Is everyone in the organisation speaking the same language? What values, behaviours and inherent assumptions does our organisation define as good and preferred? Once I bring that to awareness, I begin cultivating that culture with my team. This includes working towards providing training for the entire organisation as well as provisions to dive deeper into each area’s/department’s risks.

Are my employees aware of the risks the organisation is facing? Training for managers and staff, open communication, etc. Where are we in the lifecycle of risk culture?

Looking back over my career, I can see different stages and types of networking that were cultivated. Realising this, you may want to ask yourself these questions:

Increase connections on professional networks. What types of groups have I historically attended? Should I try something new?

Me

6. Do I think I’m missing something? X

7. Do I foster culture of risk awareness in the organisation? X

8. Professional networking: Do I have a strong network of professional risk managers? X

• Where am I in my existing network?
• Who are my peers within or outside my organisation?
• Do I need to make a change in my networks?
• Are meetings and events becoming stagnant?

Begin to identify with each team member where they are currently networking and where they would like to go.

My team, as well as the entire organisation, should work with the organisation’s strategic goals at the forefront. But are we? In reviewing my team’s performance documents, I’ve identified:

My performance goals as well as my team’s link to our organisation’s strategies/mission. We discuss these frequently and link our daily work to the overall strategy.

My team

9. Is there evidence that my team is working with a direct focus on meeting the organisation’s strategic goals? X

  1. Tasks and outcomes that tie directly to a strategic goal or initiative.
  2. A second category of indirectly tied goals

How can I ensure that indeed our work is lining up with the goals?

  3. A third category of tasks is not related at all to strategic goals or initiatives.

It’s now time to look at those in the third category and see if we can address these activities to focus more on first tier activities. The third category would be held for a potential revisit (try to keep these to a minimum):
• Deleted
• Revised/changed to roll into first- and second-tier tasks

10. Is my team aware of the connection between what they are doing and how it meets the organisation’s strategies? X

The strategic plan continues to be a critical document for any organisation. But a plan without continued attention to execution in the most efficient manner can result in missed opportunities, wasted efforts and resources and a lower ‘hitting of the mark’. Specifically, are we linking what our team members do to the strategic plan? Can they see how their daily performance and outcomes tie back to the strategic plan? How can we better do so? We need to see how we are contributing to the successes of the organisational goals.

Discuss with front-line personnel to determine if they see/know where they fit into the organisation’s strategic plan. Are they aware of how they specifically contribute to the goals and bottom line?

In working with various departments, I’ve experienced that some understand risk and the language better than others. For those with lesser understanding, I spend more time focusing on bringing them to awareness instead of addressing their risks. AICPA & CIMA have some recent resources that I noticed a few months ago. We need to go back and check these out as some awesome tools could address this.

My team knows the lingo, but we do experience barriers in understanding in various departments as terminology can be confusing. How can I elevate them? Consider developing a ‘risk dictionary’ and then involve the whole team in enterprise training efforts. Use lingo when appropriate so that everyone becomes comfortable with it.

My team

11. Does my team and organisation have a common ‘risk’ language that all understand? X

Updated risk heat map
Communicating risks using a heat map
A leadership guide for the risk leader

12. Do I have a mechanism to measure performance and ensure accountability? X

During the last few reporting cycles, we’ve noted that management/executives have emphasised the efficiency of financial reporting. What further work needs to be done both within my team and in other areas to align our outputs relating to reporting? The increased global focus on efficiency means that we need to make them as robust as possible. A viable goal is to focus on management reporting needs for the next two quarters and improvements in streamlining content and resulting efficiency in delivery.

Leverage technology to create a risk scorecard. Develop performance and outcome measures. Review them on a routine basis and discuss them with key stakeholders both inside and outside the organisation. What is already in place so that I can readily see improvements?

It is often noted that those in the finance profession remain in silos within their organisations. Change must begin with your team. Focus on how the team can become a good business partner. What can be done to improve relationships and enhance quality overall? This is best determined by a brainstorming session or two with the team. Their ideas are often those in which they are willing to invest. An easy start into this area is to schedule some time at the next team meeting to begin to address it. Continue to encourage open lines of communication between departments.

The training area of my organisation seems to be a mitigation of risks, BUT I need to investigate to see what risks exist there. What is in place and what needs to be developed?

Sometimes the obvious is all it takes. This could be as simple as providing a “resource” library within your entity. Is there an actual library or an online portal that includes a variety of materials devoted to risk? These may include:

Look into how we teach or coach risk within the organisation. Understand how staff use risk to conclude.

My team

13. Are there pockets (i.e., departments or teams) within my organisation that appear to ignore risk or be risk-averse? How can this be addressed? X

14. Have we built enterprise-wide risk management skills? Do we collaborate with HR on necessary skills? X

  1. COSO docs
  2. AICPA Risk Toolkit

Find ways to make risk management a more personal interest for everyone (e.g., provide examples that are relevant to co-workers/peers and explanations of why it is important to them). What seems to be the preferred method of engagement of learning?

  3. CGMA Risk Management Toolkit
  4. Podcasts (I know my team prefers this method of knowledge — you could encourage them to share these with the team as a whole)

15. Professional networking: Is my team actively developing a network of risk professionals both internally and externally? X

Based on the qualifications and needs of our team, I’ve learned to identify the available networking opportunities, and perhaps attend with team members. You can encourage attendance at these events with comp time, schedule revisions and a small budget to cover costs.

Identify and align with risk leads in other departments. Encourage team and allow time to attend events.

One of the recurring themes I’ve experienced in all organisations that I’ve been a part of, at varying levels, is the need to align understanding. If you are engaging with those who are working in the dispatch office of publicly provided transportation, or the grants area of an agency, the most prominent disconnect occurs in the language used.

Staff seems to struggle a lot with conveying their understanding outside of our team. How can the language gap be bridged? What is the team not understanding?

My team

16. Can my team bridge communication of the risk program and understand it themselves? X

For example, a prominent struggle often lies with articulating the IT risks as they relate to the organisation BEYOND the finance area. Yet, these risks are relevant to financial success. As this gap continues to show up, there are definitive steps you can take to reduce the gap.

17. What is our team’s focus?

18. What is our main contribution to the organisation’s success?

If you are a manager or director of several ‘sub-teams’ or functions, consider meeting with each area separately. During these sub-team meetings, discuss what is consuming our time and then determine if it is indeed where our focus should be. Make 3–5 bullet points of your focus.

How does our mission flow down to our strategic plan?

Make sure that you add value through the robust implementation and monitoring of the responsibilities specifically assigned within the understanding of interdepartmental dependency on goals and outcomes.

What is the perception of our department? Do people see a specific value add? Does the rest of the organisation even know we exist?

How does the strategic plan flow down to performance plans? How do the team members’ performance plans flow down to their responsibilities?

The need to step outside your offices and host lunch and learns, interdepartmental meetings to enhance risk understanding is critical. The demonstration of your presence and participation in meetings and decision-making not only at the manager level but also at the executive level, provides exposure not only to the team members but to their activities.

This has gained considerable importance with the necessity of remote work in this decade. Consider the issues that your organisation has had and resolved throughout the pandemic.

How were we judged on our past performance? Did we identify the root causes correctly? Do we know how to mitigate the risk to hold ourselves accountable?

My team

19. Do I have a mechanism to measure performance and ensure accountability? X

Look at what has not changed or been resolved and consider whether these are similar or have a commonality (i.e., having to do with security, access, IT response, inability to sync, etc.). Once the root cause has been identified, this will aid in determining where to begin the resolution or at the very least, a viable workaround.

20. Do my team members have mentors? X

This is a relevant question that often we want to answer with a quick ‘yes’ or ‘no’. Thinking back on my career, the acceleration is often seen during those times I had a mentor who was engaged, directional in guidance and supportive. Without that, even the right tools and/or the right experience in the position may have been irrelevant.

Look at who is feeding into your employees’ professional life and work with them to drive these relationships to where the employee, the team and the organisation need them to grow.

21. Do we have a training plan? X

Employee engagement 101 speaks to the importance of developing a work plan for employees. This not only includes a focus on their CPE for their respective licenses and designations, but education to assist in meeting their goals while enhancing their strengths and minimising their weaknesses.

Do we have a formal mentoring program? Who would I suggest as mentors for my team? Could mentors be found through networking activities?

What target CPE should our team members complete? What requirements are in place for those without certifications?

The Journal of Accountancy had an article related to this last year.

As a risk professional, you should ensure that your organisation’s financial performance is known amongst your team. This will enable employees to know when spending may need to be reduced vs. when funds are available to mitigate risks. Considering what you are doing well vs. what needs to be done is a quick check to identify lean areas vs. those in excessive spend mode.

Is my team integrating the information received with the proper context and sufficient understanding? If not, what can be done to elevate that?

Talent has never been a larger issue than it is today. Studies and surveys in all industries identify talent as one of the top three concerns, if not THE TOP challenge. Not only is obtaining and retaining a concern, but adding new skills to existing staff to get them up to speed as soon as possible is mission-critical. The need to immediately analyse current responsibilities with talent and experience should be a top activity. This includes the consideration of shifts in responsibilities, changes in processes and future needs.

How long have they been in their existing roles? What has evolved, both internally and externally to the organisation that requires new or additional skills?

The words ‘change management’ have been thrown around a lot recently. We want to be change managers; we seek to create effective change but ultimately how did we do in the last 24 months with change? The pandemic threw everyone for a loop and continues to do so. This could be a great indicator of what your team and your organisation did right and what it didn’t.

Analyse and document how the organisation identifies and responds to change. Consider breaking it down into three areas:

My team

22. Is my team able to effectively communicate the financial performance of the organisation? X

23. Are people in the right position for success? X

Can a bit of job shifting/sharing get us closer to where we need to be?

My organisation

24. Is my organisation equipped to handle change? X

• Myself
• My team
• My organisation

Clearly, this ties in with the prior question. As you look at your organisation on a micro and macro level, it is important to note:

Continue to develop and improve the right communication, change management approach, and training.

My organisation

25. Is my organisation willing to make changes? X

• Who was ready to make changes immediately? Identify the effects on the individual, their team and the entity.
• What areas hung on to ‘business as normal’? Consider the results of those areas.

What do I see others in my industry doing that my entity is clearly not?

• At this point, you may want to compare the results from the different responses. Consider the response from senior leadership (or lack thereof).
• Lastly, what about the industry as a whole? The positioning of your entity within industry trends will provide you with a good indication of its responsiveness and ability to thrive and survive.

26. Are risks linked to the strategic goals of the organisation? X

Strategy is not housed at the executive and organisational levels only. It does begin there. To ensure that the organisational strategies trickle down, begin with identifying your department’s specific risks and link them to the strategies of the organisation. Make sure all strategic risks tie into one of our risks as applicable.

Check whether risks are written as an ‘abstract’ and that they can be tied to the strategic goals of the organisation. What are the specific identifiable steps and metrics available?

Examples are often the best teachers.

Consider an entity goal of ‘Delivering standard-setting service to its stakeholders and customers’.

The risk/finance area refines the goal further as: ‘proactively engage with our internal departments to identify emerging risks to both the department and to the entity’.

As you can see, this is just one piece of the whole strategic goal. However, if accomplished, we see the success flow to the entire organisation.

While tending to imagine budgeting and forecasting as being housed in a separate functional area, again, you must think beyond those confines. Understanding the development and analysis of the FP&A process within past trends, current conditions and the expected/unexpected possibilities enables a more efficient measure of risk trends. Asking such questions as:

I am responsible to fund the performance goals that link to the organisation’s mission.

My organisation

27. Does my organisation’s budget tie to a strategic plan that mitigates risk to a tolerable level? X

What does my organisation consider a tolerable risk level? Where could an error in budgeting and forecasting cause an intolerable risk event?

• How can we improve these links?
• Can we get rid of ones that don’t work anymore?
• Are the right scenarios being used and is the focus what is relevant?

28. When risks arise, does my organisation have the infrastructure to communicate about those risks both internally and externally? X

‘Embedded within any enterprise risk management (ERM) program is the ability to communicate effectively throughout all the processes to the decision-makers and implementers’. (Reference) Risk finance professionals at all levels must effectively communicate the concepts of risk for the Enterprise Risk Management program to be effective.

Develop internal and external communication plans and responsibilities.

You will often need to initiate and facilitate concepts, identification, revisions, reporting and monitoring of risks. Regarding your communication, you may want to ask:
• When was the last entity-wide communication? Is there another one scheduled?
• Is training available for key employees or all employees? Are we participating? Can we?
• Is my organisation set up to recognise what external ‘events’ may result in risk (e.g., legislation, natural catastrophes, and military/political activities)?
• Do they know to whom they should bring these concerns?

Some questions are never going to go away about risk. Explaining the differences between ERM vs. RM, internal controls and the need for internal and external audits is a way of life for finance professionals. Whether simple or complex, items to consider are:

Develop, train, and implement training.

My organisation

29. Can my organisation articulate the difference between enterprise risk management, internal controls, and internal audits? X

Consider various levels of training (i.e., board would receive different training than staff accountants).

• What have we done that needs revisited?
• How have we done this? A quick memo or lunch webcast?
• What is the ONE action we make NOW to foster an awareness and understanding of risk from all in your organisation?

30. Does my organisation have a formal enterprise risk management process with direct alignment with strategic goals? X

Strategy and ERM are intricately linked and should at some stage be considered together. Although processes and outputs differ, there does come a place where they merge. Regarding the process ensure that strategy is adequately detailed within. Does it need to be refreshed?

Yes, we have an ERM process. But we also need to consider how often the Executive Management reviews risks? When are processes reviewed and changes made? What does monitoring look like? Is the monitoring effective?

• Is my organisation willing to take an objective review of our ERM model to determine its true maturity level?

This is a tough process to navigate, especially if you are not involved directly in the process. However, encouraging my team to adhere to the processes begins with your knowing what the executives are concerned about and what is their ‘top of mind’. Ideally, risk leaders should be in the ‘know’ of what upper management and executives are trained on and decisions made. But there are usually some gaps that you will need to fill.

Need to check executive meeting minutes promptly after each meeting (do not wait until just before an external audit to review). Provide evidence of response to any updates, revisions, additions.

My organisation

31. Is the
