Does your organization have a vision? A strategic plan? Of course it does. But if you want to help your organization achieve its objectives without too many surprises--and to be prepared to deal with those surprises that occur anyway--leveraging risk management and internal control effectively is mission-critical.
For many, when they think of internal control--or specifically about the Committee of Sponsoring Organizations' (COSO) Internal Control Integrated Framework--they think of Sarbanes-Oxley compliance. That makes sense, because COSO's internal control framework is used by the majority of public companies subject to Sarbanes-Oxley compliance requirements.
Unfortunately, though, risk management and internal control activities in some organizations have become objectives in their own right, as opposed to being support tools for management. They have deviated from their original purpose, which is to support financial executives and their business partners in setting and achieving an organization's objectives.
Effective risk management and internal control is relevant--indeed, mission-critical--for all organizations, whether public, private, or nonprofit; large or small; simple or complex. This feature provides insight into several benefits to, and resources for, enhancing risk management. Financial executives must take a leadership role in tackling their organizations' strategic objectives and plans by upgrading and leveraging risk management and internal control.
Risks, Risk Management, and Internal Control
When thinking about risk, one of my favorite analogies relates to a ship: the safest place for a ship is in the harbor. But ships were made to transport people and goods to other destinations, and that involves risk.
Every organization faces a variety of risks, both from internal and external sources. For example, a cargo ship's voyage could be affected by personnel (crew sickness or desertion), mechanical issues (a boiler explosion), or other internal influences. A voyage could also be interrupted by external events, such as severe weather or a pirate attack. Risk must always be assessed and addressed in light of the organization's objectives.
Financial leaders can support their business partners by identifying specific risks that could impact the achievement of a given objective or objectives, and facilitating the related risk-assessment process, which is typically dynamic. To do so, you need to be aware of risk tolerance and risk appetite. An organization's risk tolerance and management's risk appetite are usually determined during the objective-setting process, and they both relate to how much risk an organization can bear, after risk treatment, and how much residual risk the organization's management team is willing to prudently accept.
Having defined a risk-tolerance level, management must determine how it intends to respond to a given risk. The organization could decide to accept a given risk, share it, reduce it, or avoid it. Management may also decide to exploit a risk, transforming it into an opportunity. A cargo company, for example, could do any of the following:
* Accept that mechanical issues are a risk of doing business.
* Share the risk by obtaining appropriate insurance coverage.
* Reduce the risk...