‘Compliance-only mentality’ is bad for risk management

Risk management should be embedded in business processes rather than ‘bolted on’, says IFAC

Having a ‘compliance-only’ mentality is one of several serious risk management flaws highlighted in a new report by the International Federation of Accountants (IFAC).

The 26-page report, entitled From Bolt-On to Built-In: Managing Risk as an Integral Part of Managing an Organisation, examines how companies should integrate risk management into their existing processes instead of treating it as an added function.

According to the report, other risk management flaws include treating risk simply as a negative and “overlooking the idea that organisations need to take risks in pursuit of their objectives”, and having internal control that is so focused on external financial reporting that other material organisational risk is not effectively monitored.

It also emphasised that line managers should be aware that they are managing risk as part of their everyday roles and responsibilities – in other words, risk management should not be regarded as a separate function or process.

In the report, IFAC states that effective risk management supports management’s attempts to make all parts of an organisation more cohesive, integrated and aligned with its objectives, while operating more effectively, efficiently, ethically and legally. Yet some organisations “rely on ad-hoc crisis management that attempts to recover the status quo after an event”.

Fayez Choudhury, IFAC’s CEO, said: “This paper recognises what risk management was originally intended to do for an organisation – help support effective decision-making and improve performance.

“Too many organisations don’t realise how useful risk management can be if integrated properly. Without this step – building risk management into your organisation – too many management teams are missing the point and missing the benefits.”

In its report, IFAC identifies eight ways that organisations can effectively integrate risk management within their overall structure. These include setting objectives that aim to create sustainable value and growth, monitoring risk in relation to those objectives, and ensuring that those responsible for setting and achieving the organisation’s objectives are also responsible for effectively managing the related risk.

The report also states that the application of risk management needs to be tailored according to the requirements of each individual organisation.
