Sandra Richtermeyer, Ph.D., CMA, CPA, is dean of the Manning School of Business at the University of Massachusetts Lowell. She works actively with a variety of professional organizations and is a frequent speaker on professional development, governance, internal control, technology enablement, and performance measurement. In this episode of Count Me In, Sandy talks about enterprise risk management and aligning an organization's mission, vision, and values. Her teaching and research interests are in the areas of corporate governance, accounting information systems, and nonprofit and governmental accounting, she has authored many articles in academic and practitioner publications, and she has held many leadership roles in a variety of organizations over the past 20 years--she is an active board member in a variety of organizations and regularly consults with and provides training for boards on governance best practices and leadership challenges, in addition to coaching CEOs with an emphasis on improving communications between board members, the CEO, and senior management. All of this experience comes through in this episode of Count Me In as Dr. Sandy Richertmeyer offers extremely valuable insight on ERM and organizational best practices.
FULL EPISODE TRANSCRIPT
Welcome back for Episode 20 of Count Me In! Mitch Roshong and Adam Larson from IMA here with you to pass along industry knowledge and the latest perspectives on management accounting. Our expert guest speaker for today's episode has over 20 years of experience as a board member more than 14 years of academic leadership experience and is extremely well versed in presenting on key accounting topics for our conversation. Adam spoke with Dr.. Sandy Richtermeyer on the importance of enterprise risk management.
That's right, Mitch. Sandy is the Dean of the Manning school of business of the university of Massachusetts Lowell. She's previously served as chair of IMA's global board of directors and represented IMA on the COSO board where she served on the committee that updated the COSO internal control integrated framework and the COSO enterprise risk management framework. She is truly committed to organizations achieving excellence through good governance and effective risk management. In this episode, Sandy talks about why organizations should align their mission and vision to create a culture that embraces the tone at the top and enables successful strategic execution through enterprise risk management. Now, here is episode 20 of count me in with Dr. Sandy Richtermeyer.
What advice do you have for organizations seeking to align their mission, vision, and core values with effective risk management programs?
Sometimes when we think about a mission, vision, and core values or as an organization is preparing to to become more risk, mature or refined, or maybe they're just getting started in their risk management program. So I like to give them like three practical exercises, three things that they can work on or think about. Usually you start to set the tone for looking at risk management in a different way. So one of them, one exercise that I ask them to do is to do a mission check. And I think it's good for an organization to do a mission check every three to five years just to make sure their mission statement, mission of their organization is still truly in line with who they want to be. And then after they do that mission check and maybe they make some changes to it or maybe the mission statement that they have in places is working great for them. Then I asked them what top three risks could cause you to fail in your mission? And this is usually a pretty good exercise because oftentimes you get a lot of variance on the responses. But I think by you know, having organization leaders you know, come up with just three, only three top risks that could cause them to fail and then be in alignment on there on those top three risks that could cause their mission to fail can be a very, helpful exercise. And it's one that really sets the tone for what you need to do, you know, down the road as you move through the risk management process. So that's the first exercise I usually ask them to do. And then the second is to evaluate their vision statement and see if that vision statement that they have or sometimes they don't even have one or they confuse it with the mission statement. But usually larger organizations have a vision statement, but ask them to see if this vision statement is a good fit for their ideas on how they want to create, preserve and enhance value. What are they trying to accomplish and how does that vision statement, describe that. And then I asked them to describe what risks could cause them to not achieve their vision. This is where it's also important to bring in the concept of having them think about risks that bring in new opportunities and risks that they want to avoid or mitigate. So the vision statement piece and associated risks is very helpful for them to think about. And then the third exercise we move into evaluating core values. And that's hoping that they have clearly articulated core values. Sometimes an organization might say, well we haven't really, you know, clearly defined our core values. And so this is a great opportunity before they get too far into the risk management process for them to take a step back and really look at their core values. And maybe they have them in place or they create them. But if they say they have core values in place that they've, that they've articulated before or they're that or that they've articulated previously to starting on their risk management journey, then we ask are the core values specific enough to speak to the value creation that they hope to achieve? Are these core values? Are the core values that they have enablers of a good culture? Do they set the tone for a culture that will allow the organization to achieve its strategic goals and achieve its desired performance? Again, these generic or vague values might not bring about a culture that's needed to reach strategic goals and objectives and ultimately strong performance. So it's good to take a pause and do this values check. So I think these three exercises, one is a mission check to evaluate a vision statement. Three, evaluate core values or create a vision statement and create core values. Those are activities that I think can really become very effective and useful that set the right foundation for risk management.
All right. So we've talked about an organization's mission and their vision and how important those are focusing on your risk management program. But what role does the organizational culture play in risk management and then who is responsible for establishing that culture?
Sometimes an organization wants to do everything or organizational leaders want to do everything they can to improve the culture and and help establish the culture that will embrace risk management and all that that entails. They focus on how can they instill more transparency and risk awareness into the culture. Because oftentimes if you look at where does some really core problems exist in organizational culture, very often it has to do with lack of transparency. People don't feel like they know what's going on, they're not aware, they feel like they are on a need to know basis, that type of thing. And they also may not be even remotely aware of the key risks of the organizational faces. So how do you get people to understand or how do you, how do you improve transparency or how do you build a risk aware culture that will be very useful in terms of implementing risk management? Well, what I've seen organizations do is sometimes they they work on ways to encourage people in the organization to, bring up issues of concern to have maybe like, I don't know, for lack of a better example, maybe a suggestion box or maybe it's a way to voice concerns either anonymously or yeah, not anonymously, but basically encouraging people both to talk about key issues of concerns and make sure that when they do that that, that you can help them not have fear of retribution because oftentimes people are reluctant to bring up challenges or concerns or issues that they see because they feel that it's going to come back at them. And so as you find ways to transparently have, you know, maybe a for maybe it's an open for maybe it's an open discussion, ways that you can talk about challenges and concerns in a transparent, open matter manner. And make sure that people feel comfortable in that in discussing their concerns. That can be very helpful. Now that can be hard to do and sometimes it takes organizations, a few tries to get that right but that can be very helpful in terms of you know, elevating a culture and making it more positive and ready to embrace, you know, risk management and, and other strategic goals with the organization. Maybe trying to improve or work on. So again, improving transparency, finding ways to share information, making sure that people understand that they can bring up concerns or opportunity or bring up concerns or new ideas that can be received in a positive way or that they feel that they're able to positively contribute. Another way that I've seen organizations improve their culture and very much helped prepare them for risk management practices is to talk about, you know, if they have a core value statement, to give examples of when that core value statement is alive and kicking. You know, when is it working? Well, maybe an employee does something that, is something that improves customer service and perhaps there's a customer focused values that's very important to the organization. When someone does something in alignment with core values, is that, how do they call that out? How do they talk about that great behavior and share that example and talk about the positive side of how when we embrace our core values, how it affects our culture and it becomes contagious. People want to follow, they want to be part of that and that, and if it's done in a very positive way, that can be very helpful. So, you know, how does that get implemented? Well, senior management needs to buy into that management at different levels of the organization need to think about how they can promote the culture given where they sit in the organization. you know, a large organizations can have a lot of complexities because there can be subcultures and departments or in different areas of the organization. But as leaders at any level, the organization learn how to embrace and Dr.aw out the good, the good things that are happening, the things that are aligned with the culture, talk about them, share them in a very transparent and open way. It can have a dramatic impact on organizational culture.
How do accountants compliment the implementation of a risk management program?
Well, I think the skills and the mindset of accounting and finance professionals are so incredibly important to effective implementation of risk management. When I think about what, you know, management accounting professionals or accounting finance professionals bring to the table. They bring to the table knowledge of obviously reporting on performance gathering information. I think about information flow. How does information flow through the organization? How has it integrated through the organization and how does internal control affect the ability for information to flow through and be helpful? And as they're working on decision support, planning, control activities, those types of things. I'm also hopefully being heavily involved with strategic planning and objective settings. Their skillsets, their ability to synthesize, organize, and communicate with clarity. The issues that are so important to consider with risk management. It's, it's very important to have them involved. In terms of their skillset, I believe that accounting and finance professionals have so much to offer to an organization as they look at deploying risk management and maybe moving from a risk immature organization to a risk mature organization. And when I think about the skill sets that that accounting and finance professionals have I really like to reference the IMA's management accounting competency framework because I think that it's so inclusive. It has all the key elements of what a solid finance and accounting professional should, that they are engaged in, that they should be aware of and knowledgeable of. I think about the, the core foundations of that that revolve around planning and reporting decision making, technology and operations. I mean, if I just start with the planning and reporting aspect, that's so important too. A big part of risk management, particularly right in the right after you think about mission, vision and core values, you know, you move into them to strategy development and the management accounting professionals ability to be at the table while a strategy or strategic planning is happening while it's being conducted. While they're thinking about what is the proposed strategy going to look like? What's involved with that? What resources are needed? How does this impact organizational operations? Those things are so important. And I think that having the input of accounting and finance professionals in those stages of strategic planning and development is absolutely key because in that strategic planning and development session or in that, during that stage you have to be thinking about what are the risks that could impact the organization? What risks what risks are possible, what could cause an organization to not achieve its strategic goals and objectives, to not meet its strategic plan or not to not be able to execute a strategic plan? What could occur that throws an organization off track with its strategy? And that's where risk management is absolutely essential. So in the management accounting competency framework the technology piece is highlighted is very important and many organizations cite that their number one risk that they face or that they feel most uncertain about is technology risk. Whether it's a loss of data, whether it's, you know, ERP downtime or system downtime or theft of data. All different types of things come into play there. And I think that having management accounting professionals, our accounting and finance professionals who are well versed in technology and a technology enablement of key processes in the organization, it can be very, it's very important and very helpful with regards to implementing an effective risk management strategy. Okay. So another way that accounting and finance professionals use their skills and can contribute greatly to enterprise risk management is in their knowledge of performance assessment. So the third component in the COSO erm framework, his performance. Performances is right in the middle of the framework and it's very important to effective effective risk management. Part of that is identifying risks, what organizational risks exist, how can we identify and capture all of these key risks for the organization and the skillset of an accounting and finance professional are very helpful, however, because they can help collect, synthesize and aggregate the information for other key players in the ERM process to evaluate and as they look at each key risk, there needs to be some type of assessment that shows how does that risk affect the performance of the organizational strategy and the business objectives. So the impact on performance is key because in terms of sorting through risks and determining what we're going to focus on, what's the most important? The impact on performance is key. So that risk identification process is, is critical and it's incredibly helpful to have accounting and finance professionals involved with that.
This has been Count Me In
, IMA's podcast providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard and you'd like to be counted in from more relevant accounting and finance education, visit IMA's website at www.imanet.org