This article was first published in the April 2018 International edition of Accounting and Business magazine.

There is a persistent and growing need for accountability and transparency in philanthropy – as the recent scandals surrounding some well-known charities have made clear. Every year, billions of dollars are spent on achieving the development goals of low-income countries. But how can those responsible for internal control processes ensure that development and humanitarian aid is used as intended, and that financial statements are reliable and comply with laws and regulations? And how do we meet the greater expectations of accountability from global regulatory bodies, donors and even beneficiaries? 

As the financial risks around aid efforts evolve, we need to rely on control systems that prevent or nullify the effect of these risks. 

US anti-fraud body COSO (Committee of Sponsoring Organizations of the Treadway Commission) offers guidance on enterprise risk management (ERM), internal controls and fraud deterrence, and has an internal controls framework focused on ERM. Many companies apply this framework, which is also used by development organisations to achieve their goals and improve performance.

Building a framework

ERM considers four categories of objective: strategic, operational, reporting and compliance. The organisation, its divisions and business units are another dimension to be considered when applying the framework. COSO recommends eight interrelated components for evaluating ERM: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. 

Of these, internal environment is the most critical in assessing financial risk in humanitarian and development projects. It sets the foundation for risk perception, risk management philosophy and risk appetite. For instance, if senior management doesn’t commit to integrity and ethical values, its stance will almost inevitably trickle down to the rest of the organisation. Regardless of how strong the other seven components might be, if directors, team leaders and project managers do not have a sense of accountability or do not demonstrate a commitment to risk management, then implementing controls will prove all but impossible. 

Every organisation or project must have objectives and a supporting environment that contributes to achieving them. Management should identify the internal and external events that are likely to affect objectives, as this exercise will clearly highlight the risks and opportunities. The risks identified should be analysed according to likelihood and impact, with the entity developing an appropriate response for each risk identified. 

Once management has agreed the appropriate responses, it needs to establish the control policies, procedures and systems. For control activities to be effective, they must apply to the entire entity or project, including its divisions, business units and functions. 

Information and communication are vital in keeping a control system functioning effectively. Information must be communicated clearly and be well understood by all the individuals who need it. 

Good systems can become less effective and even redundant if they are not constantly monitored. Other components of ERM must also be monitored continuously to ensure loopholes are plugged. 

As most progressive development organisations work towards becoming agile partners in addressing the world’s most pressing problems, it is vital to manage risk through a framework such as COSO’s to ensure that internal control measures are robust. 

Fejiro Ogbanufe FCCA