Enterprise Risk Management and the PMBOK

Enterprise Risk Management is a term used to describe a holistic approach to managing the risks and opportunities that the organization must manage intelligently in order to create maximum value for their shareholders. The foundation for the approach is the alignment of the organization’s management of risks and opportunities to their goals and objectives. One of the keys to this alignment is the “Risk Appetite” statement which is a statement encapsulating the direction the Board gives management to guide their risk management methods. The statement should describe in general terms what kinds of risk the organization can tolerate and which it can’t. This statement plus the organization’s goals and objectives guides management in the selection of projects the organization undertakes. The statement also guides management in setting risk tolerance levels and determining which risks are acceptable and which must be mitigated.

This article will attempt to review Enterprise Risk Management (ERM) and relate it to the best project management practices found in the PMBOK® (4th Edition). The source for most of my information about ERM comes from a study published by the Committee of Sponsoring Organizations (COSO) of the Treadway commission published in 2004. The Treadway commission was sponsored by the American Institute of Certified Public Accountants (AICPA) and the COSO consisted of representatives from 5 different accounting oversight groups as well as North Carolina State University, E.I. Dupont, Motorola, American Express, Protective Life Corporation, Community Trust Bancorp, and Brigham Young University. The study was authored by PriceWaterhouseCoopers. The reason for listing the oversight committee and authors is to demonstrate the influence the insurance and financial industries had over the study.

The approach suggested by the study, which is probably the most authoritative source of ERM information, is very similar to approaches taken to managing quality in the organization in that it places emphasis on the responsibility of senior management to support ERM efforts and provide guidance. The difference here is that, while Quality methodologies such as CMM or CMMI place the responsibility on management to formulate and implement quality policies, ERM takes responsibility right to the top: the Board of Directors.

Let’s go through the study recommendations and relate them to the processes recommended in the PMBOK. To refresh your memories, those processes are:

Plan Risk Management
Identify Risks
Perform Qualitative Risk Analysis
Perform Quantitative Risk Analysis
Plan Risk Response
Monitor and Control Risks

ERM begins by segregating goals and objectives into 4 groups: strategic, operations, reporting, and compliance. For the purposes of managing projects, we need not concern ourselves with operational risks. Our projects might support implementation of reports and our projects may be constrained by the need to comply with organizational or governmental guidelines, standards, or policies. Projects in the construction industry will be constrained by the need to comply with the relevant safety laws enforced in their location. Projects in the financial, oil & gas, defense, and pharmaceutical industries will also be required to comply with government laws and standards. Even software development projects may be required to comply with standards adopted by the organization, for example quality standards. Projects are a key means of implementing strategic goals so goals in this group are usually applicable to our projects.

The study recommends 7 components:

Internal environment: The key component of the internal environment is the “Risk Appetite” statement from the Board. The environment also encompasses the attitudes of the organization, its ethical values, and the environment in which it operates.
PMBOK® Alignment: The description in the study is actually very close to the description of Enterprise Environmental Factors. Enterprise Environmental Factors are an input to the Plan Risk Management process. The PMBOK also refers to the organization’s risk appetite in its description of Enterprise Environmental Factors, as well as attitudes towards risk.
Objective Setting: Management is responsible for setting objectives that support the organization’s mission, goals, and objectives. Objective setting at this level must also be consistent with the organization’s risk appetite. The objective setting here may refer to objective setting for the project, as well as any of the other 4 groups.
PMBOK® Alignment: Goals and objectives should include those that pertain to risk management. The project’s Cost and Schedule Management plans are inputs to the Plan Risk Management process. These documents should contain descriptions of the goals and objectives in these individual areas. These goals and objectives may determine how risks are categorized (Identify Risks), prioritized (Perform Qualitative Risk Analysis), and responded to (Plan Risk Response).
Event Identification: Events that pose a threat to the organization’s goals and objectives are identified, as well as events that present the organization with an opportunity of achieving its goals and objectives (or unidentified goals and objectives). Opportunities are channeled back to the organization’s strategy or objective setting processes.
PMBOK® Alignment: This component aligns exactly with the Identify Risks process from the PMBOK. The only significant difference here is the recommendation that opportunities be channeled back to the organization’s strategy or objective setting processes. The PMBOK offers no guidance here, but this component can be supported by simply referring any opportunity not identified with an existing project goal or objective back to the project sponsor.
Risk Assessment: Risks are scored using a probability and impact scoring system. Risks are assessed on an “inherent and residual” basis. This simply means that once a risk mitigation strategy has been defined, its effectiveness is measured by determining a probability and impact score with the risk mitigation strategy in place. This score is referred to as residual risk.
PMBOK® Alignment: This component aligns closely with the Perform Qualitative Risk Analysis process, which provides the probability and impact scoring for the identified risks. The Monitor and Control Risks process also supports this component: it is the process that measures the effectiveness of the mitigation strategies and therefore determines the residual risks.
Control Activities: Policies and procedures are established to ensure that risk responses are effectively carried out.
PMBOK® Alignment: This component is supported by the Plan Risk Management process. The output of this process is the Risk Management Plan, which describes the risk management procedures the project will follow. Keep in mind that Control Activities is wider in scope than Plan Risk Management; the Plan will only cover those procedures that pertain to the project. The Monitor and Control Risks process also supports this component, ensuring that the procedures defined in the plan are carried out and are effective.
Information and Communication: This component describes how information pertaining to risks and risk management is identified, captured, and communicated throughout the organization.
PMBOK® Alignment: This component is actually supported by the processes in the Communications Management knowledge area, which manage all project communications. The Risk Management Plan will identify the information, how it is captured, and how it is maintained. The Communications Plan will describe to whom, when, and how the information is to be communicated.
Monitoring: Specifies that ERM is monitored and changed when necessary. Monitoring and change are performed in 2 ways: ongoing management activities and audits.
PMBOK® Alignment: Monitor and Control Risks supports this component. This process uses Risk Reassessment, Variance and Trend Analysis, Reserve Analysis, and Status Meetings to monitor risk management activities and ensure that the activities are meeting the project’s goals and objectives. This process also describes audits as a technique for determining whether planned activities are being carried out and are effective. One of the outputs of this process is updates to the Risk Management Plan in the case where activities are not effective in controlling risks. Preventive and corrective actions are also recommended to address cases where activities are not being carried out, or are incorrectly performed.

ERM provides assurance of its own effectiveness by determining whether all 7 components of ERM have been provided for, across all 4 categories of organizational goals and objectives. Project management will not cover all areas of each component in each category, but will cover those organizational goals and objectives supported by the project and all the reporting and compliance goals and objectives that apply to the project.

Internal Control for ERM is provided for by the guidelines described in the Internal Control – Integrated Framework document authored by COSO. We won’t go into detail describing these guidelines but treat them at a summary level. The ERM study aligns with the guidelines and refers the reader to that document for compliance details. The details of compliance would concern an organization implementing ERM, but that must be instigated by the Board and would only concern a project manager if they were responsible for a project which implemented ERM. The guidelines place risk controls alongside the other internal controls of the organization (keep in mind these guidelines are insurance and finance-centric). The guidelines provide for the assignment of responsibilities to 3 organizational roles: the Chief Financial Officer, the Chief Information Officer, and the Chief Risk Officer. The Chief Legal Officer is identified in lieu of a Chief Risk Officer. The CFO is responsible for monitoring internal control of financial reporting, the CIO is responsible for monitoring internal control over information systems, and the CRO is responsible for monitoring internal control over compliance with laws, standards, and regulations. The guidelines reiterate that the risk management tone is set from the top of the organization, as evidenced by the company officers responsible for monitoring.

The Internal Control – Integrated Framework guidelines also acknowledge that monitoring and control are prone to human error and that not all procedures have equal importance. They address this by identifying the most critical procedures using “key-control analysis”, which is used to determine whether control procedures and processes are effective. The guidelines also attempt to provide direction in the identification of preventive or corrective actions to improve internal controls, by evaluating the information that measures effectiveness: only if the information is “persuasive” should corrections be made. The guidelines provide for internal audits of internal control procedures but acknowledge that not every organization will be large enough to warrant that role, and that there is a place for external audits in internal controls.

Most of the reporting the project manager will be responsible for will be what the guidelines term “internal”, that is, reports that will only be read by management. In some cases reports may be read by third-party external organizations. The project manager’s reporting on risk management on their project may form a part of the information reported externally, but the project manager should not be made responsible for reporting externally.

The guidelines require that implementation of a framework be scaled to suit the size and complexity of the organization it serves. Scalability will require the organization to identify who will be responsible for a given activity. For example, the organization may not have a Chief Risk Officer in which case some other role must be identified for compliance responsibility. This responsibility will be delegated to the project manager when any compliance objectives form part of the project’s objectives.

Risk Management in Accounting Firms: Overview of The New Australian Standards

At its most basic level, risk is defined as the probability of not achieving, or reaching, certain outcomes (goals). Risk is measured in terms of the effect that an event will have on the degree of uncertainty of reaching stated objectives. In this context risk is commonly given a negative connotation: the risk of an adverse event occurring.

This article discusses the risks faced by accounting firms in Australia, and gives an overview of the new risk management standard (APES 325) issued by the professional standards board.

In the context of the professional Accounting Firm, risk is not a new concept for practitioners: it has been attached to the profession for as long as accountants have offered services in a commercial setting. However, as the number and size of legal claims against professional public accountants has increased over the years, so too has the importance of risk and risk management.

Risk management is the system by which the firm seeks to manage its over-arching (and sometimes, conflicting) public-interest obligations combined with managing its business objectives. An effective risk management system will facilitate business continuity, enabling quality and ethical services to be supplied and delivered to clients, in conjunction with ensuring that the reputation and credibility of the firm is protected.

The Accounting Professional & Ethical Standards Board (APESB) recognised that public interest and business risks had not been adequately covered in existing APES standards, notably APES 320 (Quality Control for Firms). Accordingly, APES 325 (Risk Management for Firms) was released, with mandatory status from 1 January 2013. In releasing the standard, the APESB replaces and extends the focus of a range of risk management documents issued by the various accounting bodies.

The intention of APES 325 is not to impose onerous obligations on accounting firms that are already complying with existing requirements addressing engagement risks. All professional firms are currently required to document and implement quality control policies and procedures in accordance with APES 320/ASQC 1. Effective quality control systems, tailored to the activities of the firm, will already be designed to deal with most risk issues that arise in a professional public accounting firm. However, APES 325 does expect firms to consider the broader risks that impact the business generally, particularly its continuity.

The process of risk management in the Professional Accounting Firm requires a consideration of the risks around governance, business continuity, human resources, technology, and the business, financial and regulatory environments. While this is a useful list of risks to consider, it is the risks relevant to the operations of the practice that should be given closest attention.

The ultimate objective for compliance with the Risk Management standard is the creation of an effective Risk Management Framework which allows a firm to meet its overarching public interest obligations as well as its business goals. This framework will consist of policies directed towards risk management, and the procedures necessary to implement and monitor compliance with those policies. It is expected that the bulk of the Firm’s quality control policies and procedures (developed in accordance with APES 320) will be embedded within the Risk Management Framework, thus facilitating integration of the requirements of this standard and those of APES 320, and ensuring consistency across all the Firm’s policies and procedures.

A critical component of the Risk Management Framework is the consideration and integration of the Firm’s overall strategic and operational policies and practices, which also needs to take account of the Firm’s risk appetite in undertaking potentially risky activities.

Whilst the Standard allows for the vast majority of situations that are likely to be encountered by the accounting firm, the owners should also consider whether there are particular activities or circumstances that require the Firm to establish policies and procedures in addition to those required by the Standard to meet the stated aims.

Establishing & Maintaining

Ultimately, it is the partners (or owners) of the Accounting Firm that bear responsibility for the Firm’s Risk Management Framework. So it is this group (or person, if solely owned) that must take the lead in establishing and maintaining a Risk Management Framework, as well as periodically evaluating its design and effectiveness.

Often, the establishment and maintenance of the Risk Management Framework is delegated to a single person (sometimes not an owner), so the Firm must ensure that any personnel assigned responsibility for establishing and maintaining its Risk Management Framework in accordance with this Standard have the necessary skills, experience, commitment and (especially) authority.

When designing the framework, the firm requires policies and procedures to be developed that identify, assess and manage the key organisational risks being faced. These risks generally fall into 8 areas:

Governance risks and management of the firm;
Business continuity risks (including succession planning and non-technology disaster recovery);
Business operational risks;
Financial risks;
Regulatory change risks;
Technology risks (including disaster recovery);
Human resources; and
Stakeholder risks.

The nature and extent of the policies and procedures developed will depend on various factors such as the size and operating characteristics of the Firm and whether it is part of a Network. In addition, if there are any risks that happen to be specific to a particular firm, caused by its particular operating characteristics, these also need to be identified and catered for. At all times, a Firm’s public interest obligation must be considered.

A key factor in any risk management process is the leadership of the firm, as it is the example set and maintained by the Firm’s leadership that sets the tone for the rest of the firm. Consequently, a Firm’s adoption of a risk-aware culture depends on clear, consistent and frequent actions and messages from and to all levels within the Firm. These messages and actions need to constantly emphasise the Firm’s Risk Management policies and procedures.

An essential component of the Risk Management process is monitoring the system, to enable the Firm overall to have reasonable confidence that the system works. The system works when risks are properly identified and either eliminated, managed, or mitigated. Most risks cannot be entirely eliminated, so the focus of the system needs to be on managing risks down (preventing occurrences as far as practicable), or mitigating the risk (handling the event should it occur).

As part of the system, a process needs to be installed that constantly ensures that the Framework is – and will continue to be – relevant, adequate and operating effectively, and that any instances of non-compliance with the Firm’s Risk Management policies and procedures are detected and dealt with. This includes bringing such instances to the attention of the Firm’s leadership who are required to take appropriate corrective action.

The Framework needs regular monitoring (at least annually) by someone from within the Firm’s leadership (either a person or persons) with sufficient and appropriate experience, authority and responsibility for ensuring that such regular reviews of the Firm’s Risk Management Framework occur when necessary.

A Risk Management system needs to be properly and adequately documented, so that all the necessary requirements can be complied with, and referred to (if necessary). The form and content of the documentation is a matter of judgment, and depends on a number of factors, including: the number of people in the firm; the number of offices the Firm operates; and the nature and complexity of the Firm’s practice and the services it provides.

Proper and adequate documentation enables the Risk Management policies and procedures to be effectively communicated to the Firm’s personnel. A key message that must be included in all such communications is that each individual in the firm has a personal responsibility for Risk Management and is required to comply with all such policies and procedures. In addition, and in recognition of the importance of obtaining feedback, personnel should be encouraged to communicate their views and concerns on Risk Management matters.

In documenting the risk framework, the Firm needs to cover the following aspects:

The procedures to be followed for identifying potential Risks;
The Firm’s risk appetite;
The actual identification of risks;
Procedures for assessing and managing, and treating the identified risks;
Documentation processes;
Procedures for dealing with non-compliance with the framework;
Training of Staff in relation to Risk Management; and
Procedures for regular review of the Risk Management Framework.

In alignment with the monitoring of the Risk Management system, all instances of non-compliance with the Firm’s Risk Management policies and procedures detected through its monitoring process need to be documented, together with the actions taken by the Firm’s leadership in respect of the non-compliance.

Finally, all relevant documentation pertinent to the Risk Management process needs to be retained by the Firm for sufficient time to permit those performing the monitoring process to evaluate compliance with the Risk Management Framework, and also to follow applicable legal or regulatory requirements for record retention.

Risk is an ever-present and growing component of delivering professional accounting services to clients, and is not confined to taking on client work that can put the firm’s reputation into decline. It is the everyday business conditions and decisions made that can weigh heavily on a firm.

The modern accounting firm is in the unique position of having all the operating risks of a main-stream business, with the addition of those imposed by the various regulators and authorities.

A comprehensive and effective Risk Management Framework will assist the owners of a firm in identifying deficiencies and blind spots that can impact the firm, as well as placing a commercial assessment on the probability of an occurrence, and putting in place clear plans on what to do and when.

With more than twenty years in the fields of accounting and finance, sales and marketing, and operational activity, Michael (MK) has an extensive understanding of how businesses succeed in a holistic manner.

He is also the Director of Insignia Consulting, accounting and business management consultants. Insignia Consulting has particular expertise, and specialises in The Quality Control Manual for Accounting Firms in Australia, with experience with QA Audits and developing customised manuals for public practice firms.

Risk Management on Projects

Project Risk Management

How does project risk management differ from any other type of risk management? Well, in most regards it doesn’t. However, as this is a project-focused activity, it helps simplify the overall focus by looking only at the core project fundamentals of scope, which are cost, quality and time. Remember that, I may test you later!

There are a number of good training videos available on YouTube that cover this principle. I’ve added a couple below to help bring home the point of this article. I find watching a presentation often easier to take in than reading someone else’s thoughts.

So what is project risk management all about? In an earlier article I talk about what risk and risk management are about. If you are still confused about what risks are and what risk management is about then read this article; it should bring you into the picture. On projects we talk about risk as any event that could cause an unplanned change to the project’s scope, i.e. impact the project costs, timeline or quality of the deliverables, or any combination of the three.

What isn’t always obvious when talking about project risk management is that we also need to consider the positive impact a risk may have on a project, i.e. reduce costs, shorten the timeline or increase the quality of deliverables. In reality it’s not very often that project risks present positive opportunities. Nevertheless, as project managers we have a responsibility to recognize and act on these risks, positive or negative. That’s Project Risk Management.

David Hinde wrote a good article back in 2009 about using the Prince 2 Risk Management technique. Without getting embedded in any particular methodology, the general approach to project risk management should follow a similar framework, and this is as good as any for the purpose of this article.

David talks through a seven-step process:

Step 1: Having a Risk Management Strategy

This means setting up a process and procedure and getting full buy-in from stakeholders on how the organization will manage risk for the project.

Step 2: Risk Management Identification Techniques

Where do you start in the identification of risks around a project? There are many risk management techniques, and David suggests a few which are excellent. However, I like to take a step back and make a list of all the critical elements of a project on the basis of “if this task doesn’t happen, will it be a show stopper?”. This helps me build a prioritized list of critical tasks against which I can then consider the risks: what could go wrong to impact this task?

Here’s my thought process on risk identification outlined:

List out critical deliverables
List out, against each deliverable, dependent tasks
List out, against all dependent tasks and critical deliverables, “any” potential event that could delay or stop the delivery to plan.
Grab a template risk analysis matrix and complete the first pass of assessment: probability v impact for each risk.
Take it to a project meeting and use it as the baseline for brainstorming.

Step 3: Risk Management Early Warning Indicators

Don’t rely on basic performance of the project as an indicator that everything is going well. Status reports showing a steady completion of tasks could be hiding a potential risk.

In risk management a number of other factors need to be on the project manager’s radar on a daily basis. Things that I always look for are delivery dates from vendors (how confirmed are they? Is there movement in the delivery dates? You’ll only see this if you regularly ask the vendor for confirmation updates) and resource issues, such as key individuals taking sick leave or personal leave more often than normal.

Delays in getting certain approvals signed off by the steering committee or other governance bodies: will this impact orders going out or decisions being made on critical tasks? Getting qualified people in for inspections and certification (new buildings, for example, require a lot of local regulatory inspections). These are just a few of the daily challenges a Project Manager will face, and all can be indicators of trouble to come.

As you gain more experience in risk management you start to instinctively recognize the early warning signs and challenge the culprits earlier in the process. You’ll also find that a good project manager will build in mitigation for the common project ailments at the very start; sometimes seeing the tell-tale signs when selecting vendors or suppliers is enough to choose better alternatives, and this is what I call dynamic risk management at work.

Also keep an eye on the world around you: economic or geological events elsewhere can have a dramatic impact on local suppliers and supplies of key project materials. For example, flooding in Thailand has impacted the delivery of various computer components that are manufactured there, affecting both supply lines and pricing. (Yes, I work in Asia, so I see this type of impact first hand.)

Step 4: Assessing the Overall Risk Exposure in Risk Management

Taken directly from David’s article, as he says this quite clearly: “PRINCE2 2009 gives an approach to show the overall risk situation of a project. Each risk is given a likelihood in percentage terms and an impact should it occur in monetary terms. By multiplying one by the other an expected value can be calculated. Totaling the expected values of all the risks gives a monetary figure that easily shows the exposure of the whole project to risk.”

I’ve seen many similar ways of calculating risk in organizations, all variations on this approach. As long as there is a common approach for showing all risks, their prioritization and their impact on a project, then risk management will work and add value in protecting the investment in the project. Each project and each organization will have their own requirements in terms of how they want to see risks analysed and presented. By and large it doesn’t matter how this is done, as long as it IS done and it makes sense in the context of the project and organization. There are risk management tools to help organise and manage this.

In another article I’ll talk more about the Risk Management matrix and show a few examples. In my mind the only wrong way to do this is to not do it at all.

Step 5: Considering the Effect of Time on a Risk and Risk Management

The effect of time when analyzing risks is that the more imminent a risk, the higher priority it may take. I say “may” as it may be that a very low priority risk with low impact is about to happen, whereas a higher priority risk may be weeks or months away. How do you manage this?

Common sense (of which there is no such thing) would suggest that if the higher priority risks are still a long time away then the imminent lower priority risks should be dealt with first, as a higher priority? Perhaps?

You’ll have to take a pragmatic view on this; every situation needs to be taken on its merits, and in risk management, which is not an exact science, you’ll be expected to make judgment calls and discuss options with your client and project board or steering committee. After all, the governance board of a project has a responsibility to steer such decisions, so the role of a good project manager should be to collate the facts and present the data with recommendations. Let the higher paid guys make the big decisions.

Step 6: Giving a Clearer Approach to Help Define Risks in Risk Management

David gives an example in his article which I’m struggling to relate to the world of projects as I know them. I think essentially what this focuses on is the “mechanics” of the risks, in such a way as to help us understand and look at the cause and effect of scenarios that could lead to the risk happening.

In this way we can focus on the lowest common denominator(s) that will generate the risk and mitigate those items. Is that a little confusing? The principle, I believe, is to nip the problem in the bud by recognizing what or where the bud is. Don’t get hung up on this; I would say this is something you’d tend to do naturally as you gain experience in reviewing risks and dealing with risk mitigation (prevention).

Step 7: Focus on Opportunities in Risk Management

Finally, and last but not least, where can we make or recognize risks as opportunities? An example David talks about suggests that a new release of a software product that would offer major benefits if included in the project would be a possible “positive” risk.

This I can relate to more, with the experience of being asked to change the specification on a traders’ dealing system halfway through a major project because the manufacturer had released a major systems improvement, a completely new model, that the bank saw as a strategic advantage.

The analysis of this risk covered the obvious change in costs (the new system was more expensive); the implementation had zero impact compared to the older system, however there was a large element of re-training the trading staff and proving the system for the bank before go-live. This became the biggest challenge once the cost differential had been signed off by the project board.

The additional training time required was squeezed into evenings and weekends so the final project delivery schedule was not impacted, but getting vendor and project resources to support the additional work, and making sure the system was fully functional and supported operationally when the new facility went live, added cost and stress that hadn’t been anticipated. This is where risk management and change management overlap, a topic for another article.