IERP® Monthly Newsletter Issue 4/ September 2018 | Page 8

The statement is necessary, but the guidance on creating it is unclear and self-contradictory. Its current shortcomings point to existing misunderstandings in the GRC disciplines regarding the distinctions between risk management and internal control, the former being more future-oriented and the latter being focused on day-to-day operations. Focusing only on operational risk implies a narrow view of risk management, both within the organization as well as to stakeholders and the public.

The Practicality of a SORMIC

During Q&A, participants expressed uncertainty about the actual value of the document. Considering the lack of clarity from the MCCG, most were used to utilizing whatever they had on risk management in their organization, removing confidential data, and calling it a SORMIC – which makes for an overly long document with mostly unnecessary information.

Pillai concurred with the skepticism surrounding SORMIC’s usefulness, but stated that at the end of the day, it’s vital to consider the function and purpose of your organization’s SORMIC as well as its audience. The average layperson will most likely not bother to read it thoroughly in the first place, while for serious investors with larger vested interests, the SORMIC can provide a starting point for further discussions in private.

Within the organization, what is laid out in the SORMIC can also be used as a benchmark to improve or establish processes. Case in point: it is a requirement to disclose the process applied to review the risk management or internal control system. To this end, organizations can perhaps look to implement a Risk and Control Self-Assessment (RCSA) – a useful tool in risk management best practice, regardless of the requirement.

At the same time, crafting a SORMIC requires you to strike a balance between describing the processes and divulging so much information that it inadvertently exposes organizational vulnerabilities. It is also of interest to note that external auditors are only required to check for completion; they are not required to ensure that the SORMIC is accurate or fit for purpose. Thus, fundamentally, the SORMIC is intended as a document to showcase that your organization does have an assurance function, that there is Board oversight in place, and that existing processes are reviewed and revisited annually in order to reach strategic objectives. It is about maintaining investor confidence by telling the public what you do to manage risk, and not necessarily how you do it.

Going forward, there perhaps should be a review of the intended outcomes of MCCG requirements. If the goal of the MCCG is to help ensure the future sustainability of organizations, its disclosure requirements should focus less on internal control and more on risk management, to improve the quality of decision-making and ensure that organizational objectives are being met.
