
A simple introduction to risk management and internal control in organisations

by Matthew Leitch, 10 November 2004


This complicated field of risk management and internal control needs a simple introduction. It needs an overview that puts everything in place and gets us thinking in the right direction.

But it's not so easy to write. This is a massive subject in which much of the established advice is not good advice. Regulations differ between countries and sectors. Techniques and concepts derived from different sciences and professions often contradict each other in fundamental ways.

Here's my view. It is a little unusual but I hope it works for you as it does for me.

Names

There are many, many definitions around for "risk management" and "internal control" and the one thing they have in common is that they are rather abstract. Some people say risk management is part of internal control, while others say internal control is part of risk management.

Over the years I have noticed that the meaning of both terms, in practice, has expanded so that, today, there is no useful difference in meaning between "risk management" and "internal control". The explanation below is just as true whichever terms you use.

More recently some have suggested using a new term, "uncertainty management", to refer to the field. There are several excellent reasons for this and I increasingly write "uncertainty management".

Objectives

The objectives of risk/uncertainty management programmes should be to (a) open people's minds to the full range of things that may happen in future (i.e. to take off the mental blinkers we wear most of the time) and (b) help people cope with the complexity thus revealed and so act in accordance with their expanded view. All the techniques I recommend concentrate on these. Whether it's reminding an accounts clerk that bank statements and cash books can be wrong so a reconciliation is needed, or helping an executive director think widely about the future direction of a charity so that she will recognise the value of flexibility, the mind has to be open or risk management seems unnecessary.

Psychologists have shown that we tend to be overconfident in predictions and believe we have more control than is really the case. That agrees 100% with my observations. When we work together in organisations the tendency towards a blinkered view of the future is usually increased by various social pressures and management systems.

Approach

We would like to institutionalise an open minded attitude to the future, not a blinkered attitude.

Think widely about the techniques that might make the organisation (or just your part of it) more effective at dealing with uncertainty, particularly in the areas where uncertainty makes a big difference.

Having developed ideas for improved ways of handling uncertainty in critical areas, institutionalise them with procedures, roles, systems, training, or whatever is appropriate to you. It is impossible to anticipate every future requirement and detail, so many of the actions you institutionalise will be analysis/design/planning activities that generate further actions. Things you do regularly, or whenever some trigger event happens, can often be written into your normal procedures and systems, but things that you do once only, on a project perhaps, will need to be generated by something in your normal procedures.

Keep on improving and adapting.

Meeting requirements for audit, certification, accreditation, etc

Which would you rather focus on, managing uncertainty or auditing what you do? It's not a hard question, but unfortunately most regulations about what organisations must do in this area concentrate on laying down specific requirements for evaluating rather than doing. Not surprisingly, risk programmes in organisations tend to be designed to meet regulations and so emphasise evaluation and use a lot of audit techniques.

To avoid this trap I suggest thinking about what would be a sensible way for you to manage uncertainty and then thinking about the easiest way to meet evaluation requirements. An effective management approach will naturally include organised documentation and management information that gives continuous evidence of operation and effectiveness. With those in place a very efficient evaluation is possible.

If you have a well organised analysis of your areas of uncertainty and some powerful methods in place or under development, most auditors will be smiling.

Examples

An example based on a large organisation would be too long for this simple introduction, so here are two examples on a small scale. Although these examples are laid out as tables, with areas of uncertainty linked to improvement ideas, that is not the only way you can do it, and usually not the best for large scale design. Any design method that works counts as risk/uncertainty management.


A charity working to help women at risk from their partners might find that its important areas of uncertainty and ideas for improvement include:

| Areas of uncertainty | Ideas for improved management |
| --- | --- |
| The risks around individual cases involving women. | Review the information collected about risk factors in each case. Experiment with a checklist of risk factors. |
| Funding. Uncertainty about income from one year to the next and also uncertainty about the cost of programmes under consideration. | New forecasting and commitment planning approach based on Adrian Poffley's book, "Financial stewardship of charities", which is excellent on this. |
| Effectiveness of programmes. The true impact of programmes is sometimes hard to measure or even judge, and the effect of proposed programmes is even more difficult to predict. | We've tended to argue about what to do until we reach some kind of consensus but then commit to programmes as if we know what they will achieve. Time to look at how we can gather more information through trials and develop our programmes in an evolutionary way, dynamically adjusting priorities as we learn quickly. |
| The reactions of volunteers. We rely on volunteers and major changes to the way things are done can affect their willingness to continue supporting. | New programme of consultation with volunteers on various ideas for improving programmes and the way the charity is run. |
| Reliability of book keeping and accounting. | Get the accounting controls documentation reviewed. Time to consider a full time book-keeper. |



A local builder may decide that his areas of uncertainty and ideas for improvement include:

| Areas of uncertainty | Ideas for improved management |
| --- | --- |
| The health and safety of the team. | Get the protective clothing I've been meaning to buy for months. Discuss the risk factors of each job with the lads before starting, and give them reminders relevant to each job. |
| Unexpected problems on jobs, especially what we find when we start digging and the results of using unfamiliar tools or materials. | Most of the warning signs are obvious so I'll start checking through a list of potential problem areas and spend a bit more time on design and planning. It would be worth discussing major uncertainties with customers because some will be prepared to pay for work unexpectedly required, particularly if they have been warned of the possibilities. Look at equipment that might allow me to check what is underground or behind a wall before I give a quote. |
| Our schedule through the year, particularly the effects of cancellations, sickness, weather, and project problems. | Stop promising dates to customers so far in advance. Start giving indications of start dates where the customer can be flexible. Update the customer closer to the start time. Look back over typical drift over the last few years so I can give customers a realistic range. |
| Whether customers will pay. | Stage payments through the job. Can't think why I've never asked for more than the cost of materials until now. |
| The uncertainty in the customer's mind about what they want. They seem particularly vague on materials, but some customers find everything difficult to decide. | Increase my range of samples of materials so I can show people the real colour and texture. Offer a drawing service including 3D/perspective drawings of projects. |

The skills needed

The skills that make this work possible include knowledge of methods for managing uncertainty and knowledge of design and planning methods that work with controls on different scales and in different situations. If I had to pick one skill in particular that makes an impact it would be knowledge of uncertainty management methods. The more you know the more the impact can be. If you are excited by the opportunities to raise performance a lot of other things fall into place.

Where to read more

My websites in this area are www.managedluck.co.uk and www.internalcontrolsdesign.co.uk. There are some links pages on them that will take you to more "official" sources.

The main causes of blinkered thinking, and ways to counter it, are described in "Open and honest about risk and uncertainty", which is based on a speech given at the 2004 Risk Management Congress in London. An earlier paper with wider scope and more detail is "Straight and crooked thinking about uncertainty."

There are many ways to manage uncertainty and it pays to get beyond the obvious sign offs and documentation. Many effective methods are described in "Designing intelligent internal control systems."

More ideas on how to break down your areas of uncertainty and how to run a meeting to do it are given in "How to run a risk management meeting", which is written for non-specialists. It gives a realistic description of what sort of behaviour to expect.

The place to start designing better ways to manage uncertainty is with existing methods. Interviewing to find out what is done requires the right types of question in an effective order (and I'm not talking about open vs closed questions!). The skills needed are described in "How to interview someone about risks and controls."

Although it is sometimes easy to think of your uncertainty management system as a table of techniques listed against areas of uncertainty, this is rarely the best design method. A method that works well, particularly for large scale financial processes, is given in "Designing internal control systems" and a similar approach applied to projects is described in "Rapid project risk management". Another example of the design method in action is "Controls for e-business processes."

The practical advantages of concentrating on management to cut down on audit are described in "A new focus for Turnbull compliance" and more information about designing efficient evaluation methods is given in "Sarbanes-Oxley Act section 404 and 302: efficient compliance."

If you're wondering why I like to say "uncertainty management" when the usual term is "risk management", the explanation appears in "Changing risk management to include the upside of risk", "An illustration of upside risk management", and "Results of an experiment in risk and uncertainty management".




About the author: Matthew Leitch is an independent consultant and researcher specialising in internal control and risk management. He is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients.

Words © 2004 Matthew Leitch
