A simple introduction to risk management and internal control in organisations
by Matthew Leitch, 10 November 2004
This complicated field of risk management and internal control needs a simple introduction. It needs an overview that puts everything in place and gets us thinking in the right direction.
But it's not so easy to write. This is a massive subject in which much of the established advice is not good advice. Regulations differ between countries and sectors. Techniques and concepts derived from different sciences and professions often contradict each other in fundamental ways.
Here's my view. It is a bit different and I hope it works for you as it does for me.
There are many, many definitions around for "risk management" and "internal control" and the one thing they have in common is that they are rather abstract. Some people say risk management is part of internal control, while others say internal control is part of risk management.
Over the years I have noticed that the meaning of both terms, in practice, has expanded so that, today, there is no useful difference in meaning between "risk management" and "internal control." The explanation below is just as true whichever term you use.
More recently some have suggested using a new term, "uncertainty management", to refer to the field. There are several excellent reasons for this and I increasingly write "uncertainty management".
The main objective of risk/uncertainty management programmes is simply to improve the way uncertainty is managed.
Within that I find it helpful to focus on two sub-objectives: (a) open minds to the full range of things that may happen in future (i.e. to take off the mental blinkers we wear most of the time) and (b) help people cope with the complexity thus revealed and so act in accordance with their expanded view. All the techniques I recommend concentrate on these. Whether it's reminding an accounts clerk that bank statements and cash books can be wrong so a reconciliation is needed, or helping an executive director think widely about the future direction of a charity so that she will recognise the value of flexibility, the mind has to be open or risk management seems unnecessary.
Psychologists have shown that we tend to be overconfident in predictions and believe we have more control than is really the case. That agrees 100% with my observations. When we work together in organisations the tendency towards a blinkered view of the future is usually increased by various social pressures and management systems.
An "internal control" or "uncertainty management" system is not a gadget or computer system, so what in practical, concrete terms are we talking about? An internal controls improvement exercise involves changing the way work is done (and the things that are used to do that work) to deal with the uncertainties the work involves. The changes are connected so that they work together, and in that sense they form a system.
Here are some examples to show the wide range of work that can be improved in this way:
A company sets up a new division from scratch. What should its processes be and how should they be controlled?
A project is started to replace a key computer system in a government department. Hundreds of controls are needed to help make the project a success. Hundreds more are needed in and around the new system to make it robust and yet agile.
Companies are occasionally embarrassed by having to pay a performance bonus to a senior executive for completing some task even though it has turned out to be a bad idea. Controls could be designed to make the process of agreeing rewards take better account of uncertainty over what should be achieved.
Work can be done to change book-keeping procedures to reduce the risk of errors and fraud.
The way engineering design work is done can be changed to better cope with uncertainties about the eventual performance characteristics and use of what is being designed.
An organisation may realise it is being hindered by its system of annual fixed budgets and design a more effective alternative system.
In other words, it's a makeover that institutionalises open mindedness about the future. When people talk about "embedding risk management" this is exactly what they should have in mind.
In some areas there is already a strong tradition of internal control, e.g. business continuity, software testing, credit management, and book-keeping. In other areas, mostly areas of management, there is a lot that can be done that hasn't been done already, with huge scope for innovation and new ideas. I sometimes use the phrase "intelligent internal controls" to refer to controls that involve managers and go beyond traditional checklists and sign offs. Scenario planning, for example, is an intelligent control because it opens minds to the future and helps them deal with it.
The scope for improving intelligent controls is huge. The reason for this is the human tendency to ignore uncertainty, and view the future too narrowly. Going through life continually surprised does not stop us from thinking this way! These mental blinkers are institutionalised in many management processes.
[A practical difference between the phrases "risk management" and "internal control" is that when people talk about internal control they usually focus on dumb, traditional controls that are routinely recurring, whereas when they talk about risk management they more often think of intelligent controls that are generated as one-offs for a project or business plan. It makes sense to consider all types of control and to design a system that has a bedrock of recurring controls, including some that generate the one-off control actions needed for non-recurring circumstances.]
We would like to institutionalise an open minded attitude to the future, not a blinkered attitude.
We should think widely about the techniques that might make the organisation (or just our part of it) more effective at dealing with uncertainty, particularly in the areas where uncertainty makes a big difference.
Having developed ideas for improved ways of handling uncertainty in critical areas, we should institutionalise them with procedures, roles, systems, training, or whatever is appropriate to us. It is impossible to anticipate every future requirement and detail, so many of the actions we institutionalise will be analysis/design/planning activities that generate further actions. Things done regularly, or whenever some trigger event happens, can often be written into normal procedures and systems, but things done once only, on a project perhaps, will need to be generated by something in our normal procedures.
We should keep on improving and adapting.
Let's get one thing clear immediately: listing risks and writing controls against each one will not produce an internal control system worthy of the name. Creating something that works well takes knowledge, skill, creativity - and an approach that helps you use them.
The best way to design internal control systems is naturally. The methods described on this website are natural. They involve starting with one or more generic control schemes then modifying, combining, and detailing them to take account of the distinctive characteristics of the process, organisation, people, products, etc. This begins with high level design, sketching out roughly what has to be built, from which the work needed to design details and implement them can be seen. Detailed work follows.
Thinking about risk is part of this, but not the sole determinant of the control system.
I hope you agree that this sounds natural and obvious, but please be aware that the most commonly talked about method today is to list "risks" and write controls next to them. That's fine if you're just trying to find what controls are there already, or as a rough and ready "to do" list, but would you expect an architect to design a building by just making lists of the doors, windows, and walls? Of course not! Unless you can put the elements together into a meaningful structure or system it's hard to see what you're doing. How would you feel if a building had some rooms with no doorways at all, or if visitors through the main entrance had to pass through the kitchen before reaching other rooms?
Which would you rather focus on, managing uncertainty or auditing what you do? It's not a hard question, but unfortunately most regulations about what organisations must do in this area concentrate on laying down specific requirements for evaluating rather than doing. Not surprisingly, risk programmes in organisations tend to be designed to meet regulations and so emphasise evaluation and use a lot of audit techniques.
To avoid this trap I suggest thinking about what would be a sensible way for you to manage uncertainty and then thinking about the easiest way to meet evaluation requirements. An effective management approach will naturally include organised documentation and management information that gives continuous evidence of operation and effectiveness. With those in place a very efficient evaluation is possible.
If you have a well organised analysis of your areas of uncertainty and some powerful methods in place or under development most auditors will be smiling.
Thanks to section 404 of the Sarbanes-Oxley Act, many large companies around the world are now having to compare their internal controls against some kind of model system. The model most people are using is called the COSO internal control framework, but it is very high level and not adapted to any particular company. Also, it is narrowly focused on book-keeping.
Nevertheless, this is an exciting move for audit. Instead of looking at controls and asking "Do these look as if they work?" (accepting any reasonable looking design) the auditors will, increasingly, look at controls and ask "Do these match the model our organisation has chosen?"
Audit work can be done much more quickly this way, and recommendations are easier to make and agree.
An example based on a large organisation would be too long for this simple introduction, so here are two examples on a small scale. Although these examples are laid out as tables, with areas of uncertainty linked to improvement ideas, that is not the only way you can do it, and usually not the best for large scale design. Any design method that works counts as risk/uncertainty management.
A charity working to help women at risk from their partners might find that its important areas of uncertainty and ideas for improvement include:
| Areas of uncertainty | Ideas for improved management |
|---|---|
| The risks around individual cases involving women. | Review the information collected about risk factors in each case. Experiment with a checklist of risk factors. |
| Funding. Uncertainty about income from one year to the next and also uncertainty about the cost of programmes under consideration. | New forecasting and commitment planning approach based on Adrian Poffley's book, "Financial stewardship of charities", which is excellent on this. |
| Effectiveness of programmes. The true impact of programmes is sometimes hard to measure or even judge, and the effect of proposed programmes is even more difficult to predict. | We've tended to argue about what to do until we reach some kind of consensus but then commit to programmes as if we know what they will achieve. Time to look at how we can gather more information through trials and develop our programmes in an evolutionary way, dynamically adjusting priorities as we learn quickly. |
| The reactions of volunteers. We rely on volunteers and major changes to the way things are done can affect their willingness to continue supporting. | New programme of consultation with volunteers on various ideas for improving programmes and the way the charity is run. |
| Reliability of book-keeping and accounting. | Get the accounting controls documentation reviewed. Time to consider a full time book-keeper. |
A local builder may decide that his areas of uncertainty and ideas for improvement include:
| Areas of uncertainty | Ideas for improved management |
|---|---|
| The health and safety of the team. | Get the protective clothing I've been meaning to buy for months. Discuss the risk factors of each job with the lads before starting, and give them reminders relevant to each job. |
| Unexpected problems on jobs, especially what we find when we start digging and the results of using unfamiliar tools or materials. | Most of the warning signs are obvious so I'll start checking through a list of potential problem areas and spend a bit more time on design and planning. It would be worth discussing major uncertainties with customers because some will be prepared to pay for work unexpectedly required, particularly if they have been warned of the possibilities. Look at equipment that might allow me to check what is underground or behind a wall before I give a quote. |
| Our schedule through the year, particularly the effects of cancellations, sickness, weather, and project problems. | Stop promising dates to customers so far in advance. Start giving indications of start dates where the customer can be flexible. Update the customer closer to the start time. Look back over typical drift over the last few years so I can give customers a realistic range. |
| Whether customers will pay. | Stage payments through the job. Can't think why I've never asked for more than the cost of materials until now. |
| The uncertainty in the customer's mind about what they want. They seem particularly vague on materials, but some customers find everything difficult to decide. | Increase my range of samples of materials so I can show people the real colour and texture. Offer a drawing service including 3D/perspective drawings of projects. |
The skills that make this work possible include knowledge of methods for managing uncertainty and knowledge of design and planning methods that work with controls on different scales and in different situations. If I had to pick one skill in particular that makes an impact it would be knowledge of uncertainty management methods. The more you know the more the impact can be. If you are excited by the opportunities to raise performance a lot of other things fall into place.
My websites in this area are www.managedluck.co.uk and www.internalcontrolsdesign.co.uk. There are some links pages on them that will take you to more "official" sources.
The main causes of blinkered thinking, and ways to counter it, are described in "Open and honest about risk and uncertainty", which is based on a speech given at the 2004 Risk Management Congress in London. An earlier paper with wider scope and more detail is "Straight and crooked thinking about uncertainty."
There are many ways to manage uncertainty and it pays to get beyond the obvious sign offs and documentation. Many effective methods are described in "Designing intelligent internal control systems."
More ideas on how to break down your areas of uncertainty and how to run a meeting to do it are given in "How to run a risk management meeting", which is written for non-specialists. It gives a realistic description of what sort of behaviour to expect.
The place to start designing better ways to manage uncertainty is with existing methods. Interviewing to find out what is done requires the right types of question in an effective order (and I'm not talking about open vs closed questions!). The skills needed are described in "How to interview someone about risks and controls."
Although it is sometimes easy to think of your uncertainty management system as a table of techniques listed against areas of uncertainty this is rarely the best design method. A method that works well, particularly for large scale financial processes is given in "Designing internal control systems" and a similar approach applied to projects is described in "Rapid project risk management". Another example of the design method in action is "Controls for e-business processes."
The practical advantages of concentrating on management to cut down on audit are described in "A new focus for Turnbull compliance" and more information about designing efficient evaluation methods is given in "Sarbanes-Oxley Act section 404 and 302: efficient compliance."
If you're wondering why I like to say "uncertainty management" when the usual term is "risk management", the explanation appears in "Changing risk management to include the upside of risk", "An illustration of upside risk management", and "Results of an experiment in risk and uncertainty management".
About the author: Matthew Leitch is an independent consultant, researcher, and author specialising in internal control and risk management. He is the author of www.workinginuncertainty.co.uk and www.internalcontrolsdesign.co.uk and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it.