I really like ISO 31000’s definition of risk: it states that a risk is the effect of uncertainty on objectives, be it positive or negative. As a result, it’s pretty clear that any risk in your register should be associated with your strategic or operational objectives.
What I find is a shame is that this definition hasn’t really been adopted by the rest of the governance, risk, and compliance (GRC) world, especially internal control. In many companies, internal control is still perceived as a necessary evil that you do to ensure you are compliant and don’t get into trouble with the regulator.
That’s a shame, isn’t it?
Wouldn’t it be a whole lot better if control owners were able to report on the company performance whilst performing their internal control assessment—and were also able to suggest enhancements to the business processes?
I might be somewhat Utopian, but I think this is achievable with a slight change of mindset and approach to the topic.
Let’s agree: It’s no evil at all!
Even if you don’t apply it to operational excellence, as I’ll try to illustrate below, internal control is much more than regulatory reporting.
First of all, it protects the company, of course, but also you and your team. Regularly performing controls will enable you to catch issues before they occur or shortly after. If—as you are supposed to—you also act to remediate them, then even if they occur you will have all the documentation to show internally (and also externally) that you did what you could to prevent them.
During recent fraud cases, a few institutions and individuals were able to reduce, if not avoid altogether, potential legal proceedings because they could show that they were mitigating the incident. Of those who did, many used their recorded controls and actions as evidence.
As you can see, it’s not a shield but a bulletproof vest. It doesn’t prevent the projectile—that’s the job of fraud detection and the like—but it reduces or even cancels its impact if all else fails.
It can—and will—help you perform better
Now, let’s do like ISO31000 suggests for risks and associate your existing controls to objectives. And here I’m suggesting we go further than the control objectives from COSO, and associate them directly to the business objectives: achieving a margin of XX%, increasing customer satisfaction by YY%, and so on. Keep in mind that “being compliant with regulation ABCD” is in itself an objective. Once this is done, run a report to consolidate the controls by objective category.
With this information at hand, you’ll very quickly see if your internal control framework is intended just for being and staying compliant or whether some controls are also designed to improve your company.
From there, select a few existing controls or design new ones that are intended to keep an eye on operational processes linked to quantifiable objectives, and that fit in your framework so that they are not viewed as new burdens.
Report on results and increase scope if successful
I already know that these controls will help you flag inefficiencies or potential operational issues before they arise and correct the trajectory quicker than is typically done at year end or when audit reports them. It will also show proactivity, a key factor in today’s world, and demonstrate that internal control supports the business.
If you’re satisfied, then I would suggest reporting these new controls and their positive effects on the business to management and suggest increasing the scope to other functions.
This puts you in the driver’s seat to change the opinion people have about internal control!
Do you agree with this analysis? Have you already implemented a similar approach?
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard.
For more effective risk management strategies, see When Is It OK To Have High Risks In Your Heat Map?