Risk Management & Internal Controls Synergy that is often forgotten!

Risk Management & Internal Controls Standards, guidelines, resource centres, institutes,
gateways; an entire industry formed around fundamental business practices commonly known
as risk management and internal controls. Yet, how much is really known about this business
process and how much of what is known is put into practice? Is this important driver of
business performance, as well as being one of the best defences against business failure, so
complex to be able to sustain a worldwide industry?

To define both elements;

1. Risk Management involves having formal processes in place that can effectively identify
and measure and prioritise risk in an order in which the risk needs to be addressed.
2. Internal Controls are the methods implemented to minimise the impact of risk and
includes tracking (monitoring) of the identified (and controlled) risk to help prevent or
detect the materialization of the risk.

If these brief definitions are accurate and I believe they are, why is risk management and
internal control so often not aligned? Clearly the processes go hand in hand; identify the risk,
measure the likely consequences, ignore the risk or mitigate it using adequate controls
and/or insurance and a watchful eye.

Today the positioning of risk management and internal controls reminds me of procurement
operations; lots of emphasis on the principles, yet fraud, corruption and mismanagement
persist and with significant financial loss, particularly in government sectors.

One reason for this is (in my opinion) that both activities often occur in highly decentralized
organisational structures and in widely dispersed geographic settings. Leadership
responsibilities are often highly diffused and staff lack the expertise and abilities (and time)
needed to manage these activities.

In circumstances such as this, its not surprising that weak risk management and internal
controls practices expose organisations to significant dangers, and lost opportunities. Many
people forget that risk is not only a negative threat; risk can also be a positive opportunity.

In other areas, such as financial reporting or auditing, these activities are established at the
highest organisational level (or should be) and expanded, amplified, implemented and
enforced throughout an organisation with standards aligned worldwide. Unless management
recognise the risk and control synergy and achieve commonality in application, appropriate to
their business environment, the probability of success is diminished.

This brings me to who owns risk in an organisation? Managers, process owners, strategic
planners, project and procurement teams, internal auditors, and internal controllers have a
part to play in managing and minimising risk. But have the participants mentioned been
allocated the various components of the risk management and internal control process, and
with their authorities and responsibilities clearly defined?
In the event of a change in risk ownership, can the risk be quickly and effectively re-
allocated? Are inter-dependencies managed in an integrated way? Is information about risks
shared across the organisation to ensure that risks can be identified and managed in a
proactive way? Next to the CEO who in the organisation is in charge of managing risk?

Successful organisations know how to take advantage of opportunities and deal with threats
but in the fragmented business world of the 21st century, balancing risk and opportunity and
improving performance is a complex undertaking for any CEO or business management team.
Success depends on the right combination of tools, techniques and the experience of the
people who are involved in achieving objectives.

Whether managing risk at strategic level, operational, programme or project level, control of
risk can and should be applied uniformly across an organisation including both local and
international operations. Such alignment of risk management and internal control can
significantly benefit operations, help decision making and reduce operational costs. Most of
all it can help to keep the business in business.