Relating Internal Controls to Issues and Risks
As suggested in Distinguishing Issues Versus Risks, whether you are implementing Enterprise Risk Management (#ERM), Integrated Risk Management (#IRM), Operational Risk Management (#ORM) or all of the above programs, there is value to the stakeholders in clearly distinguishing between issues and risks.
Similarly, there is value in ensuring that all stakeholders have a clear and common understanding of the relationship between controls and issues. Perhaps the following will help you in sharing this additional perspective.
In the last article, we considered the objective of driving a car to Toronto by Tuesday in winter conditions. In that article, we learned that bald tires could remain only an issue as long as no active objective required the use of the car, because without such an objective no trigger event would be realized and thus no risk could manifest.
What we didn’t consider previously is that Bob, the owner of the car, is a consultant and must drive to Toronto often for contract commitments. As such, he wants to minimize any travel objective uncertainty (risk) associated with the tires on the car. To do so, he has initiated some control actions; specifically, he:
- Made an appointment at the garage to buy new winter tires.
- Purchased a tire depth gauge and a tire pressure gauge.
- Scheduled his car for the annual safety inspection.
Bob essentially used three types of controls to minimize future uncertainty in driving to Toronto on time for future consulting commitments.
- By buying the new tires, he corrected the issue – a corrective control
- By buying the tire gauges and committing to using them regularly to assess treadwear against a standard, he will detect any future issues with his tires much sooner – detective controls
- By scheduling his annual vehicle safety inspection immediately, he is ensuring any other issues are identified and solved before they can contribute to a risk manifesting – a preventive control
Bob could have rolled the dice and hoped for great weather for his next several trips until he got around to buying tires, or until an accident or a flat tire forced him to deal with it. However, by avoiding the issue he would have carried the stress of not knowing whether he’d make his required deadlines, and he would have been risking his life and the lives of many others given the likelihood of an accident.
To help prevent, detect, and correct issues within your enterprise, consider the formal management of required internal controls - essentially a list of ‘what should be’ regarding roles, technology, information, and processes. By comparing ‘what should be’ against current state (‘what is’) you will be well positioned to uncover issues, which could help to prevent accidents and missed deadlines. As my mother-in-law always says - ‘a stitch in time saves nine.’
To maximize enterprise effectiveness and efficiency, consider the formal management of internal controls within your enterprise (Internal Control Framework management), as well as the management of issues (Issues Management), possible trigger events (Threat Hunting), and the resulting risks (Enterprise Risk Management).
#riskmanagement