Enterprise risk management needs a proper framework

Directors, sometimes blindsided by other matters, may be sublimely unaware of risk factors in their environment, despite having a controls framework. This can be a minefield for those with governance risk compliance responsibility, which is why a rigorous risk control framework is a vital comfort. It is not possible to know where all the potential risks lie or those to which their managers and staff have paid too little attention.

Individuals with governance and operational risk responsibility do not always appreciate the need for an objective review of each step in an end-to-end process. For CEOs and CFOs of US-listed companies this can be a dangerous oversight, possibly ending in jail time. For those in organisations not listed on a US stock exchange, but who nevertheless have governance responsibility, it will be at the very least embarrassing, possibly leading to resignations.

"Framework managers must be aware of the dangers in both understating and overstating risk mitigation"

To enable proper risk mitigation, it is necessary to recognise those steps in each end-to-end process that identifies the flow, and also any risks needing mitigation. But I have found, quite frequently, that this is overlooked or side-stepped, exposing the organisation to unforeseen, or uncalculated, or unaddressed risk of fraud or loss of public or shareholder confidence. For example, despite solid processes for account set-up, approved product, or authorisation, a risk factor might lie dormant in the approved supplier process, easily concealed, particularly in large, complex multi-site operations or even pan-European organisations with public accountability.

While this leaves the company and its senior directors vulnerable to risk exposure and its consequences, there can be inadequate or untimely address, even in large organisations.

The error of averaging control ratings

In identifying potential risks, it is important to use a criticality matrix and a consistent benchmark in their evaluation. One risk is resolved by one or more controls, each having its own rating. It is a false security to pack a high-risk rating with a low-risk rating to yield an average – yet quite often this is workplace practice. Staff must not be tempted to average the control ratings. Directors need to be aware of such badly-advised shortcuts.

Framework managers must be aware of the dangers in both understating and overstating risk mitigation, which either increases or minimises the number of controls, their severity and their impact on business process efficacy. Overstating a risk mitigation reduces the business's efficiency. Understating it oversimplifies the process and understates the control requirement, with operational impact. Both have consequences of either stifling the business process or over-relaxing the control.

"Directors must ensure that risk mitigation controls are assigned to internal audit, independent auditors or governance consultancies"

Each mitigating control is independent of the perspective that is used to addresses the risk. It may be that one control is perceived as a 'show stopper' – a key control that fails to transact or cannot execute its task. Another mutual control might not be a show stopper itself, but may be important within the overall mitigation of the risk, and may well be shared in addressing other risks.

In constructing a risk-control framework or risk-control self-assessment, I cannot stress enough the importance of addressing each risk individually.

Assign controls

Directors must ensure that risk mitigation controls are assigned to internal audit, independent auditors or governance consultancies, never to the group accountant who is usually responsible for the framework.

The proper application of the control risk framework makes end-to-end process-flow of each step of the process possible, but such application also enables identification of the key controls and more reliable risk evaluation, diminishing potential damage. Yet, often in business practice, there are still too many oversights or shortcuts. Getting it right early saves time, risk exposure, costs and embarrassment.

John Wilkinson is a project management, governance and internal controls specialist at Core Process Controls LLP

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.