Enterprise risk management needs a proper
Directors, sometimes blindsided by other matters, may be sublimely unaware of risk factors in their environment, despite having a controls framework. This can be a minefield for those with governance, risk and compliance responsibility, which is why a rigorous risk control framework is a vital comfort. It is not possible to know where all the potential risks lie, or which of them their managers and staff have paid too little attention to.
Individuals with governance and operational risk responsibility do not always appreciate the need for an objective review of each step in an end-to-end process. For CEOs and CFOs of US-listed companies this can be a dangerous oversight, possibly ending in jail time. For those in organisations not listed on a US stock exchange, but who nevertheless have governance responsibility, it will be at the very least embarrassing, possibly leading to
To enable proper risk mitigation, it is necessary to recognise the steps in each end-to-end process that identify the flow, and also any risks needing mitigation. But I have found, quite frequently, that this is overlooked or side-stepped, exposing the organisation to unforeseen, uncalculated or unaddressed risk of fraud, or of loss of public or shareholder confidence. For example, despite solid processes for account set-up, approved products or authorisation, a risk factor might lie dormant in the approved supplier process, easily concealed, particularly in large, complex multi-site operations or even pan-European organisations with
While this leaves the company and its senior directors vulnerable to risk exposure and its consequences, the problem is often addressed inadequately or too late, even in large organisations.
The error of averaging control ratings
In identifying potential risks, it is important to use a criticality matrix and a consistent benchmark in their evaluation. One risk is resolved by one or more controls, each having its own rating. It is a false security to combine a high-risk rating with a low-risk rating to yield an average, yet quite often this is workplace practice. Staff must not be tempted to average the control ratings. Directors need to be aware of such badly-advised
Framework managers must be aware of the dangers in both understating and overstating risk mitigation, which respectively reduces or increases the number of controls, their severity and their impact on business process efficacy. Overstating risk mitigation reduces the business's efficiency. Understating it oversimplifies the process and understates the control requirement, with operational impact. The consequence is either a stifled business process or an over-relaxed control.
Each mitigating control is independent of the perspective that is used to address the risk. It may be that one control is perceived as a 'show stopper', a key control that fails to transact or cannot execute its task. Another, mutual control might not be a show stopper itself, but may be important within the overall mitigation of the risk, and may well be shared in addressing other risks.
In constructing a risk-control framework or risk-control self-assessment, I cannot stress enough the importance of addressing each risk individually.
Directors must ensure that risk mitigation controls are assigned to internal audit, independent auditors or governance consultancies, never to the group accountant who is usually responsible for the framework.
Proper application of the control risk framework makes it possible to map the end-to-end flow of a process step by step; it also enables identification of the key controls and more reliable risk evaluation, reducing potential damage.
Yet, often in business practice, there are still too many oversights or shortcuts. Getting it right early saves time, risk exposure, costs and embarrassment.
John Wilkinson is a project management, governance and internal controls specialist at Core Process Controls LLP.