Risk Management & Internal Control

This post discusses risk management and internal control: what risk management means, what internal control means, and how internal control serves as a risk management strategy.

WHAT IS RISK MANAGEMENT?

Effective risk management means influencing future outcomes as far as possible by acting proactively rather than reactively. It encompasses identifying, analysing, and responding to the risk factors that form part of the life of a business, and it identifies, assesses, and controls threats to a firm’s capital and earnings. These threats or hazards may arise from several sources, including financial uncertainty, legal liabilities, strategic management errors, accidents, and natural disasters.

Every business and organisation faces the risk of unexpected, harmful events that can cost it money or force it to close. Risk management allows organisations to prepare for the unexpected by reducing risks and the extra costs they bring before they occur. Hence, effective risk management can reduce both the likelihood of a risk occurring and its potential impact.

IMPORTANCE OF RISK MANAGEMENT

Risk management is beneficial to individuals, businesses, and organisations. Effective risk management ensures that risks of high priority are dealt with as aggressively as possible. 

Essential benefits of risk management include:

1. Creates a safe and secure work environment for all staff and customers.

2. Increases the stability of business operations while also decreasing legal liability.

3. Protects from events detrimental to the company and the environment.

4. Protects all involved people and assets from potential harm, and

5. Helps establish a company’s insurance needs to save on unnecessary premiums.

RISK MANAGEMENT STRUCTURE

A risk management structure should do more than identify potential risks. A good risk management structure should also calculate the uncertainties and predict their influence on a business. Consequently, the result is a choice between accepting risks and rejecting them. Risk acceptance or rejection depends on the tolerance levels a company has already defined for itself. 

If a company sets up risk management as a disciplined and continuous process for identifying and resolving risks, the risk management structure should also support the other systems that help mitigate risk: planning, organisation, cost control, and budgeting. In such a case, the business will usually experience few surprises, because the focus is on proactive risk management.

RISK MANAGEMENT STRATEGIES

Risk management strategies should attempt to answer the following questions:

1. What can go wrong?

2. How will it affect the organisation? Consider the probability of the event and whether it will have a large or small impact, for both the workplace as a whole and individual work.

3. What can be done? What steps can be taken to prevent the loss, and what can be done to recover if a loss occurs?

4. If something happens, how will the organisation pay for it?

RISK MANAGEMENT PROCESS

There are five basic steps in managing risks. These steps are known as the risk management process. The steps involved in a risk management process include:

Step 1: Identify the risk

Step 2: Analyse the risk

Step 3: Evaluate and rank the risk

Step 4: Treat the risk – also known as risk response planning

Step 5: Monitor and review the risk

WHAT IS AN INTERNAL CONTROL?

Internal control (sometimes known as an internal safeguard) helps a company run its processes efficiently and effectively. Internal controls are policies, procedures, and technical safeguards that protect a firm’s assets by preventing errors and inappropriate actions. There are several internal control frameworks to assist organisations in facilitating the implementation of regulatory compliance obligations and enterprise risk management (ERM) best practices. 

The best-known framework is the Committee of Sponsoring Organisations of the Treadway Commission (COSO) internal control framework. COSO defines internal control as a process designed to provide reasonable assurance that a firm’s operations are effective and efficient, its financial disclosures are reliable, and it meets its regulatory compliance objectives.

Sound control helps to assure business continuity, prevent costly errors, avoid irregularities, prevent fraud, and maintain the integrity of financial statements and accounting records. Well-designed controls can empower your company to achieve its established objectives. Conversely, missing or poorly designed controls can result in inefficient processes, low productivity, costly errors, and fraud.

IMPORTANCE OF INTERNAL CONTROLS

Internal control enables a firm to:

1) Improve transparency throughout the enterprise,

2) Promote accountability in every process and business unit,

3) Promote ethical behaviour,

4) Identify problems and take corrective action,

5) Improve employee and firm productivity,

6) Maintain regulatory compliance,

7) Protect the company’s reputation and brand value, and

8) Retain more customers and maintain an excellent competitive position.

RISK MANAGEMENT AND CONTROL

The Board of Directors, assisted by the Audit Committee, is responsible for monitoring and assessing the effectiveness of the company’s internal control and risk management systems. Internal control and risk management ensure that the company’s operations are effective, that financial and other information is reliable, and that the company complies with the relevant regulations and operating principles. Internal audit assists the Board of Directors with its monitoring responsibility by ensuring that the group’s control measures have been planned and set up effectively.


TYPES OF INTERNAL CONTROLS

Internal controls fall into three categories: preventive, detective and corrective controls. Let us discuss these three types of internal controls.

1. PREVENTIVE CONTROL: Preventive internal controls are aimed at preventing an adverse event from occurring. Preventive controls avoid issues before they occur, including accounting errors, material misstatements, fraud, or cyberattacks. 

2. DETECTIVE CONTROL: Detective internal controls detect an error or problem after it has occurred. They find errors and irregularities that have already happened. They are essential because they show whether preventive controls are operating as intended, and they help improve process quality and prevent the recurrence of errors.

3. CORRECTIVE CONTROL: Corrective internal controls are, by nature, specific to a firm’s typical flaws and risks, which have previously been identified through comprehensive risk assessments or detective controls such as audits. Corrective internal controls are often implemented after an internal problem has been detected, and they include disciplinary action, report filing, software patches or modifications, and new policies.

COMPONENTS OF AN INTERNAL CONTROL SYSTEM

The COSO internal control framework consists of five components that work together to create an effective system of internal controls. The Committee of Sponsoring Organisations of the Treadway Commission is an organisation that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. 

According to COSO, the five components of a sound internal control system are:

1. Control environment,

2. Risk assessment,

3. Control activities,

4. Information and communication, and

5. Monitoring activities.

BENEFITS OF INTERNAL CONTROLS

Advantages of internal controls include:

1. Serve as an early warning system to identify issues before they become big problems.

2. Prevent fraud: robust internal controls deter employees from misconduct.

3. Avoid external audit findings and regulatory fines.

4. Protect the effectiveness and efficiency of operations.

5. Identify and correct internal control problems on a timely basis.

6. Prepare reliable and accurate financial statements, and

7. Assure compliance with applicable laws and regulations.

SCOPES OF INTERNAL CONTROL

The following are the main areas which are generally covered by a sound internal control system:

1. Cash: Internal control mechanisms can be applied to the company’s payments and receipts to avoid misappropriation.

2. Sales and Purchase Control: An efficient control system ensures that purchase and sales transactions are properly handled, strengthening a firm’s internal control.

3. Financial Control: Financial control ensures a sound accounting, recording and supervision system.

4. Employees’ Remuneration: An effective internal control system ensures good record keeping to avoid corruption and misappropriation.

5. Capital Expenditure: The internal control system ensures a thorough assessment of capital expenditure and supervision of project execution.

6. Inventory Control: Inventory control ensures efficient inventory handling, record keeping, and asset management.

7. Investment Control: The internal control system ensures thorough documentation and assessment of a firm’s investment portfolio.

INTERNAL CONTROL PROCEDURES

A firm’s internal control procedures should be sound and robust. Here are the seven internal control procedures:

1. Separation of duties,

2. Access controls,

3. Physical audits,

4. Standardised financial documents,

5. Periodic trial balances,

6. Periodic reconciliations, and

7. Approval authority.

RISK MANAGEMENT AND INTERNAL CONTROL PLAYERS

The board and all employees must be involved in a company’s risk management and internal control activities. Here are the key players in a firm’s risk management and internal control activities:

1. Executive management or executive board

2. Board of Directors or the supervisory board

3. The audit committee

4. The risk manager

5. Internal audit

6. Employees


THREE LINES OF DEFENSE (3LD) MODEL

The Institute of Internal Auditors published a global position paper titled ‘The Three Lines of Defense in Effective Risk Management and Control’ in 2013. The concept has remained sufficiently important that a further position paper was published in June 2017 by the Chartered Institute of Internal Auditors, titled ‘The Three Lines of Defense’.

The Three Lines of Defense approach is increasingly adopted by organisations to establish risk management capabilities across the business. It is often referred to as the 3LD model.

The 3LD model distinguishes business functions between those that own and manage risk (the “risk owner” and the “risk manager”, i.e. the parts that deal directly with risk), those that oversee risk, and those that provide independent assurance. These functions are essential to Enterprise Risk Management (ERM) in organisations across diverse sectors.

The three lines of defense model is an organisation’s internal defense model, which can be summarised as follows:

1. THE FIRST LINE OF DEFENSE

The first line of defense is implemented by the unit, component or business function that performs daily operational activities, especially those on the organisation’s front lines. It is formed by the managers and staff responsible for identifying and managing risk as part of their accountability for achieving objectives. Collectively, they should have the necessary knowledge, skills, information, and authority to operate the relevant risk control policies and procedures.

This requires understanding the company, its objectives, the environment in which it operates, and the risks it faces. In this case, they are expected to:

• Ensure a conducive control environment in their business unit.

• Execute effective internal control in their business units, including the monitoring process, and maintain transparency in internal control.

• Implement risk management policies within their roles and responsibilities, especially in activities that lead to corporate growth. They are expected to be fully aware of the risk factors that should be considered in every decision and action.

2. THE SECOND LINE OF DEFENSE

Risk management and compliance functions execute the second line of defense, typically organised as structured units such as a risk management department or a compliance unit. The second line provides the policies, frameworks, tools, techniques and support that enable risk and compliance to be managed in the first line, conducts monitoring to judge how effectively the first line is doing so, and helps ensure consistency in the definition and measurement of risk.

In this case, they are expected to:

• Be responsible for the development, monitoring and implementation of the company’s overall risk management.

• Monitor and ensure that all business functions operate under the company’s risk management policies and standard operating procedures, and

• Monitor and report the company’s risk exposure to the department with the highest accountability.

3. THE THIRD LINE OF DEFENSE

Auditors, both internal and external, implement the third line of defense. Within the company it is provided by internal audit, and the Audit Committee reports to the board. The Audit Committee takes a risk-based approach to evaluate the effectiveness of the governance, risk management and internal control established by the organisation’s governing body and senior management. It can also assure sector regulators and external auditors that appropriate rules and processes are in place and are operating effectively. The third line of defense plays a vital role by ensuring that the first two lines operate effectively and by advising how they could be improved.

The role of the internal auditor is much more intense in the Three Lines of Defense model, because internal audit is the part of the company that is independent by design. In this case, the internal auditors are expected to:

• Review and evaluate the design and implementation of risk management holistically, and

• Ensure the effectiveness of the first and second lines of defense.

For public companies in countries that embrace a “two-board system”, the Three Lines of Defense model is implemented within a governance structure in which the company’s directors have executive accountability and the board of commissioners (BOC) has oversight accountability. In addition to the regulatory requirements, the Board of Directors has an internal audit unit as part of the company’s controls, and the BOC has an audit committee as part of its accountability mechanisms.

IMPLICATIONS OF THE THREE LINES OF DEFENSE FOR RISK MANAGEMENT AND INTERNAL CONTROL

The Three Lines of Defense model ensures the integration of internal control and risk management across a firm’s units and departments, including:

1. THE BOARD OF DIRECTORS: The Board of Directors defines the strategy, approves the risk policy and appetite, and supervises risk management, monitoring the performance of the duties delegated to the Executive Committee.

2. THE EXECUTIVE COMMITTEE: The Executive Committee establishes and implements high-level controls, fosters organisational culture and commitment to internal control, and defines reporting lines and internal control powers and responsibilities.

3. THE CHIEF RISK OFFICER: As a member of the Executive Committee, the Chief Risk Officer ensures that discussions about risk are consistent and effective at all levels. The Risk Management Committee, which often includes non-executive Board members, is responsible for monitoring the company’s principal risks; evaluating the compliance with the tolerance levels and the execution and effectiveness of decided mitigation actions; assessing the firm’s internal control and risk management systems; issuing reasonable opinions and recommendations; and evaluating compliance with the company’s risk management policy.

4. THE AUDIT BOARD: The role of the Audit Board is to monitor the effectiveness of the internal control and internal auditing systems and assess the functioning of the internal systems and procedures yearly, thereby contributing to enhancing the internal control environment. As part of its supervisory function, the Audit Board monitors the work plans and resources assigned to the Internal Audit and Legal and Governance Departments and receives periodic reports from departments. The Audit Board also assesses the annual strategic guidelines and risk policy the Board of Directors established.

5. EXTERNAL AUDITOR: The external auditor is responsible for auditing the company’s accounting and internal control systems and making recommendations to the stakeholders, including the Executive Committee, the Board of Directors and the Audit Board. Although the External Auditor is outside the organisation, it plays an essential role in the company’s accounting and internal control system.

6. RISK MANAGEMENT DEPARTMENT: The risk management department is responsible for implementing the internal control system between the company bodies, departments and committees to achieve the organisation’s goals and objectives.

7. THE LEGAL AND GOVERNANCE DEPARTMENT: The Legal and Governance Department establishes ethical and compliance controls. It monitors the internal control system by conducting internal inquiries, audits or risk assessments on ethics and compliance matters, and by performing due diligence on the same issues for relevant partners and transactions.

8. THE LOCAL RISK OFFICERS: Unit or Department Risk Officers assist the organisation’s business units, which are responsible for identifying, assessing and managing the risks in their respective areas in line with risk management standards. They are also responsible for incorporating risk information into decision-making processes and ensuring compliance with the approved risk management policies and procedures.

ROLES OF INTERNAL AUDIT IN RISK MANAGEMENT

In today’s world, processes and operations have become more complex, and new risks have emerged. Organisations are trying to give more consideration to risk management; however, they often struggle to differentiate the internal audit function from the risk management function. The best approach is to have separate internal audit and risk management functions. Still, operationally this is difficult to implement, time-consuming and costly.

Most organisations have an internal audit function but not a risk management function. Therefore, in organisations without a practical risk management function, the internal audit function takes on the risk function. The three lines of defense in a practical risk management control framework are operational management as the first line, risk management as the second line, and internal audit as the third line, responsible for entity-wide assurance. The primary role of internal audit in risk management is to provide assurance that the risk management process is effective.

Where internal audit also takes on the risk function, its role in risk management is consultative: it assesses and monitors the company’s risks in order to recommend appropriate risk mitigation controls, and it assesses the system of internal controls and the governance processes in the organisation.

ENHANCING ENTERPRISE RISK MANAGEMENT THROUGH INTERNAL AUDIT

Here are eight primary steps internal audit teams can take, in collaboration with stakeholders, to manage a firm’s risk:

1. Ensure collaboration among the three lines of defense

2. Adopt a risk management methodology or framework

3. Establish an Operational Risk Management function and a Chief Risk Officer (CRO)

4. Conduct continuous monitoring and assessments

5. Perform test-of-design (ToD) and test-of-operating effectiveness (ToE) for high-risk controls, processes, and functions

6. Achieve line-of-business collaboration and consensus on findings and recommendations

7. Help foster a positive corporate culture and tone-at-the-top

8. Consider external factors that could encourage excessive risk-taking


See the full video on Risk Management & Internal Control: https://youtu.be/hosHGBH1r6o

VIDEO TIMESTAMPS

00:00 – Introduction
01:45 – Risk management
03:13 – Importance of risk management
05:14 – Risk management structure
06:05 – Risk management strategies
06:43 – Risk management process
10:37 – Limitations of risk management
13:07 – Internal control
15:22 – Importance of internal controls
16:09 – Risk management and control
16:47 – Types of internal controls
17:02 – – Preventive control
18:14 – – Detective control
19:06 – – Corrective control
20:23 – Components of an internal control system
25:30 – Benefits of internal controls
27:43 – Scopes of internal control
28:58 – Importance of monitoring an internal control
30:02 – Internal control procedure
33:55 – How to implement internal controls
42:12 – Risk management and internal control players
47:50 – The three lines of defense model
52:57 – Implications of the three lines of defense for risk management and internal control
59:00 – Roles of internal audit in risk management
1:02:22 – Enhancing enterprise risk management through internal audit
1:11:23 – Limitations of internal controls
1:14:50 – Conclusion
