© Matti Mattila, CPFA, CISA, CIA

Internal Control Vs. Risk Management

To See The Forest From The Trees
Internal risks of a process are prepared for with internal control. However, some risks have more significant consequences than the purely internal risks of a process do - e.g. fire, terrorism and epidemics. These risks apply to numerous processes, which is why it makes sense to treat them with tailored risk responses. A risk response is an action taken to mitigate one or more risks that usually affect one or more processes, and which [risks] by their nature cannot be mitigated effectively and efficiently [solely] with controls built within a process.
It would be a waste of management resources to address risks of all sizes with equal vigour. Managers should concentrate on the risks of greatest concern, i.e. on risks with significant negative consequences. Such risks can be those internal to a process as well as those outside a process. As a result, both internal control and risk management are indispensable in effective risk mitigation.
Determination of risks is the border and the interface between risk management and internal control. As written earlier, the risks of a process are mitigated in accordance with a plan that is put into effect in the internal control structure of the process. However, this is true only when the determination of risks within internal control - the self-correction system of internal control - is effective. If the determination of risks is neglected so badly that an organization is exposed to significant negative consequences because of the risks of the process, a management intervention is a necessity. This is a matter of risk management, too.
Risk Management
Risk management is discussed here only to the degree necessary for understanding its nature and its relation to internal control. A detailed examination of risk management is outside the scope of this document.
Risk management is the determination of, and preparation for, negative events that prevent an organization from achieving its objectives. Negative events include all kinds of events and neglects with negative consequences, including the waste of [good] opportunities [27]. Risk management is a central part of any organization’s strategic management. Its objective is to add maximum sustainable value to all activities of the organization. It should be a continuous and developing process [28]. There are several alternative ways of dividing this process into phases. The following phases of risk management are commonly identified: risk identification, risk analysis, risk evaluation, and risk treatment. In the risk treatment phase an organization tries to influence the consequences and probabilities of the negative events. This is done with risk responses. Risks are treated with the measures considered appropriate in each individual case, taking into account the risk appetite of the organization. Risk appetite is the amount of risk, at a broad level, that an entity is willing to accept in pursuit of value [29].
Risk responses need to be supported by internal control, as stated in COSO ERM [30]: "having selected risk responses, management identifies control activities needed to help ensure that risk responses are carried out properly and in a timely manner". Risk management as a process, in order to be effective and efficient, must have internal control in place, too. Internal control of risk management encompasses, among other things, adopting an attitude that risk management must be taken seriously; ensuring that risk data is current and available to authorized individuals - and only to them; controls to ensure that risk responses take place as planned; and determination of neglects and shortcomings in risk management.


[27] Matti Mattila: Tehtävänä [johtaminen, vastuulla] valvonta [2007], page 23
[28] The Institute of Risk Management, the Association of Insurance and Risk Managers, and ALARM The National Forum for Risk Management in the Public Sector: A Risk Management Standard [2002], pages 2-3
[29] The Committee of Sponsoring Organizations of the Treadway Commission: Enterprise Risk Management - Integrated Framework; Executive Summary Framework, page 19
[30] The Committee of Sponsoring Organizations of the Treadway Commission: Enterprise Risk Management - Integrated Framework; Executive Summary Framework, page 61