Can Risk Management Build Internal Controls?

Using risk management techniques is an important component in creating the internal control required for compliance with Sarbanes-Oxley (SOX) Section 404.  Risk management includes all the activities associated with identifying and reducing risk, as well as coping with negative events should they occur.  Identifying risks and creating systems and safeguards to ameliorate them is one way to create a basic internal control system.

The Stages of Effective Risk Management

Risk management can seem like an overwhelming and daunting task – but only if you try to envision, predict, and prevent every imaginable risk all in one swipe.  The trick to successful risk management is to break it down into manageable stages and tasks.  Using a continual improvement method, identify and mitigate high priority risks first, and then continually improve your risk management by regularly reviewing and prioritizing risks and addressing them according to your organizational needs.

The basic steps of risk management include:

1. Understand the Mission
2. Perform risk assessment to identify and categorize risks
3. Prioritize risks and activities
4. Design processes, training, and checks/metrics (controls) for top level risks
5. Monitor internal control effectiveness and improve as required
6. Repeat steps 2-5

Methodical Risk Assessment Leads to Proper Internal Controls

The first step in conducting effective risk management is understanding the mission.  Clearly identifying and articulating the mission makes recognizing the risks to mission success much easier and much more effective.  In terms of Sarbanes-Oxley and SOX Section 404 – understanding the mission is easy.  The SOX mission is to create accurate financial statements and avoid a material misstatement.

Once you identify the mission, begin risk assessment by listing the possible risks to accurate financial statements (i.e. improperly listing assets).  There are several approaches to listing possible risks, but the most effective ones employ a methodical technique.  For example, for financial statements a methodical risk assessment approach could be to identify inputs to your financial statements, and then work backwards to consider input sources, processes, etc;, listing possible reasons for incorrect information.  It also might be useful to consider typical categories of risk such as system/process problems or weaknesses, human error, and fraud.

Prioritize Risks to Determine Internal Control Activities

When trying to assess possible risks the goal is to be exhaustive.  You may end up with a sizable list, but that is an expected risk assessment outcome - don’t let it intimidate you.  Think of it as useful information.  It is unlikely that you will be able to address all the listed risks from your risk assessment at once.  The goal should be to identify high priority risks and focus on those first.   Now you are creating an internal control system that complies with Section 404 Sarbanes Oxley.

Fig. 1: List risks, and then plot them according to impact and likelihood

Creating a matrix or graph of risks by likelihood versus impact is a great tool in finishing the risk assessment task and moving toward risk management.  For example, you could have the risk/internal control committee rank every risk item on the list for probability and impact.  Then average them and plot them as R1, R2, R3, etc;, as they are plotted on Figure 1.   Obviously, after plotting risks, those with highest probability of occurrence and the highest potential impact (or in terms of financial statements – materiality) should be addressed first.

How many risks are addressed at one time depends on the size and capability of the organization.  A large organization with lots of resources might focus risk management on the top 12 or 15.  A small organization might only be able to set a goal of attending to the top three or top six risks in the first pass.

Managing Risk with Internal Controls

Now that you have identified the most important risks to manage, the next step is to identify the best way to mitigate them. A typical method is to create well-defined processes that help minimize the risk.  The process should account for the inputs, outputs, as well as process activities, but the process should also incorporate metrics and check-steps.  This builds in the capacity to monitor the process’ effectiveness right into the process itself.  Once your process is defined, then it is communicated through policies and procedures, training, and work instructions.  We will go into more detail about the role of policies and procedures for a SOX Section 404 internal control system in next week’s article.

Continually Improving Risk Management and Internal Controls

Once in place, processes should be monitored by regularly verifying that process checks are functional and that process metrics demonstrate effectiveness.  Corrections are made as required. Once these processes are fully operational and demonstrated effective, it is time for Step 6: repeat the risk assessment / risk management process in order to address the next level of risks. Be sure to begin with listing and plotting risks at the start of every iteration. (It will be easier each time through.)  Internal situations and operational environments change over time, so risks and their priorities change as well.

If you are having trouble envisioning your internal control system, risk management techniques can get the ball rolling.  These risk management activities also improves other components of an internal control system as listed by COSO:  the Control Environment, Control Activities, Information and Communication, and Monitoring.  Congratulations, you are slowly and surely building an effective internal control system by prioritizing and addressing your risks.

    Email     Print    RSS

Posted on Monday, November 10th, 2008 under Internal Control