Assessing Controls Over Operational Risks

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


“Operational Risks” and “Operational Objectives” have been defined in a number of ways. For example, the COSO Enterprise Risk Management–Integrated Framework talks about Operational Objectives as relating to the “effective and efficient use of its resources.” The latest draft of the COSO Internal Control–Integrated Framework (ICF) has somewhat longer language: “Operational Objectives… pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.”

Operational risks would then, I presume, be risks to the achievement of the organization’s objective(s) to be effective and efficient.

More common in my experience is the use of "operational risk" to refer to matters that arise from the normal course of running the business. For example, the Basel Committee on Banking Supervision’s Sound Practices for the Management and Supervision of Operational Risk (2011) has this: “Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.”

Whichever you like, my process for assessing the adequacy of controls over these risks is the same as I described in my earlier post on How to Assess the System of Internal Control.

“An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories.” (COSO ICF updated 2012 draft, paragraph 86)

In order to achieve this, you need:

  1. Clearly defined objectives
  2. A well-executed risk assessment that defines the risks to achievement of objectives
  3. Definition (which is preferably formal) of the level of risk that management and the board are willing to accept
  4. A combination of controls that provides reasonable assurance that the above-defined risks are within the above-defined acceptance levels
  5. An efficient combination of controls

How does the latest draft of the COSO ICF tackle this? I confess to being surprised when I read this in paragraph 22:

“achievement of operations objectives — such as a particular return on investment, market share, or entry into new product lines — is not always within the organization’s control. Internal control cannot prevent bad judgments or decisions, or external events that can cause an organization to fail to achieve operational goals. For these objectives, systems of internal control can only provide reasonable assurance that management and the board are made aware, in a timely manner, of the extent to which the entity is moving toward those objectives.”

While the first two sentences are true, I think the conclusion drawn in the last sentence is incomplete and may mislead.

“Bad judgments or decisions” cannot be totally prevented by internal controls, whatever the objective — whether operational, reporting, or compliance. That is why we say that internal control can only provide reasonable assurance.

But even for operational objectives and operational risks, the key is an effective set of processes for identifying (i.e., understanding), analyzing, evaluating, and treating the risks.

If the risk management program is effective (not perfect, but reasonable), and the combination of internal controls provides reasonable assurance that identified operational risks are at acceptable levels, then the system of internal control can be considered effective.

Do you agree? I welcome your perspectives and commentary. 

Posted on Oct 26, 2012 by Norman Marks


  1. Norman:

    Not surprisingly I don't agree with the COSO statement above. Risk management is fundamentally about increasing certainty/reducing uncertainty objectives will be achieved - all types of objectives including capturing X% of market share, reducing unnecessary costs, customer service, product quality, preventing fraud, and others.

    The terms "efficient and effective operations" were invented by auditors (like the authors of COSO) and create an unnecessary and low value distinction that implies controls are primarily about financial statements and compliance not helping their organizations achieve key value creation objectives and avoiding major value erosion events.

    What the board should be made aware of is the composite uncertainty attached to all important business objectives. This is something that is not currently done well with respect to the objective of "ensure reliable external financial disclosures" and rarely done by internal auditors on key value creation objectives linked to strategic plans. This needs to change.

  2. I agree to a certain extent as no system is fool-proof; therefore "effective" is all we can reasonably expect to achieve. No amount of internal controls can eliminate risk completely as it is run by humans (I hope) and therefore subject to human error, perspective and the like. Unfortunately internal controls can be circumvented and, as I have seen too many times, too many factors play in whether or not these failures are detected in time or even detected at all. I have instances where the limits imposed by headquarters for large purchases were circumvented by splitting the purchase into separate purchases, and a very large piece of equipment was purchased without the knowledge of headquarters by purchasing it in "parts", so even when internal controls were actually effective they were not necessarily fool-proof when deceit was involved. I have encountered too many instances where the controls were effective and well designed; therefore these instances where the IC were circumvented were eventually caught by others, BUT only because those performing the analysis in HQ had experience, had attention to detail and really understood where the numbers came from, so it all goes back to the human factor rather than the system being fool-proof. I think it is important to realize that all these (COSO, internal controls, etc.) are after all guidances, systems, etc. that are SUBJECT to human nature and therefore nothing is fool-proof, perfect, devoid of risk, etc.

  3. What matters within the framework of the BASLE committee definition of operational risk that excludes strategic and reputational risk means quantification of the operational capital charge for financial statement auditors. This further includes executive compensation issues within the operating expenses of the financial statement. Senior management and the Board of Directors have financial statement auditors sign off utilizing the threshold figures based on the risk assessment performed by the audit firm. The same audit firm does not have the obligation to share their quantification of risk assessment and professional liability assessment with the professional internal auditor, yet the internal auditor has to share everything with financial statement auditors since senior management or the Board cannot deal with an unsigned or qualified opined financial statement. Whereas, the internal auditor who blew the whistle in the case of Enron or other companies ends up becoming a legend carved in stone. Nothing more or nothing less. Independent validation work by specialists is clearly defined to exclude strategic and reputational risk assessment also. All in all, strategic risk and reputational risk end up becoming a piece of data item for only those who want to see it and not for investors or the public or those who may have an inclination to review such data items on an ongoing basis to help their own decision making process.

  4. I have to admit that I'm also surprised at the COSO ICF choice of wording. I agree that information and communication are key to an effective control framework, but it's an oversimplification to focus on those two areas. Yes, achievement of many business goals is not within the entity's control; however, a proper ERM program should be in place to ensure unmitigated risks are within the entity's risk appetite. To me, the key is knowing that top Management and the Board have accepted the risks being taken, not just made aware of them through information and communication. If there is acceptance of these unmitigated risks at the proper level, and the goals are clearly defined and being measured for achievement, then one can conclude that controls are adequate. Every business takes risks, and many will have negative outcomes, but that hardly means the business is out of control.

  5. While I agree with the comments made here, I do think we tend to pick on COSO a little too much. Perhaps our audit mentality has something to do with that, not sure? ;)

    For the most part, there's nothing COSO has said that should mislead anyone as to what the basic principles of risk management are. They could be a little clearer with specific language, and yes, I do like the ISO framework better as it seems more intuitive, but remember, they are creating frameworks for all types of entities and I think it's up to those specific sectors to shape the details so it works for them. I just don't think it's a valuable exercise to 'word smith' COSO, when 99% of their work is excellent.

    As for Norman's original question, "assessing controls over operational risks", I think it's often beyond the scope of a typical internal auditor. You really require subject matter experts to properly identify and evaluate the true risks. Without a detailed knowledge of the operations, there's a good chance you'll miss something and an even greater chance that the operating department won't find you credible. It's not enough to look at simply what controls management has implemented to reduce operational risk to an acceptable level; you have to have the specialized knowledge to be able to assess 'what controls are NOT there'.

  6. If one accepts that internal auditors are experts in matters of management control (the 17 COSO IC framework principles), then internal auditors, properly trained and supervised, are in the best possible position to evaluate control (mitigation) of risk, be it operational, compliance, or financial. The premise is not that the internal auditor is "expert" in operational risk, but rather that the internal auditor is "expert" in evaluating how well management has exercised its obligation to identify and mitigate risk by applying the 17 principles of management control (I prefer that term to “internal control”, which calls to mind the 20th century concept that “controls” were activities like dual signatures and segregation of duties).

    The system of internal control is designed adequately and operating effectively if the 17 principles are present. That also implies that in the normal course of events, management is made aware timely of adverse circumstances that exceed its risk tolerance, and timely corrective measures are taken to bring events back within the risk tolerance level and not permitted to become persistent or pervasive. That meets the criteria – a process that understands, analyzes, evaluates, treats.

  7. I am fully supportive of a total advocate of what Tim Leech said in his comments: "The terms "efficient and effective operations" .... implies controls are primarily about financial statements and compliance not helping their organizations achieve key value creation objectives and avoiding major value erosion events." I think internal auditors could be a lot more helpful and relevant to an organization if they did more reviews or audits on risks that prevent attainment of agency goals, degree of use of industry best practices, and did more audits and advisories to assess and improve key business practices. Tom

  8. Sorry, but "efficient and effective operations" is NOT limited to financial reporting. It applies to manufacturing, sales, logistics, and even internal audit. It is about the objectives of (for example) manufacturing a high quality product with limited rework and scrap.
