IN THIS ISSUE
CSA: A Means to an End
A consulting firm in Canada is using CSA to convince management of the importance of the ERM investment. Your company can too.
By Éric Lavoie, CIA, CCSA, CA
Partner, Lemieux Nolet Consulting
Risk Management and Performance
Canadian-based consulting firm Lemieux Nolet has been helping companies get a handle on their enterprisewide risk through the innovative use of CSA since 2000. As the firm built its clientele, the consultants quickly learned the importance of having everyone throughout the organization — especially managers — take ownership of the risk-management process in their daily jobs. Selling enterprise risk management (ERM) through the use of CSA tools like facilitated workshops and questionnaires has enabled clients to implement controls commensurate to their unique risks.
Lemieux Nolet started using CSA to persuade management to see the virtues cutting across the “silos” of individual business units to evaluate their organization’s risks. Often commissioned by the internal audit department rather than upper management, Lemieux Nolet’s consultants know that the first — and most important — step in the ERM process is to get the company’s top executives on board. This can be a difficult sell. We have found management is often reluctant to invest in ERM unless they are compelled by peer pressure or governance requirements. So we often start performing CSA workgroups at the strategic level and then watch management sell it on down the chain of command. Once management has gone through the process and seen the value at the strategic level, they are more likely to allocate resources to the program.
BREAKING DOWN THE PROCESS
Although the CSA process is anything but simple, keeping it organized — by following a few key guiding principles — has helped Lemieux Nolet consultants build their clientele into the success it is today.
Determine the scope.
Knowing what you’re analyzing is a critical aspect of planning the CSA workshop. To get the most out of a CSA, we often focus on the company’s individual processes rather than business units. Although analyzing a process can be more complex because participants are often from several business units, processes supply more information than individual units. Many companies Lemieux Nolet has worked with have found that using a process view for the risk assessment provides a more complete risk identification and a better CSA because controls can appear at any point during the process. For example, lately we’ve been using a process of planning, allocation, and management of financial resources in a government department. We tried to reconstruct the process universe by involving people from the central head office and multi-level people from different divisions — managers, professionals, and administrative workers. It is not necessary or feasible to involve all of the employees who work in a particular process, but we do target employees from different business units to get a better view of where trouble areas might exist. The quality of the participants, not the quantity, is what matters.
Determine the manager’s role.
Once you’ve decided on the scope, it’s important to establish the manager’s role. If you have chosen to go with the process approach, you might have more than one manager involved. If the manager(s) decide to attend the workshop, ask if he or she will be acting as an observer or a participant. We explain to managers that other participants might be more inhibited if they are there, and come up with a backup plan together in the event that happens. If the manager(s) chooses not to attend, the CSA facilitator will then circle back to the manager(s) with the workshop results.
Choose participants carefully.
The workshop’s success depends on the attendees. Consult with the manager to determine who should be selected to participate in the CSA. You’ll want to ensure that every facet of the process or business unit is represented. We usually limit our workshops to 10 to 15 participants, and we generally use a U-shaped table. Placing participants in succession around a table like that enables the facilitator to go around the table one-by-one to solicit feedback. This technique is especially effective early on in the workshop or when working with participants who are less inclined to speak up.
Lemieux Nolet consultants occasionally suggest splitting the group into two — one with managers and another with the staff — right from the planning stage to give any staff members who may feel intimidated an opportunity to speak freely. The outcome of both sessions would then be combined and the final results given to management.
If management decides to group everyone together at the workshop, there are a number of techniques facilitators can use to draw everyone into the discussion.
- Specify clearly at the beginning of the workshop that the participants have been selected because they all have something to bring to the workshop.
- Ask people to introduce themselves at the beginning of the workshop to encourage them to speak during the workshop.
- Hold a brainstorming session once participants have introduced themselves and are feeling more comfortable. Ask everyone to provide one example of a risk, so everyone gets a chance to be heard.
- Get a consensus on where participants stand on an issue through the use of anonymous voting technology. Good voting technology can evaluate where sub-groups within the workshop (e.g., managers, professionals, and administrative staff) stand on particular issues. In addition to allowing participants to rate risks and controls under the cloak of anonymity, it also highlights the different points of view among members of sub-groups. At the end of the workshop, the facilitator can look at the risk profile of each sub-group, as well as the whole group.
- For the really tough cases, where participants are hesitant to speak candidly, consider adding a separate mini-workshop to get their input or distribute a questionnaire they can fill out. If you choose to distribute a questionnaire, meet with those people afterwards to go over the results.
Provide materials in advance.
At Lemieux Nolet, we prepare kits for the participants and send them out early enough that they have sufficient time to read them and start thinking about the process before the workshop. If you have the luxury of doing two workshops — one to assess the company’s risks and another to evaluate its controls — you’ll need to send out a kit for each workshop. The kit for the first workshop should include a description of the process, an explanation of risk concepts, a risk model, tools for risk identification, and possibly a preliminary list of risks. The kit for the second workshop should summarize what was done in the first workshop and help participants begin assessing to which extent risks are mastered — residual risk — and what are basic risk management choices and techniques.
BEFORE, DURING, AND AFTER: EVALUATING RISKS AND CONTROLS
Planning is a key element throughout the CSA process. The more we do on the front end, the smoother the facilitated workgroup tends to go. With the aim of coming away from the CSA with a clear risk profile in hand, here are some steps we would recommend:
- During the planning stages, define the scope and indicate what participants will be evaluating before they get to the session. We use the toolkit or pre-session interviews for this purpose.
- Brainstorm with the group to identify the risks, using flip charts to capture ideas. Allowing everyone to see all the ideas at the same time is a very effective tool. One creative tool we’ve discovered recently is a flip chart that is in the form of a giant Post-it note pad. After taking copious notes, we can just pull the paper off and stick it to the wall — with no damage to the wall or hassling with tape. Being able to see the notes in front of them keeps the process moving along efficiently.
- Create a risk profile once the risks have been identified by measuring them in terms of impact and likelihood. Lemieux Nolet uses simple assessment scales such as small, medium, high, and very high to rate both dimensions. Companies we have worked with have found using a scale with an even number of choices — to prevent people from choosing the middle, or “neutral” — is a great way to make participants take a stand on issues.
- In between the two workshops, inventory the controls and link them to the risks. This creates a risk-control matrix, a chart with two columns — risks on the left and controls on the right. Use that matrix to inventory the controls that are in place and link each of the controls with the risks to form the inventory of the existing controls.
Use the risk-control matrix to assess how well each risk is mastered — control effectiveness regarding each risk. Look at the control portfolio that is currently in place to assess whether the controls are appropriate, insufficient, or even excessive. Because the risk levels have been measured in terms of impact and likelihood, it is desirable to have a good balance between the risk level and the intensity of controls. Use the following scale to measure both the effectiveness and efficiency of controls:
1: Very low
3: Appropriate (the coverage of the risk is effective and sufficient)
4: Superior (too many controls)
5: Excessive (way too many controls)
If you have too many controls, determine which ones are most cost-effective and do away with the controls that are costing your company more money than they are worth.
Implementing a CSA can be quite difficult, but Lemieux Nolet has found these tools to be immensely helpful in improving their clients’ knowledge about the risks and controls. A successful CSA can help you effectively solve the challenges your company faces.
Lemieux Nolet is a professional services firm operating five offices in Quebec City. In addition to traditional accounting, certification and tax services, Lemieux Nolet provides consulting services in risk management, control, governance, performance improvement and internal auditing. As partner in charge of Lemieux Nolet's consulting practice, Éric Lavoie has been using a participative and CSA approach to deliver value to its clients since 1994 and, focusing on ERM, since 2000.