Is Risk Management Part of Internal Control or Is It the Other Way Around?
Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.
There is a very clear relationship between internal control and risk management.
Basically, internal controls provide reasonable assurance that risks to the achievement of organizational objectives are at acceptable levels. (The organizational objective when it comes to financial reporting is to provide financial statements that are free of material omission or error.)
So, you need risks to be identified, understood, and assessed (against levels defined as acceptable) before you know what controls you need.
At the same time, you need controls to manage those risks and ensure they are at and remain at acceptable levels.
Does the process start with risk? Actually, the process starts with the setting of objectives. If the wrong objectives are set, the organization is highly unlikely to deliver best value to its stakeholders. Risks, or at least the risks that matter, are identified and assessed in relation to the objectives, so setting the objectives is a pre-condition.
So, objective-setting is a pre-condition to risk management and risk management is a pre-condition to internal controls.
Is that right? While COSO has both internal control and enterprise risk management frameworks, the processes of identifying and assessing risks to objectives are included in the internal control framework! (Although objective-setting is an assumed pre-condition.)
Add to that the fact that the COSO enterprise risk management framework encompasses and expands their internal control framework — so, is internal control part of risk management? (By the way, if you examine the global standard on risk management (ISO 31000: 2009), it talks about controls but not in detail. It spends more time talking about whether the controls have left the risk at an acceptable level and whether additional risk treatment is needed (including additional or changed controls).)
Now that is confusing! Risk management is part of the COSO internal control framework and internal control is included in their enterprise risk management framework.
Let me add to the confusion.
There are risks to the setting of objectives (such as failing to have reliable information on the competitive business environment), and there are controls to manage those risks (such as ensuring that reliable information on competitors and the market in general is obtained and provided to those setting objectives)! Neither of these facts is recognized in either of the COSO frameworks, but that doesn't make them any less true — or important.
When assessing either risk management or internal control, it would be a mistake (in my view) to ignore risks and controls related to objective-setting. I understand that COSO has, for convenience and simplification purposes, assumed objective-setting as a pre-condition. But, the management of risks and controls related to objective-setting is perhaps the most important of all, as they establish the direction of the entire organization.
And... there are risks to effective risk management! This is frequently overlooked and poorly addressed. For example, one risk is that key managers do not include the consideration of risk in their decision-making. Another is that the information used to assess risks is incorrect. There should be controls to address these risks!
And... there are risks to the operation of controls — such as the inability to retain competent personnel. These are addressed by indirect entity-level controls within components of the internal control framework such as Control Environment, Information and Communication, and Monitoring.
At the end of the day, it doesn't really matter whether, in theory, internal control is part of risk management or the other way around. What is important is understanding the relationships between all these activities and making sure your organization is handling them well.
In purely practical terms:
- Understand the relationships between objective-setting, the management of risks to those objectives, and the internal controls that manage those risks to acceptable levels.
- Understand that it is important to identify, understand, and manage risks to the setting of objectives, and that is achieved by effective related internal control. (One way of thinking is that the setting of appropriate objectives is itself an organizational objective.)
- Ensure you have an effective set of processes for identifying, understanding, and assessing risks to the setting and achievement of objectives.
- Understand the risks related to your risk management process.
- Understand what levels of risk are acceptable.
- Ensure that the assessment of risk compared to acceptable levels is an integral part of running the organization and making decisions every day.
- Ensure that you have the right, efficient and effective combination of internal controls to manage risks to objective-setting, risk identification and assessment, and then the achievement of objectives. This should include understanding and treating, as necessary, risks to the operation of internal controls.
- Select frameworks that work well for you. I personally like the ISO risk management standard and the COSO internal control framework.
Have I confused or clarified? Do I have this wrong?
Do you agree that we often fail to identify risks to objective-setting and to risk management?
I welcome your views and comments.
Posted on May 27, 2013 by Norman Marks