Is Risk Management Part of Internal Control or Is It the Other Way Around?

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


There is a very clear relationship between internal control and risk management.

Basically, internal controls provide reasonable assurance that risks to the achievement of organizational objectives are at acceptable levels. (The organizational objective when it comes to financial reporting is to provide financial statements that are free of material omission or error.)

So, you need risks to be identified, understood, and assessed (against levels defined as acceptable) before you know what controls you need.

At the same time, you need controls to manage those risks and ensure they are at and remain at acceptable levels.

Does the process start with risk? Actually, the process starts with the setting of objectives. If the wrong objectives are set, the organization is highly unlikely to deliver best value to its stakeholders. Risks, or at least the risks that matter, are identified and assessed in relation to the objectives, so setting the objectives is a pre-condition.

So, objective-setting is a pre-condition to risk management and risk management is a pre-condition to internal controls.

Is that right? While COSO has both internal control and enterprise risk management frameworks, the processes of identifying and assessing risks to objectives are included in the internal control framework! (Although objective-setting is an assumed pre-condition.)

Add to that that the COSO enterprise risk management framework encompasses and expands its internal control framework — so, internal control is part of risk management? (By the way, if you examine the global standard on risk management (ISO 31000:2009), it talks about controls but not in detail. It spends more time talking about whether the controls have left the risk at an acceptable level and whether additional risk treatment is needed (including additional or changed controls).)

Now that is confusing! Risk management is part of the COSO internal control framework and internal control is included in their enterprise risk management framework.

Let me add to the confusion.

There are risks to the setting of objectives (such as failing to have reliable information on the competitive business environment), and there are controls to manage those risks (such as ensuring that reliable information on competitors and the market in general is obtained and provided to those setting objectives)! Neither of these facts is recognized in either of the COSO frameworks, but that doesn't make them any less true — or important.

When assessing either risk management or internal control, it would be a mistake (in my view) to ignore risks and controls related to objective-setting. I understand that COSO has, for convenience and simplification purposes, assumed objective-setting as a pre-condition. But, the management of risks and controls related to objective-setting is perhaps the most important of all, as they establish the direction of the entire organization.

And... there are risks to effective risk management! This is frequently overlooked and poorly addressed. For example, one risk is that key managers do not include the consideration of risk in their decision-making. Another is that the information used to assess risks is incorrect. There should be controls to address these risks!

And... there are risks to the operation of controls — such as the inability to retain competent personnel. These are addressed by indirect entity-level controls within components of the internal control framework such as Control Environment, Information and Communication, and Monitoring.

At the end of the day, it doesn't really matter whether, in theory, internal control is part of risk management or the other way around. What is important is understanding the relationships between all these activities and making sure your organization is handling them well.

In purely practical terms:

  1. Understand the relationships between objective-setting, the management of risks to those objectives, and the internal controls that manage those risks to acceptable levels.
  2. Understand that it is important to identify, understand, and manage risks to the setting of objectives, and that is achieved by effective related internal control. (One way of thinking is that the setting of appropriate objectives is itself an organizational objective.)
  3. Ensure you have an effective set of processes for identifying, understanding, and assessing risks to the setting and achievement of objectives.
  4. Understand the risks related to your risk management process.
  5. Understand what levels of risk are acceptable.
  6. Ensure that the assessment of risk compared to acceptable levels is an integral part of running the organization and making decisions every day.
  7. Ensure that you have the right, efficient and effective combination of internal controls to manage risks to objective-setting, risk identification and assessment, and then the achievement of objectives. This should include understanding and treating, as necessary, risks to the operation of internal controls.
  8. Select frameworks that work well for you. I personally like the ISO risk management standard and the COSO internal control framework.

Have I confused or clarified? Do I have this wrong?

Do you agree that we often fail to identify risks to objective-setting and to risk management?

I welcome your views and comments.

Posted on May 27, 2013 by Norman Marks


  1. Norman: I think you have correctly described at least some of the confusion that COSO creates in the area of objective setting's role in an IC framework. The confusion has been pointed out in detail to COSO in a number of comment letters. COSO has decided for unknown reasons to reinforce and confirm that they believe setting and communicating objectives is a precondition to internal control. This is described in a fairly confusing way in the 2013 framework. On the technical front I prefer the term "risk treatments" to "internal controls" as it encourages much broader analysis of how the risks are managed. I would also like to see an international, globally accepted and useful "risk treatment framework" emerge to help users consider the full range of risk treatments when completing risk assessments. An IIA presentation I made on the subject can be found at:

     I believe the hierarchy of what is a subset of what is best described as:

     Corporate Governance framework - the really big picture

     ERM framework - how objectives are set and managed to an acceptable level of residual risk

     Risk treatment frameworks (which includes as one element what has traditionally been called internal controls)

     COSO asks us to believe that it is possible to conclude on the question of whether an organization does, or does not, have effective "internal control" without evaluating whether an organization has effective ERM or effective governance, and use this information for SOX 404 reporting. Commissions that studied root causes of the 2008 global crisis disagree and so do I.
  1. Simply said, the logical chain is: objectives, risks, controls. So, risks come before controls.

    Communication has to be straightforward to be understood.

  1. Johan...I completely agree.
  1. Norman....that's a useful post! I sure hope you are involved and provide this input to your US TAG to the update of ISO 31000 and Guide 73.....there are other 'broken' or 'missing' links in the relationship of risk and internal control to how an organization manages and operates (e.g. management systems), and this is another interesting area that needs to be fleshed out along with the very topic you've raised. Keep it comin!

  1. Completely agree with the comments made above. An organisation has objectives. Risks hinder the achievement of objectives. Internal controls mitigate risks. Internal audit provides an opinion on whether internal controls are reducing risks to below the organisation's risk appetite. Not only is this approach simple, it also allows the internal audit tests carried out to be directly linked to the achievement of the organisation's objectives, thus making reporting to the board more relevant and showing the importance of internal audit as part of the organisation. So why do we need COSO's many pages and dense terminology?
  1. Dear Norman, this is a very interesting question. My opinion is the following:
    Board of Directors (Top Management) is responsible for the Policies, Processes, Strategy and Risk Appetite.
    Risk Takers (Treasurers, Traders) are responsible for taking the Risks within specific limits.
    Risk Managers (Controls) are responsible for measuring and controlling these Risks and excesses from limits (Appetite) with systems, processes and procedures.
    Auditors are responsible for measuring, through audits, that these policies, systems, processes and procedures are in place and are followed. Any gaps in this chain should be identified by the auditors. Their job is to inform Top Management.
    I believe that auditors are NOT
    1. Strategy Designers and Makers
    2. Risk Takers
    3. Risk Measurers
    but are Policies, Processes and Procedures Gaps Identifiers. Their Audit findings will help the Top Management to have a full picture of their Organization. The solutions come from the top. Top Management commitment is the key.

  1. Norm,

    Very good discussion as usual, but my question relates to objective-setting. Are you referring to this in generic terms across all verticals, i.e. ROI etc., or company-specific BOD directives? What are your thoughts regarding the framing / classification of objectives....should it be strategic, operational etc.? I ask because, as you well state, the objectives should drive risk and internal controls....but how does a company know their objectives are correct? How can the definition of objectives be constructed to add value to the company?

  1. John, thanks for the comment. I see objectives as referring to the direction set by management and the board at the highest level, but in practice management at each level will have their own objectives they are trying to achieve. If they want to succeed, they had best understand and manage the risks to those objectives.

    I don't classify objectives myself, but can see the value of doing so.

  1. All, is it not appropriate for management and the board to understand the risks in the business environment before setting objectives?

    Also, are there not risks in objective-setting?

  1. Norman and John. Aren't the ultimate objectives set by the 'stakeholders': investors, owners, partners etc.? Another set of objectives comes from legal requirements. For example, in the charity where I was a trustee, the original donor in his will of 1704 included provision for 'some little houses' as well as for buying coal for the poor. So our objective, as trustees, was to provide housing for the 'poor' (in practice, those receiving housing benefit). All objectives flowed from this, together with the requirements of various charity acts. These included the requirement to safeguard assets, ensure the safety of residents and so on. (I must confess that we had stopped providing coal.)
  1. Norman:

    The more time I spend on the risk management stuff, the greater distaste I have for the internal control material, whatever the framework. Tim makes a number of key points, such as preferring the term risk treatments to internal controls. If you understand how to manage risk, which includes risk treatment, and can manage this risk to the established risk appetite/risk criteria of the company, then why would you even care about the term internal control? It is part of the entire risk management framework. But if we must use an internal control model, we should dispense with COSO - unless the final document (which I have not read yet) differs significantly from the drafts which we commented on. There are better frameworks that can be used that are more helpful. So in summary, I see internal control as being a smaller subset of risk management - an important one.

  1. Norm....are there risks for objectives? Great question which gets to the heart of the deal. As you well know, risks are always present. The question is which risks are important/priority. In my opinion the art is in defining the risk universe yet contrasting that with probability. I tend to believe that the higher the level of access (IT) and the higher the level of Mgt., the greater the threat. Re: SOX - if a new user requests low level access, is this not a deficiency? The process flawed...OK let's talk about that...

    In the SDLC methodology the first step is requirements that envision the end-state (input/output, # of users, etc.)..... I'm thinking along the lines of a 360 degree methodology. I don't think we risk folks have gotten there yet to provide real value to our clients.

    Thanks for your feedback Norm.....and your continued thoughts.    

  1. Regardless of the models or theories, RISKS are uncertainties about the achievement of objectives; once such RISKS are identified and assessed, it relies on INTERNAL CONTROL to deal with them (ARTA), where reducing risks involves prescribed procedures and policies such as review, approval, computer control etc. In my opinion, INTERNAL CONTROL should be part of the RISK MANAGEMENT system. They do interrelate but the focus may be different: IC focuses on the past, compliance with procedures and rules; RM is more proactive and forward-looking, to prepare for the uncertainties, ups and downs, with pre-determined procedures (IC).
  1. Arnold. I agree that internal control should be part of risk management but for this reason cannot agree that internal controls focus on the past. Internal controls exist to mitigate risks and they must do this into the future. The past is gone and nothing will change it. The focus of internal audit should be to ensure that internal controls will properly manage risks below the risk appetite for the foreseeable future. For this reason internal controls must always adapt to changing risks.
  1. The logic is right. But no matter how we look at it, you cannot establish controls to mitigate a risk when you have not identified and assessed those risks. Internal controls are a product of risk management and risk management is a product of set objectives. Risk management is a continuous process and does not end with the establishment of controls.

  1. Norman, great and timely article. Objective setting at the top is key to effective risk management within the organization. The organization's objectives are at least partially based on an assessment of the external/internal environment (competitors, regulations, current financial state/goals, etc.) and there is always a risk of misguided objectives based on inaccurate information/wrong focus, but that also can be mitigated. Agree the proper order must be 1) top-down strategy/objectives to set the direction for risk identification, 2) risk assessment tied to those strategies/objectives, 3) controls around mitigating risks to reaching those objectives.
  1. I hope that my comments below add a little to clarifying some of the issues.

    1. I agree with the observation that Internal Control is very limiting - treatments of risk extend beyond this to outsourcing risk or terminating activities which give rise to particular risks. In this sense Risk Management is the broader concept unless Internal Control is redefined to be something which is not immediately obvious from the name.

    2. Objective setting is not limited to the executives and the board. Once the broad strategic objectives have been set at the highest levels, these cascade downward to successively lower levels of management, which set more detailed objectives to support the objectives of the exec and board but which are more limited in scope.

    3. In practice, I am not certain that it is immaterial whether risk management is a subset of internal control or vice versa. From the perspective of the structure of an organization the former would leave the risk management function a part of internal audit; the latter reverses this structure. The differences in the structure might have real consequences for the risk management process. The point was made above that the former tends to rectify problems in arrears while the former would be more forward-looking.

  1. I agree with Greg. In my opinion, Internal Control deals with controls that the organisation has developed internally to address the risk -- this is what the Auditors look for in an organisation to address the operational risk. Risk Management extends further, from Operational, Financial and Compliance risk to include other management action to address the enterprise risks, including the strategic risk -- as the name implies -- Enterprise Risk Management.

    I think it is an interesting point to note that the definition of which is a subset of which may result in a different structure of an organisation. That may be true. Interestingly, IA are asked to evaluate the risk management process to ensure the organisation has effective risk management. From this perspective, Risk Management and IA should be independent.

  1. I fully agree with Norman. Risks are uncertainties about the achievement of objectives. Objectives are critical to the identification and assessment of risks, whether at strategic or operational level. Management should be able to identify the risks that are inherent to the decisions they make, and the most important and critical of all decisions is the direction of the organisation. Hence it is important that risk management is embedded in strategic and operational planning.

  1. Norman - the logic is sound enough, but one could say that all of the activities do not follow a distinct order, especially objective setting and risk management. IC is likely to follow the former, but there may be a reason to consult with IC when identifying risks and contemplating controls if they have the relevant experience. The important thing is that they (IC) do not own or seem to own the risks or controls.

    On the subject of objective setting, I think that RM can play a part before the objective(s) is set and I see it as an iterative process. It is possible that an organisation will set a new or modified objective once they have scanned their risk profile. Using a different profession/analogy, I have often thought that the building inspectors could have a very valuable input into building design as they have seen the mistakes and pitfalls.

    So I am not sure about the preconditions (quoted below) but think of the whole thing as an integrated management effort with plenty of scope for crossover whilst maintaining the integrity of audit.

    "Risks, or at least the risks that matter, are identified and assessed in relation to the objectives, so setting the objectives is a pre-condition.

    So, objective-setting is a pre-condition to risk management and risk management is a pre-condition to internal controls."

  1. I have observed that the objectives setting process is often not considered when identifying and assessing risks, which is a major mistake. I have also observed that risks associated with the ERM process itself are rarely assessed....

    I have also observed that only a few internal audit departments have already audited both the objectives setting and ERM processes of their organization.

    And I have also observed that only a few internal audit departments have already assessed the risks associated with the management of the internal audit department itself, starting with its own objectives setting process....

  1. Norman,

    Thanks for an excellent discussion topic. This is a real chicken and egg debate! For me it flags the importance of keeping audit and risk management activities linked. I think the answer to your question is down to how you define internal control. At an enterprise level, risk management is one of your key controls to inform and manage risk to acceptable levels, whereas, having set strategic objectives, risk management informs what controls are needed to achieve that objective. So it's as clear as mud!

    I like to think of it as a cyclical relationship so that it all depends where you break into the cycle as to whether you think one is a subset to the other.  One informs the other.


  1. Hi Norman, great post!

    IMO, one of your comments is the key to this confusion. You wrote: "All, is it not appropriate for management and the board to understand the risks in the business environment before setting objectives? Also, are there not risks in objective-setting?"

    I didn't study COSO enterprise risk management or internal control frameworks in detail, but I guess the confusion arises because COSO's objective setting comes before strategy formulation? If that's the case then it is the key to the confusion, IMO, because objectives are set after the strategy (re)formulation as well.

    To make things clear, we need to come up with a distinctive terminology. Let's call those objectives that come before strategy overriding objectives or goals (BHAGs) and those that come after the strategy simply objectives.

    Now we know that objective setting is also a decision making process and since risk management is part of decision making, therefore, managing risks to objective setting at all levels is done.

    So it comes out to be that risk management (situation analysis) is a precondition to objectives setting (highest level objectives or overriding objectives or goals/BHAGs), which in turn is a precondition to risk management of all activities - from strategy (re)formulation to objectives setting to execution to monitoring and review of every activity (including risk management processes and internal controls/treatment plans).

    Does it make sense?


  1. Norman, thanks for the blog post. I agree with the ordering of objectives, risks, controls. Regarding risks in objective setting, I see two types of risks: 1) risks in the objective setting process, 2) risks that could impede an already agreed objective. A useful tool to address point 2 is PESTEL. Also Dr. Kaplan has developed some approaches for strategic risks using his balanced scorecard execution methodology.