Assessing Controls Over Operational Risks
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
“Operational Risks” and “Operational Objectives” have been defined in a number of ways. For example, the COSO Enterprise Risk Management–Integrated Framework talks about Operational Objectives as relating to the “effective and efficient use of its resources.” The latest draft of the COSO Internal Control–Integrated Framework (ICF) has somewhat longer language: “Operational Objectives… pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.”
Operational risks would then, I presume, be risks to the achievement of the organization’s objective(s) to be effective and efficient.
More common in my experience is the use of “operational risk” to refer to matters that arise from the normal course of running the business. For example, the Basel Committee on Banking Supervision’s Sound Practices for the Management and Supervision of Operational Risk (2011) has this: “Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.”
Whichever you like, my process for assessing the adequacy of controls over these risks is the same as I described in my earlier post on How to Assess the System of Internal Control.
“An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories.” (COSO ICF updated 2012 draft, paragraph 86)
In order to achieve this, you need:
- Clearly defined objectives
- A well-executed risk assessment that defines the risks to achievement of objectives
- Definition (which is preferably formal) of the level of risk that management and the board are willing to accept
- A combination of controls that provides reasonable assurance that the above-defined risks are within the above-defined acceptance levels
- An efficient combination of controls
How does the latest draft of the COSO ICF tackle this? I confess to being surprised when I read this in paragraph 22:
“achievement of operations objectives — such as a particular return on investment, market share, or entry into new product lines — is not always within the organization’s control. Internal control cannot prevent bad judgments or decisions, or external events that can cause an organization to fail to achieve operational goals. For these objectives, systems of internal control can only provide reasonable assurance that management and the board are made aware, in a timely manner, of the extent to which the entity is moving toward those objectives.”
While the first two sentences are true, I think the conclusion drawn in the last sentence is incomplete and may mislead.
“Bad judgments or decisions” cannot be totally prevented by internal controls, whatever the objective — whether operational, reporting, or compliance. That is why we say that internal control can only provide reasonable assurance.
But even for operational objectives and operational risks, the key is an effective set of processes for identifying (i.e., understanding), analyzing, evaluating, and treating the risks.
If the risk management program is effective (not perfect, but reasonable), and the combination of internal controls provides reasonable assurance that identified operational risks are at acceptable levels, then the system of internal control can be considered effective.
Do you agree? I welcome your perspectives and commentary.
Posted on Oct 26, 2012 by Norman Marks