WFB Fractional CFO
Risk Management & Internal Controls
The COSO cube. COSO is the Committee of Sponsoring Organizations of the Treadway Commission, the body that publishes best-practice guidance for internal control and enterprise risk management; the name is also used for the frameworks it has developed. The cube illustrates how the framework's components apply across an organization's objectives (operations, reporting, and compliance) and across its business units and functional levels, so that risk practices are integrated into the business rather than bolted on.

The organization publishes many guidance papers on the design and implementation of risk management, which can be accessed through its website (link below).

Internal controls are one category of risk mitigation activity within the overall framework, and the one that CFOs use most regularly in finance and accounting processes.
  

COSO Home Page

Understanding risk and risk management is perhaps best introduced through the initial assessment questions that are used to identify risk for a business:
-  What are primary business objectives or strategies?
-  What are key components of enabling the strategy and objectives?
-  What internal factors could cause issues with these key components?
-  What external factors could cause issues with these key components?
-  What are the 3 most significant events that could cause these issues?
-  What environmental hazards and operational catastrophes could be faced? How are you prepared for them?
-  What 3rd Party exposure risks do company operations face?
-  What financial market risks do you believe will be significant?
-  What legal, regulatory, and/or governmental events and risks do you believe will be significant?
-  What other emerging events and risks do you believe will be significant?
Again, I strongly suggest visiting COSO, as its guidance papers present these questions and the frameworks for implementing risk management.
Broadly, a risk is anything that might occur that would affect the value of the company, from disruptions to normal day-to-day operations to threats to strategic endeavors. Risks come from operational shutdowns due to accidents, machinery breakdowns, or supplier issues. They also come from natural disasters, lawsuits, financial markets, regulatory changes, and even an executive's social media account that damages brand reputation.

With all the risks, where do you start?

Every endeavor to implement a change or new activity in a company is going to suggest the same starting point.  Everything begins with

The Tone at the Top.
If top management does not support the implementation and participate in it themselves, the endeavor is already doomed to fail. For this reason it is best practice to show the benefits of each small step whenever progress updates are presented to executive management. Since this is a critical success factor, the next key is easy to remember: start small and build incrementally.

We then start with the identification and assessment of risks. You probably carry insurance coverage, and you may even have experienced operational shutdowns and worked out plans for handling them, so you have already introduced risk management to your business. You continue this process by identifying risks internal to your operations and value chain, then extending it to external factors, for which a PESTLE (Political, Economic, Sociological, Technological, Legal, Environmental) analysis can serve as a guide. Once a list of issues and events is developed, you can move on to the quantitative and qualitative description of each event.

Risks have several characteristics. All of these are approximations, but information can be gleaned from past experience, competitors' experience, industry journal case studies, and other sources to arrive at a figure and a description for each event. Any risk event has an approximate value of impact to the business; that impact may also persist for some time, so it is important not to assign a value based only on the immediate loss. Events also have a probability of occurring, an expected number of occurrences over a given period, a level of exposure to which areas of the business are subjected during an event, and some have a best-practice preparedness procedure that can be implemented. These characteristics assist with ranking and prioritizing risks and with preparing a response to each.
High-Level Risk Categories:

  • Hazard Risk
     acts of nature, data center shutdown

  • Business Strategy Risk
     key employees, capital management & debt capacity, brand reputation, tax effects, pension costs, stock options 

  • Operational Risk
     supply chains, financing, AR/AP, technology, leasing, outsourcing, demand constraints, input costs

  • Investment Risk
     systematic, interest rate, liquidity, leverage, time horizon, returns, credit rating

  • Legal/Compliance Risk
     documentation, regulatory, government policy, contracts, financial reporting
With a list in hand, there is another consideration before deciding how to deal with a risk: monitoring for the potential risk to occur. Some risks can be identified through early indicators if monitoring is implemented. Where that is possible, a monitoring plan will help with the next phase, the plan for handling risks.

How you handle a risk is obviously influenced by its total cost impact weighed against how likely it is to occur, but the cost-to-benefit ratio of the response itself must also be considered when deciding how to handle an event. This is where we look at the four standard options for managing a risk:
Mitigation

Mitigation involves steps to reduce the total exposure to the risk event.  In the event of a supplier issue, perhaps you always maintain a relationship with a second supplier by placing moderate orders for a similar item or material. Another example is the use of hedging in financial markets. 

Transference

Transference involves transferring the risk to another party. This is most commonly identified with insurance coverage.

Acceptance

Acceptance is exactly what you would expect: the company accepts that the risk exists and continues without addressing the event through mitigation or transference, perhaps 'self-insuring' for the event through budgeting.

Avoidance

Avoidance is the plan to avoid the risk event.  This may be choosing not to implement a strategy in a certain product line or choosing not to invest in an emerging technology.
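To make the ranking by impact and probability described above, and the cost-to-benefit comparison between mitigation, transference, acceptance and avoidance, concrete, here is an added example that is not from the original page. It scores a small risk register, ranks it by expected annual loss, and picks the treatment with the lowest total annual cost (treatment spend plus the loss that remains). The risks, dollar figures, and treatment options are constructed for illustration, and the field names are assumptions rather than any framework's terminology.

```python
"""Risk register: quantify, rank, and choose a treatment for each risk.

Added example, not from the original page. Every risk, figure and
treatment option below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    category: str          # one of the page's high-level categories
    single_loss: float     # estimated loss per event, including its lingering effects
    annual_rate: float     # expected occurrences per year (probability x frequency)
    exposure: float = 1.0  # fraction of the affected area that is actually at risk


@dataclass
class Treatment:
    kind: str              # mitigate | transfer | accept | avoid
    annual_cost: float     # recurring cost: control spend, premium, or forgone value
    residual_factor: float # share of the expected loss that remains after treatment


def annualized_loss(risk: Risk) -> float:
    """Expected annual loss = loss per event x events per year x exposure."""
    return risk.single_loss * risk.annual_rate * risk.exposure


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Order the register by expected annual loss, largest first."""
    return sorted(risks, key=annualized_loss, reverse=True)


def choose_treatment(risk: Risk, options: list[Treatment]) -> tuple[Treatment, float]:
    """Return the option with the lowest total annual cost (treatment + residual loss).

    Acceptance is always a candidate at zero spend and full residual loss, so a
    control or policy only wins if it cuts expected loss by more than it costs.
    """
    ale = annualized_loss(risk)
    candidates = [Treatment("accept", 0.0, 1.0), *options]
    best = min(candidates, key=lambda t: t.annual_cost + ale * t.residual_factor)
    return best, best.annual_cost + ale * best.residual_factor


# Constructed register (hypothetical figures).
REGISTER = [
    Risk("Sole-source supplier outage", "Operational", single_loss=400_000, annual_rate=0.25),
    Risk("Primary data center down for a week", "Hazard", single_loss=1_000_000, annual_rate=0.05),
    Risk("Late regulatory filing penalty", "Legal/Compliance", single_loss=50_000, annual_rate=0.5),
]

# Constructed options per risk (hypothetical costs and residual factors).
OPTIONS = {
    "Sole-source supplier outage": [
        Treatment("mitigate", 30_000, 0.3),   # keep a second supplier warm with moderate orders
        Treatment("transfer", 45_000, 0.2),   # business interruption cover, net of deductible
    ],
    "Primary data center down for a week": [
        Treatment("mitigate", 120_000, 0.1),  # warm site: costly relative to the expected loss
        Treatment("transfer", 20_000, 0.4),   # insurance that covers part of the loss
    ],
    "Late regulatory filing penalty": [
        Treatment("mitigate", 5_000, 0.1),    # compliance calendar plus a second reviewer
        Treatment("avoid", 200_000, 0.0),     # exit the regulated line of business entirely
    ],
}


def treatment_plan(register=REGISTER, options=OPTIONS) -> dict[str, str]:
    """Map each risk name to its chosen treatment kind, in priority order."""
    plan = {}
    for risk in rank_risks(register):
        chosen, _total = choose_treatment(risk, options.get(risk.name, []))
        plan[risk.name] = chosen.kind
    return plan


if __name__ == "__main__":
    for risk in rank_risks(REGISTER):
        chosen, total = choose_treatment(risk, OPTIONS[risk.name])
        print(f"{risk.name:40s} ALE ${annualized_loss(risk):>10,.0f}  "
              f"-> {chosen.kind:8s} total ${total:,.0f}/yr")
```

With these constructed numbers the second supplier wins for the supplier risk, the warm site loses to insurance for the data center (its recurring cost exceeds the expected loss it prevents, which is the page's point about such projects not being a small first step), and the cheap compliance calendar wins for the filing penalty. The figures are the fragile part: the model is only as good as the single-loss and rate estimates, so they should be revisited as monitoring data accumulates.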
A list of Many Available Insurance Coverages
  • General Liability Ins
  • Property Ins
  • Workers' Compensation Ins
  • Cyber Risk Ins
  • Political Risk Ins
  • Directors & Officers Ins
  • Business Interruption Ins
  • Umbrella Ins
  • Commercial Auto Ins
  • Errors & Omissions Ins
Identification, assessment, and planning are a great start, but as stated, start small and continue incrementally. Even after identification and analysis are complete, many of the methods for addressing a risk will involve new procedures and activities. Planning and preparedness procedures are more involved, and generally require collaboration with other functional areas such as operations or IT. For example, do you have a backup data center with servers, perhaps a cold site or a warm site, ready to go in the event your primary servers go down? That is not a quick fix, and it is not a small step that will show benefits early and encourage adoption of risk management principles. Such risk events are certainly an issue, but to build a risk-minded organization, risk activities need to be integrated into the functions and processes of the organization, which takes time and capital. So, with the exception of urgent issues such as regulatory and compliance gaps uncovered during risk identification, beginning small and proceeding incrementally is the best route to take.

One approach is to begin in the finance department: with insurance coverage, with monitoring data models that can display operational issues for later planning, and with the implementation of internal controls.
Internal Controls
Internal controls are a key responsibility of a CFO. 

A definition:
Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the categories of operations, reporting, and compliance. Controls encompass the policies, procedures, and practices implemented to ensure the reliability of financial reporting, the efficiency and effectiveness of operations, and compliance with applicable laws and regulations, and they are integral to ensuring that an organization's systems are secure, reliable, and compliant. Controls can be manual or automated and preventive or detective, but they are ongoing, dynamic processes that help safeguard an organization's assets, both physical and intangible (such as reputation and intellectual property), and are designed to mitigate risks, prevent and detect errors or fraud, and promote accountability and transparency.
This sounds great! Safeguarding assets, establishing trust, ensuring integrity; but the theoretical goal can seem a leap away from actual practice. There is a very good chance some internal controls are already in use in your accounting processes, and they can help in finding other areas that could use some controls.
Perhaps you have heard of the segregation of duties principle. Segregation of duties is the goal of separating responsibility for recording a transaction, approving it, holding custody of the assets involved, and auditing or reconciling it, so that no single person controls a transaction from start to finish. Depending on the size of the company, the degree to which this is possible varies, but the concept should guide activities so that there is a way to verify transactions in their completeness, recording, approval, and custody. A couple of examples that may already be familiar to you follow.

If you have ever worked in a storefront and dealt with cash management, then you have made use of controls. Cash registers are counted out every time they are assigned to an employee and again when they are returned. They are also counted out at close. These counts generally involve two people: the shift lead responsible for the safe and the employee responsible for the cash register. At close this may involve only the closing manager, but all cash is counted, recorded, and entered into the system for the morning manager to count again and document. This is a procedure that involves documentation, counts, multiple checks, multiple people signing off together, and a final record that gets sent to the corporate entity. One person is responsible for the safe, another for their cash drawer, and the final count is checked twice, once at close and once at open. This is a control process.

If you have ever worked in an accounting or purchasing department, there are similar documents and checks. Consider a purchase requisition process, from procure to pay. A request is submitted for an item, material, or inventory and a purchase requisition is created. A separate party, or more than one party, must approve the purchase: the approval is done by someone other than the person submitting the request, and different individuals may be required for the approval to pass depending on the total cost or other attributes of the request. Once approved, the requisition moves on to the procurement department with the goal of becoming a purchase order. Procurement arranges the purchase, selecting a supplier, negotiating contractual terms, and perhaps obtaining a final approval from finance depending on the budget and the final quote. Once the purchase order is placed, three departments become involved: Accounts Payable, Inventory, and Treasury.

Accounts Payable is triggered once the vendor's invoice is received requesting payment, Inventory is triggered once the item arrives and a goods receipt is recorded from the delivery, and Treasury submits the payment. To ensure that everything matches, a three-way reconciliation checks that the vendor name, quantities, and totals all agree: PO to invoice, goods receipt to PO, and invoice to goods receipt. This is all just part of the process. Some of these activities will be manual and some automated, but all exist to ensure that the items ordered and the payments made are actually received, in the proper totals, and documented in case a future audit requires verification.
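The segregation of duties rule and the three-way match above are the kind of control that is easy to automate, so here is an added example that is not from the original page. It encodes both checks as a preventive gate in front of payment release: the duties check refuses a purchase where one person requested and approved, approved and took custody, or approved or received and then paid; the match compares purchase order, goods receipt and invoice on vendor, quantity and total. The documents are constructed, the field names are assumptions rather than any ERP's schema, and the tolerance on the invoice total is a parameter because real accounts payable systems usually allow a small variance.

```python
"""Procure-to-pay controls: segregation of duties and the three-way match.

Added example, not from the original page. The documents below are
constructed, and the field names are assumptions rather than any ERP's schema.
"""
from dataclasses import dataclass


@dataclass
class PurchaseOrder:
    po_id: str
    vendor: str
    quantity: int
    total: float
    requested_by: str   # who raised the requisition
    approved_by: str    # who approved it (must differ from the requester)


@dataclass
class GoodsReceipt:
    po_id: str
    vendor: str
    quantity: int
    received_by: str    # who took custody of the goods


@dataclass
class Invoice:
    po_id: str
    vendor: str
    quantity: int
    total: float


def sod_violations(po: PurchaseOrder, gr: GoodsReceipt, paid_by: str) -> list[str]:
    """Segregation of duties: approval, custody and payment must sit with different people."""
    issues = []
    if po.requested_by == po.approved_by:
        issues.append(f"{po.approved_by} approved their own requisition")
    if po.approved_by == gr.received_by:
        issues.append(f"{gr.received_by} approved the purchase and took custody of the goods")
    if paid_by in (po.approved_by, gr.received_by):
        issues.append(f"{paid_by} released payment on a purchase they approved or received")
    return issues


def three_way_match(po: PurchaseOrder, gr: GoodsReceipt, inv: Invoice,
                    tolerance: float = 0.0) -> list[str]:
    """Check PO, goods receipt and invoice against each other on vendor, quantity and total.

    An empty result means the documents agree. `tolerance` is the absolute amount by
    which the invoice total may differ from the PO total before it is flagged.
    """
    mismatches = []
    if not (po.po_id == gr.po_id == inv.po_id):
        mismatches.append("documents reference different purchase orders")
    if not (po.vendor == gr.vendor == inv.vendor):
        mismatches.append(f"vendor differs: PO {po.vendor!r}, receipt {gr.vendor!r}, invoice {inv.vendor!r}")
    if gr.quantity != po.quantity:
        mismatches.append(f"received {gr.quantity} but ordered {po.quantity}")
    if inv.quantity != gr.quantity:
        mismatches.append(f"invoiced {inv.quantity} but received {gr.quantity}")
    if abs(inv.total - po.total) > tolerance:
        mismatches.append(f"invoice total {inv.total:.2f} vs PO total {po.total:.2f}")
    return mismatches


def release_payment(po: PurchaseOrder, gr: GoodsReceipt, inv: Invoice,
                    paid_by: str, tolerance: float = 0.0) -> tuple[bool, list[str]]:
    """Preventive control: pay only when duties are separated and all three documents agree."""
    problems = sod_violations(po, gr, paid_by) + three_way_match(po, gr, inv, tolerance)
    return not problems, problems


# Constructed documents for one purchase (hypothetical IDs, names and amounts).
PO = PurchaseOrder("PO-1001", "Acme Metals", 12, 3600.00, requested_by="j.doe", approved_by="m.lee")
GR = GoodsReceipt("PO-1001", "Acme Metals", 12, received_by="r.kim")
INVOICE_OK = Invoice("PO-1001", "Acme Metals", 12, 3600.00)
INVOICE_INFLATED = Invoice("PO-1001", "Acme Metals", 12, 3960.00)          # overbilled by 10%
INVOICE_LOOKALIKE = Invoice("PO-1001", "Acme Metal Supply", 12, 3600.00)   # payee name does not match

if __name__ == "__main__":
    for label, inv in [("clean", INVOICE_OK), ("inflated", INVOICE_INFLATED), ("lookalike", INVOICE_LOOKALIKE)]:
        ok, problems = release_payment(PO, GR, inv, paid_by="t.ng")
        print(f"{label:10s} -> {'PAY' if ok else 'HOLD'} {problems}")
    # Paperwork matches, but the approver is also releasing the payment: held on duties alone.
    print(f"{'self-paid':10s} -> {release_payment(PO, GR, INVOICE_OK, paid_by='m.lee')}")
```

Run as a gate this is a preventive control; the same functions run periodically over already-paid invoices become the detective version, which is how a slipped tolerance or an approver who quietly gained payment rights gets caught. The tolerance itself should be treated as a controlled setting, since widening it is the simplest way to let inflated invoices through.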

If you are familiar with these processes, then perhaps you are beginning to identify other areas in which you document activities and have levels of checks, reconciliations, and approvals. Inventory counts, fixed asset inventory checks, equipment checks, customer returns and refunds, month-end and annual accounting closes, expense account purchases: any area that involves assets is a good place to begin your search for control processes, or to find areas that lack processes and could use control procedures. Since controls are an integral part of a risk management system, the same steps of identification and assessment are required, and they may simply follow from a comprehensive risk assessment.
10 Steps for Effective Internal Controls
   (Institute of Management Accountants)
  1. Establish a Strong Control Environment (Tone at the Top)
  2. Conduct a Comprehensive Risk Assessment
  3. Implement Control Activities
  4. Segregation of Duties
  5. Document Policies and Procedures
  6. Communicate Information
  7. Leverage Technology and Automation
  8. Conduct Continuous Monitoring for Effectiveness
  9. Evaluate and Remediate Deficiencies 
  10. Provide Training and Ensure Accountability
As with any change, there must be an effort at change management and an assignment of responsibility and accountability. For this reason, many use the RACI model, familiar from IT and project management, for communicating information, monitoring, and assigning roles.
R - Responsible

The person or people who perform the work or execute the control. There can be multiple individuals designated as responsible for a single task.

A - Accountable

The single individual who is ultimately answerable for the correct and thorough completion of the control. This person has the final authority and must approve the work. Best practice within RACI is that only one person is accountable for each task, to ensure clarity.

C - Consulted

The people or groups whose opinions are sought before a decision is made or a task is executed. This is a two-way communication to leverage their expertise or insight.

I - Informed

The individuals who are kept up-to-date on the progress or outcome of a control. This is typically a one-way communication to ensure they are aware of the status.
Implementing a control system is an involved task, but a necessary one: public companies are required to maintain and assess internal controls over financial reporting against a recognized framework (in the United States, under the Sarbanes-Oxley Act), and private companies gain the same benefits from their execution. While there are many frameworks to assist in the development and planning of controls, how they are applied will depend on your processes, which may be industry specific, may be more manual than technological, and may be shaped by the size of the company. There is a certain amount of art to the design and implementation of controls because of these factors, but also because you do not want to implement a process that is cost prohibitive; a control at one point in a process that would be costly may have to be minimal, with a more comprehensive secondary control implemented at another point where the cost is acceptable. In the end, the goal is operational integrity and trusted financials, so that the financial statements presented are objective and fairly stated. If you are certain your figures represent your company well from period to period, then you may have a solid foundation of controls and may benefit from an external audit.
Copyright © 2025