Monitoring risks is a challenge for the ages! To be successful we need to be clear on outcomes and simplify the process of monitoring.
Oversight. Assurance. Audit. Checking. Testing. There are many ways to articulate the activity of providing comfort to stakeholders that your risks are managed and your controls are operating effectively.
But what does it all mean? Why is it important?
For thousands of years people have been performing activities to achieve a goal or purpose. As time has advanced, things have become more complex, involving more moving parts and more people.
And for thousands of years things have gone wrong. Disasters, failures, errors, mistakes and the thesaurus list keeps going.
Every moment of every day, businesses across the globe face this battle: the battle between delivering for customers and the potential for something to go wrong.
Over the last few years many organisations have considered how to better manage their risks and how best to evaluate whether the controls they rely on are operating as intended.
To do this, organisations use a multitude of functional teams to provide that view.
Audit, particularly external audit, provides the independent third-party perspective: the external view. Then there is internal audit, independent to an extent (its staff are still employees of the organisation, but it reports directly to the Board and its Directors) and a function dedicated solely to testing risks and controls.
Then we shift to functions such as Compliance, Risk, Finance (in particular Sarbanes-Oxley) and Technology. Compliance focuses on the risks arising from laws, regulations and, in some organisations, internal policies. Risk oversees all risk categories, operational risk in particular. Finance focuses on the financial processes and financial risks. And finally Technology focuses on security and information technology practices and procedures.
This is a complex and often unclear picture, because many risks span some, if not all, of these areas.
Organisations need to work through not only their risks but also how they can provide stakeholders, both internal and external, with a clear view of those risks and of how effectively the controls over them are operating. The role of these teams in no way removes the requirement that the owner of a process manage its risks and ensure its controls operate effectively. Instead these teams give senior management, Boards and regulators a clear view of the adequacy and performance of those controls, through groups of people who are not involved in the daily performance of the task. Many organisations refer to these groups as “lines of defence”.
The key point of innovation surrounding monitoring risk is to make it clear and keep it simple. Is this innovation? Not really, but if you let all these layers and groups get out of hand it can feel like innovation is required!
What is truly important for organisations is to design an approach to monitoring that ensures business risks and controls are adequately assessed and monitored, while also reducing inefficiency and ineffectiveness, particularly where multiple groups review the same risks and controls repeatedly whilst other areas of risk and control are left almost untouched. It is easier for each of these groups to perform their own monitoring from scratch, as it gives them full control, but what you gain in control you lose in effectiveness.
Six parties all looking at one particular risk and its set of controls will give you some additional comfort, but at some point that benefit is completely washed away by two things.
- The first is over-analysis of a risk and its controls, with the attendant potential for “group think”. In addition, the value added by each additional check diminishes sharply as more parties review the same area, particularly if they do so within a short period of time.
- The second is the potential to miss risks and controls that could impact the organisation, because coverage of that area is minimal or non-existent.
The key challenge is therefore to articulate your processes, risks and controls in a simple and transparent manner, then to overlay your monitoring (or assurance) activities across those areas, and then to report on the gaps in coverage as well as the issues or errors identified through the monitoring activity. If you can do this successfully, you should see each party place more reliance on the monitoring performed by the others, a better balance of activity across monitoring functions, and expanded coverage of monitoring across all risks.
All organisations have a finite budget to manage their risks and controls. The best managed organisations define precisely their processes, risks, controls and monitoring activities, and are able to report these in a clear and concise manner to all stakeholders, providing confidence in the operation of the business.
Is it time for you to think about this for your organisation?
Where are you in the journey of monitoring risks and meeting this challenge for the ages with clear outcomes and simplified processes?