
29 May 2023

The Evidence is the Control

The most comprehensively documented system of internal control does not provide any assurance that the enterprise is effectively, or even adequately, controlled. From a Risk Management perspective, controls are irrelevant; only the evidence of the functioning of the control is the control.

Let's consider the role of Risk Management in providing real assurance, and how to make this real.

I've posted the article on LinkedIn here

And below:

The most comprehensively documented system of internal control does not provide any assurance that the enterprise is effectively, or even adequately, controlled. We are so used to the SOX-generated idea that the system of internal controls needs to be documented, and where there are perceived to be inadequate controls, more controls need to be introduced and documented. This is limited, of course, to “controls over financial reporting”, as required by Sarbanes-Oxley (SOX).

This has resulted in probably hundreds of millions of dollars, probably billions, being spent to document controls over financial reporting, and then Internal Audit (and External Audit) testing of those controls. A windfall for the Internal Audit profession and for External Audit firms. After all, well-documented controls, especially when the critical controls are tested, are the backbone of a sound system of internal controls. Or are they?

We need to move from the paradigm that a documented system of internal controls equates to an effectively controlled entity. Nothing could be further from the truth, and this is why we have both Internal and External Audit. Internal Audit tests the controls, recommends improvements to controls and provides “assurance” to senior management and the board that the controls are functioning. External Audit places limited reliance (anything more and they couldn’t demand the level of fees they do) on the work of Internal Audit and on the controls. 

I’ve missed the “risk” word above. Of course, Internal Audit should determine the controls to test on a risk-assessed basis. Yet too frequently, Internal Audit focuses on the highest-risk areas (that is appropriate) while year after year, the non-high-risk areas effectively get a pass. There simply are not and never will be enough Internal Audit resources to test all areas.  

After all, a fire will destroy the kitchen and house, while the ants will slowly denude the pantry. So we audit the fire alarms, and make sure there is a fire extinguisher (have you checked the date on it recently?), but we don’t hunt for ants unless they are right in front of our faces.

To paraphrase Hemingway, internal control failures happen slowly, and then all at once.

So the classic three-year rolling Internal Audit programme never seems to get to the bottom two-thirds of the potential auditable areas. What does this mean? Fundamentally, too much of the entity will never be audited, and there will never be evidence that the controls are or are not functioning.

And here is our problem. It will be one of those areas, probably not directly related to ‘financial reporting’ that will ‘go bad’, resulting in significant problems and costs. 

The evidence IS the control.  

Who cares if there is a full set of documented controls if operational management knows perfectly well that Internal Audit will never reach two-thirds of the entity, i.e. their function, system, or process? This means more resources that said operational manager could spend elsewhere, on people, supplies, laptops, etc., because they know that the cost of the control can be deferred, because the chances of their ever being audited are minimal.

In some enterprises, the “Second Line” in the form of Risk Management contributes to the identification of appropriate controls, and should be monitoring the control environment. This augments and does not detract from the role of Internal Audit, whose role is to perform detailed reviews of processes, systems, or functions, confirming through testing that the stated controls are functioning.  

So what is the role of Risk Management, as 'second line', in providing assurance over the system of internal controls? Risk Management can provide the framework to ensure that controls are functioning, by providing the repository and process to enforce confirmation of the functioning of controls. So what can Risk Management do?

  1. Risk Management assists management in the identification, description (including quantification) of risks, and 
  2. Assists management in determining and quantifying the level of risk that is acceptable, and in gaining senior management and board endorsement of the level of acceptable risk (the Risk Appetite applicable to the risk), and 
  3. Works with management to identify what ‘controls’ would provide confidence that the risk is being mitigated or otherwise managed within appetite, and 
  4. Provides a framework for the regular assessment and reporting on the functioning of the identified controls, and 
  5. Provides an independent repository for the collection and retention of the evidence that each control is functioning, and finally 
  6. Reporting to senior management and the board on management’s reported assessment of the effectiveness of controls, to confirm that the entity is functioning within Risk Appetite, or 
  7. Provides reporting and recommendations to senior management and the board on additional steps that may be required to bring the entity into appetite (which may include the explicit modification, ‘upward’ or ‘downward’, of the actual Risk Appetite).

In this way, it is not the fact of the existence of a documented control that matters; it is the provision of evidence by management that the control is functioning. This evidence is the control. Without the evidence, it must be assumed that the control may not be functioning, and therefore it must be tested by Internal Audit, something that probably will never happen for the vast majority of non-high-risk areas.

Quite some time ago, you probably started saying, “But this isn’t the job of Risk Management”, and in a purist sense, I agree. But I also know that someone needs to do this, and that someone needs to have access to the board and to management. Relationship management across the first line is critical, as is the ability to synthesise the information provided in the evidence of functioning controls.  

Most importantly, there cannot be an adversarial relationship such as too often exists between Internal Audit and the business, and between External Audit and everyone. Note I’m saying ‘too often’, not that this should be the natural state of things. 

Risk Management has many responsibilities, and this one fits nicely. 

Where there is an ongoing demonstration of performance of the system of internal control, identification of new or evolving risks, and a risk appetite that is both detailed and macro, Risk Management should be there. As risk specialists (both ‘downside’ and ‘upside/opportunity’) with the ability to communicate potential impacts as well as provide  

So consider a framework that includes a quarterly provision of the evidence of each control, coupled with management’s assessment of the effectiveness of that control. Consider also a regular relationship meeting between Risk Management and operational managers to confirm that the range of risks is current, that the rating of the risks continues to be in line with management’s understanding of the risk, and that the mitigation in place, as demonstrated by the provided evidence of the functioning of the controls, ensures that the entity, or at least this risk, continues to be managed within appetite.

Finally, the evidence provided by management and monitored by Risk Management also enables Risk Management to provide greater confidence in their reporting of the current risk status of the entity, improving the quality of assurance provided.

After all, documented controls by themselves are worthless. The Evidence of the functioning of the control is the Control. 

#Risk #InternalAudit #SOX


26 January 2016

Risk Managers in Uncertain times

Over the past few weeks I have been thinking about the world as we move into 2016. Most of that thinking is not about daisies and pixie dust, but about the changes over the past few years, many of which seem to be leading either to crisis, trouble, or the slow boiling of the frogs. Personally I'm hoping for a few crises that will, although probably fairly terrible at the time, actually bring about some fundamental changes that will create real change and improvement, at least in the medium term.


What's a Risk Manager to do? Below I contrast "the Usual Suspects" that we are (or should be) watching every day as Risk Managers, and then "the Big Stuff" and implications for Risk Managers now.

We are going to see the world change through 2016 and 2017, potentially dramatically - and not necessarily positive change. That is my view. Of course, I could be very wrong, and we could see a world that "muddles along". At heart are our individual answers to the question "how do we best help our businesses manage the coming risk world?"

I am not confident, but that is my view.

So let me suggest, based on my view, the potential impacts on Risk Managers for the coming couple of years. Two years is a very short time in a world of potential regulatory change and economic cycles. Anything shorter than two years would fail to consider the potential impact of major business and economic cycles such as the current commodity depression, the US (and China) manufacturing recession, and the very serious systemic debt and migrant issues that Europe may or may not manage through the coming year.

The Usual Suspects:

Of course the world of Risk will be both immediate and longer term, local or specific as well as systemic and international. We'll start by reminding ourselves of some basic risks that have no direct link to the wider situation.

1. Cyber threats. This category of risk continues to be on the rise, and can be an existential threat to companies from a data-loss or damage perspective, while civil and regulatory sanctions continue to increase. This is a threat that has been growing, and increased access and growth in skill sets will increase the number of hackers and the breadth of tools and techniques they will use. Companies will be taken down by Cyber attacks. Companies can prepare for and attempt to limit the impact of Cyber attacks, but can do little to reduce the likelihood of such attacks (as exogenous threat likelihood is not subject to risk reduction activities on the part of the company). Reducing the impact requires planning, careful review of the potential threat (what are the data crown jewels, and how are these protected?) and remediation where infrastructure is not adequately protected. Reputation damage limitation is an element of planned responses, and finally, consideration should be given to Cyber Insurance.

2. Fraud, Bribery and Corruption. If the economy continues to grow and unemployment continues to fall, there will be little impact on the likelihood of Fraud, internal or external, though of course these risks remain. However, if we see a degradation in economic conditions, this will probably lead to an increase in fraudulent activity, starting with external fraud and followed by an uptick in potential internal fraud. Of course, some fraud, bribery or corruption is simply due to greedy people, and has no linkage to economics. Exercise skepticism.

3. Solvency. For the insurance industry in Europe, this is the year Solvency II fully comes into effect, and insurers across the continent are getting their reporting houses in order. Yet the risk is not simply that companies may or may not be solvent, it is a question of the quality of internal processes supporting production and maintenance of the ORSA (Own Risk and Solvency Assessment). As risk managers we can learn from companies that have been through the process, such as the importance of the quality of documentation of the process, effectiveness of systems of control (nothing new there), and the ability to demonstrate how the ORSA contributes directly to business decision-making.

4. All Your Risks. Every risk on your Risk Register will remain as critical (or otherwise) through 2016 and 2017 as they are today. Some will increase in potential impact, many will eventuate in actual issues or problems. These risks will become incidents, and you will manage them through to resolution - or not. There will also be a host of issues and incidents that will result in you reviewing the Risk Register, and probably adding risks to the Register.

You can never go wrong keeping your eyes on the day-to-day risks, and ensuring that the business either has effective controls in place, or is building a control environment that can actually be monitored to indicate areas of existing or emerging risk.

Now for the Big Stuff:

A global correction may be underway, with no sign of a low for some time to come. Certainly there may be up days or weeks, but it appears that there is more likelihood of a longer down trend for the coming months. The questions now are "how far, how fast, how long, and how much stimulus"? There are no serious commentators calling for a near-term renewal of a global bull market. The IMF recently downgraded their expectations for global growth from 3.8 (July 2015 forecast) to 3.4 (January 2016), with developed economy growth downgraded from 2.4 to 2.1, the same level as 2015.

The US markets are down 15% from their highs (DJIA - 15,900 from 18,200 in 2015), and China is at 2014 levels (Shanghai is at 2750 from a high of 5100 in 2015). [as at 26 January 2016]  Where will they go?

Total global debt has continued to rise all through the supposed deleveraging after the Global Financial Crisis (GFC), increasing by US$57 trillion since 2007 to almost US$200 trillion. The majority of this increase has been government debt, yet corporate debt (and personal debt) has also risen through that period. This also cannot continue without impact.

At the same time, in developed countries we see close to stagnation in the growth of real incomes. Personal income in the UK has finally (May 2015) caught up with where it was before the GFC, and the strong employment growth has been reflected in falling unemployment and increased wages. The introduction of a "living wage" will also increase personal incomes (although some worry that imposed minimum wages reduce employment growth). All good news, but will the UK continue to grow as the rest of the world slows down, if the UK votes to leave the EU, or if markets continue to fall (the FTSE is now at 5800 from just over 7000 in 2015, and continues to fall)? [as at 26 January 2016]

In the US, employment growth appears to be strong, at the same time that the labor participation rate continues to fall. The unemployment rate is around 5%, a level that is close enough to full employment that we should be seeing serious upward pressure on wages. Yet the continued fall in labor participation indicates that there remains a (growing) untapped pool of labor. The picture remains murky.

Recommendations for Risk Managers

The current economic situation is, in my view, as scary as it has been since the GFC. Fear has an impact on risk and companies' and individuals' perceptions of appropriate levels of acceptable risk. How do we translate this into meaningful decision-making by companies, and counsel from Risk Managers?

1. Risk Appetite. There should be no better time than now to review (or write) the Risk Appetite for the business. Risk Appetite will provide a construct for decision-making by management that is in line with the level of risk that is acceptable to the Board and through them the shareholders. Risk Appetite is not a single statement, but needs to be broken into key business activities or processes, and potentially high level business units / companies. When reviewing (or writing) the Risk Appetite, speak directly with the directors and in private companies, with the key shareholders.

2. Identify your Key Risk Indicators (KRIs). These are the indicators whose movement provides insight into the potential increase or decrease in the likelihood of the materialization of any particular risk. For example, this may include items such as average days receivables (expanding may indicate deteriorating customer business conditions), or less obvious indicators such as unplanned staff turnover rates (with falling unplanned turnover being a surrogate for a degrading jobs market for your employees).

3. Stress tests (EKRIs). Build the models, and then test them beyond what your CFO/Finance Director thinks is possible. Build in extremes such as cost of fuel for distribution networks, cost of capital, and internal project hurdle rates. Stress until the model breaks, then look at why the model broke. That will give you a strong indication of the most important factors to be watching on a daily basis - your External Key Risk Indicators (EKRIs). I know of a very large manufacturing company that failed to hedge fuel costs, resulting in significant business costs when oil did spike. While that may not be the case today, if cheap oil turns out to be transitory, will cost-reduction based profits evaporate?

4. Outside-In. Having built or reviewed the Risk Register, the KRIs and the EKRIs, how are the risks identified reflected in the Risk Registers and risk reporting? Is the current risk environment too inward looking, focusing on the specific risks, controls, actions and people that are within the organization and therefore "observable" to management? How strong is the monitoring of external factors, and how can this be built into risk reporting?

5. Regulation Watch. Times of crisis almost always breed new regulation, or changes to existing regulation. I'm not going to opine on the benefits or otherwise of regulation, but as Risk Managers we must ensure that our organizations have fully considered the potential impact of such changes. When SOX (Sarbanes-Oxley) and the section 404 requirements were passed, who predicted $170/hour for bog-standard Internal Auditors spending thousands of hours documenting mundane financial reporting processes and identifying controls - followed then by the massive increases in compliance costs to test those controls? Something like this is in our collective futures.

These are a few of the considerations for Risk Managers today. Are these different from what Risk Managers should be doing or concerned with in good times or steady global growth? No. And that is the rub, and the message: times like today provide strong reminders of what we should be doing every day. The increased fear does, however, provide us with the energy to get this done.