Summary

Summary - Internal Control and Risk Management

Pages: 67
Uploaded on: 19-06-2025
Written in: 2024/2025

Summary of all materials in slides

Preview of the content
Internal Control & Risk Management

I. Introduction to Risk Management & Internal Control

1. Who, what, why?

Brief history of ERM: ancient civilizations, maritime insurance, medieval guilds, renaissance and early
modern period, industrial revolution, financial crises in the 20th and 21st century, today

The Deming Circle (Plan-Do-Check-Act): figure not reproduced in this preview.
Recent trends and developments on RM&IC:

- Adoption of AI and technology: Highly relevant for risk management due to its ability to
enhance various aspects of the process. Some key reasons: real-time risk identification,
improved decision-making, efficiency and automation, fraud detection, predictive analysis,
and enhanced cybersecurity. Organizations must also be aware of the risks, such as bias and
privacy issues.
- Geopolitical risks: Increasing geopolitical tensions encourage companies to reconsider their
dependence on external suppliers and focus more on regional or local solutions.
- Proactive risk management: There is a shift from reactive to proactive risk management.
Companies are increasingly taking measures before risks occur. Some examples include:
scenario planning, employee training and awareness, diversification, and technology and
automation.
- Cybersecurity and data breaches: Given the rise in cyberattacks, it is essential to implement
effective cyber incident reporting and security measures.

2. What is risk?

ERM considers all the risks faced by the firm and attempts to integrate these disparate risks into a
single unified analytical framework. Traditionally, risk has been managed in the compartments of
financial risk, operating risk, credit risk, etc. ERM insists on bringing these together into one system,
rather than keeping risk in “silos”.

“(Internal) Control”: Control mechanisms are all those arrangements and procedures in place to
ensure that business objectives may be met.

Definition of risk (ISO 73): “Risk is the effect of uncertainty on objectives”

This definition links risks to objectives; the effect may be negative, positive or a deviation from
expectations; it relates risk to a loss, an opportunity, or the presence of an uncertainty.

Classification of risk: Useful for analysing risks; no classification system is universally applicable,
however. ISO Guide 73 sets out these three categories based on impact:

- Hazard or pure risks: Risk events that can only result in negative outcomes. These are often
thought of as operational risks and are often insurable. May include people, premises, assets,
suppliers, inefficient operation, IT. Companies typically have a “tolerance” of hazard risks and
need to manage these risks within these levels of tolerance. There is often a trade-off to be
made between preventive and corrective measures.
- Control or uncertainty risks: Risks that give rise to uncertainty about the outcome of a situation,
where uncertainty represents a deviation from the required or expected outcome. These are very
difficult to quantify as they are unknown, and they are associated with project management. Control
management is concerned with reducing the uncertainty and minimizing the potential
consequences of these events. Companies in general have an aversion to control risks, and
the danger exists that they become obsessed with these; companies must therefore accept a
certain level of uncertainty when undertaking a project.
- Opportunity (or speculative) risks: Occur when companies deliberately take risks in order
to achieve a positive return. In general, these result from taking or not taking an opportunity.
These are often of a financial nature and associated with the development of new strategies, but
can also arise from enhancing the efficiency of operations. Opportunity management seeks to
maximize the benefits of taking entrepreneurial risks. Each organization has its specific risk
appetite, and there is a link between opportunity management and strategic planning.

There is no ‘right’ or ‘wrong’ in the subdivision of risks. What matters most is that companies adopt the
risk classification system that is most suitable for their own circumstances.

3. What is (internal) control

“Control”: Control mechanisms are all those arrangements and procedures in place to ensure that
business objectives may be met. Classification by COSO:

- Preventive: Limit the possibilities of an undesirable outcome being realized. Taken by a firm
to detect noncompliance with policies and procedures. These controls ensure that systems
work in the first place. (e.g. supervision, training, IT access approval, locks: physical access)
- Detective: Identify occasions on which undesirable outcomes have been realized. Necessary in
a good internal control system. These rarely work well as a deterrent in the absence of
severe penalties. (e.g. bank reconciliations, monitoring actual expenses vs budget, post-incident
review)
- Corrective: Limit the scope for loss and reduce any undesirable outcomes that have been
realized. When violations or problems are identified, some corrective action is required. These
controls ensure that where problems are identified, they are properly dealt with. (e.g.
correcting financial records after a mistake was discovered, changing IT access when people
change jobs)
- Directive: Ensure that a particular outcome is achieved. To ensure compliance, a clear,
consistent message from management that policies and procedures are important is required.
Positive arrangements motivate people and give them a clear sense of direction (and the
ability) to make good progress. (e.g. corporate policies/procedures)
- Compensating: Intended to make up for a lack of controls elsewhere in the system.

Dimensions of control: formal vs informal control (link with management control)

- Behaviour control: Process of finding ways to control behaviour so that a job is completed in
a pre-specified manner. (Task or action control)
- Output control: Methods focused on measuring employee performance against stated
objectives. (Results control)
- Social control: Informal control based on unwritten rules within the organisation (People
control)

4. Development of Enterprise Risk Management (ERM)

Over the last 25 years, we saw a number of scandals (like Enron, L&H) and the financial crisis, but there
were also other risks like disasters (Hurricane Katrina) and terrorist attacks. We cannot pretend that
there are no problems, and we thus need to act proactively. Risk management has become increasingly
popular.

Risk management is nothing new, but historically this term was only used for the approach to hazard
risk, and there was little recognition that these risks were connected (“silo approach”). In the early
2000s, ERM emerged as an attempt to manage enterprise risks in an integrated way.

In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued
guidelines that defined ERM as:

“A process, effected by an entity's board of directors, management, and other personnel, applied in
strategy setting and across the enterprise, designed to identify potential events that may affect the
entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives”

Drivers of ERM development:

- External: corporate scandals, economic crisis, corporate governance requirements/legal
developments, ERM standards/frameworks/best practices, regulatory pressure including
credit rating agencies
- Internal: management and board of directors increasingly accountable for risks, rising volume
and complexities of risks affecting firms – but few organizations have robust key risk
indicators, ERM can increase value by creating a greater understanding of the business and a
competitive advantage

Major benefits of ERM: The FIRM risk scorecard offers a formalized structure for risk identification but
can also be used as a template for the identification of corporate objectives, stakeholder expectations
and, most importantly, key dependencies. (For benefits, see table on slide 45) The four FIRM categories are:

- Financial
- Infrastructure
- Reputational
- Marketplace

5. Corporate governance and regulatory context (external control)

External controls: Mechanisms or regulations imposed by external entities to ensure an organization
complies with laws, standards, or societal expectations. One way to manage the external regulatory
context properly is to have a Corporate Governance code in place.

Corporate Governance (CG): The way organizations are directed and controlled; it is a set of codes,
guides, regulations, and standards. The development of CG codes was needed to re-establish the
performance/conformance balance. It covers a wide range of topics, and risk management is an
integral part of successful corporate governance in every organization. But CG also comprises
other elements like strategic direction and business model. There are two main approaches for
countries to impose CG requirements on companies: comply-or-explain, or full compliance with detailed
requirements. These requirements are particularly strong for companies quoted on stock exchanges.

The purpose of CG: Facilitate accountability and responsibility for efficient and effective performance
and ethical behaviour.

OECD principles of CG (2023):

- Effective corporate governance framework
- Rights of shareholders
- Equitable treatment of shareholders
- Role of stakeholders in CG
- Disclosure and transparency
- Responsibilities of the board

Sarbanes-Oxley Act in 2002, US: SOX sets new or enhanced standards for all U.S. public company
boards, management and public accounting firms. Enacted as a reaction to a number of major
corporate and accounting scandals.

Risk management and control frameworks: Cadbury report (UK), COSO (US), CoCo (Canada), ISO
31000 (the new international RM standard), Basel norms, COBIT (Control Objectives for Information
and Related Technology), INTOSAI

6. Control responsibilities

6.1. Internal control

“Internal control is a process, effected by an entity’s board of directors, management and other
personnel.”

This process is designed to provide reasonable assurance regarding the achievement of objectives in

- effectiveness and efficiency of operations,
- reliability of financial reporting, and
- compliance with applicable laws and regulations

Characteristics of internal control:

- Process, not an end in itself
- People at every level of the organization
- Reasonable assurance
- Achievement of objectives

System of internal control plays an important part in the successful management of risks by an
organization.

Objectives of internal control (IIA):

- Accomplishment of objectives and goals
- Efficient use of resources
- Compliance with policies, plans, procedures, laws, regulation, etc.
- Safeguarding of assets and prevention of fraud
- Reliable financial and operational reporting (internal + external)

6.2. Internal audit

“Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.” (Institute of Internal Auditing, IIA)

Internal auditor:

- Role: validation of the controls and procedures in place to manage risks; sets audit priorities
for the testing of controls
- Has a direct reporting line to the top of the organization
- Thus provides an assurance service on ERM processes; the internal auditor is not involved in
developing them, nor in managing risks

Seller: leonvde (Katholieke Universiteit Leuven)