Innovating in the Face of Internal Control Regulations

January 2004

Official standards and regulations can unwittingly stifle innovation. Look for hidden flexibility in official documents, and consider interpreting such guidelines as a structure for documentation rather than as a literal procedure for thought.

by Matthew Leitch

If you're involved in risk management, you've probably noticed that more and more people want to tell you how to do it. New standards, regulations, statutes, and guidelines are emerging all the time, mostly driven by concerns about internal control. Some of this is helpful. If an organization is doing nothing and has no understanding of what it should be doing to manage its risks, then the official guidance and regulations are a massive step forward.

However, at the other end of the scale, if you are an expert aiming to innovate for competitive advantage, then standards and regulations can get in the way. You want to tailor your approach to your organization's unique requirements and try new ideas. Often it seems that the regulations would rather you did neither.

This article discusses the most common ways in which standards and regulations currently risk stifling good innovations, and suggests ways for practitioners to uncover the hidden flexibility in official documents.

The Common Problem Areas

Official risk management requirements often are driven by concerns about internal controls and, naturally, reflect the favorite concepts and techniques of the external audit firms that play a large role in writing them. The theory is thin, with no serious attempt at quantification. The focus is usually on bad things that might happen, with no room for upside risks. The actions required are mostly about evaluation and tend not to be about design of controls and planning for future needed improvements.

A common problem with technical guidance is that the advice assumes the items on a risk register are individual risks, when in practice virtually all risk register items are, and need to be, sets of risks. The ramifications of this are explained in the next section.

Finding the Hidden Flexibility

If you feel that official pronouncements are making it harder for you to perform the risk management function in a progressive way, don't give up. There's usually a lot more flexibility in official documents than first seems the case.

First, a high proportion of such statements turn out to be no more than examples of how the function could be accomplished. Perhaps this happens because rule writers sensibly stop short of closing the door on valid alternatives. Look for phrases like "such as," "sources of evidence should include," and "the illustrative pro forma in appendix B." The exact wording of the key rules tends to be correct, even when the examples used to illustrate the application are not.

Second, official risk management rules almost never forbid the other things you might be doing in addition to meeting the official requirements. Furthermore, the rules don't specify that they are the most important thing you should be doing at any given time.

Third, a lot of the baggage around a set of rules lies not in the rules themselves but in common interpretations of them. Just because something is usually taken as having a certain meaning does not mean you have to go with that meaning, though of course it is much more difficult to argue the case for being different.

Some Specifics

Below are some specific examples to help illustrate the points made above.

Ratings of Probability and Impact. You may want to rate risks in ways that differ from those envisioned by the relevant official documents. You may want more or less quantification, or to be selective in some other way.

It is common for rules to require that risks be evaluated by considering their probability and their impact if they occurred. The natural assumption is that each item on a risk register should have a rating for its probability, and another for its impact. This approach is often shown as an illustration of how it might be done.

However, risk register items are almost never individual risks. Instead they are, and need to be, sets of risks. It is illogical to make single ratings of probability and impact for whole sets of risks. If you really want to do it properly, you need a probability distribution of impact.

Before you conclude that the rules are asking you to do something illogical, check the wording of the requirements (as opposed to the examples). A phrase like "consider both probability and impact" does not necessarily mean that they should be rated individually for every individual risk or every set of risks. It just means that probability and impact should be considered in some way.

Generally, the rule won't specify that you have to consider those factors for every item. In practice, there are many risk register items that are clearly key or clearly trivial, and time-consuming analysis would add nothing to the trivial items.

Finally, if you were to rate each risk register item (i.e., set of risks) for probability, and then for impact, would it meet the requirements? Is it possible that doing something meaningless would meet the requirement to consider probability and impact?
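The point about rating sets of risks can be made concrete. The following is an added Python example, not code from the article or its author; the register items, probabilities and impacts are constructed sample data, and it assumes that the risks within a set occur independently of one another. It shows two register items that would receive the same single probability/impact rating (and the same expected loss) yet have quite different distributions of impact, which is what is lost when a set of risks gets one pair of ratings instead of a probability distribution of impact.

```python
from collections import defaultdict

# Constructed sample data (assumption of this example, not from the article):
# each register item is a set of individual risks, each written as
# (probability of occurring in the period, impact if it occurs).
# Impacts are in arbitrary money units.
REGISTER = {
    "item_A": [(0.5, 20.0), (0.5, 20.0)],  # two moderate, frequent risks
    "item_B": [(0.1, 200.0)],              # one rare, severe risk
}


def expected_loss(risks):
    """Sum of probability x impact: the one number a P x I rating encodes."""
    return sum(p * impact for p, impact in risks)


def impact_distribution(risks):
    """Exact probability distribution of total impact for a set of risks.

    Assumes the risks in the set occur independently (an assumption of this
    example). Returns a dict mapping total impact -> probability, built by
    convolving one occur/not-occur choice per risk.
    """
    dist = {0.0: 1.0}
    for p, impact in risks:
        new = defaultdict(float)
        for total, prob in dist.items():
            new[total + impact] += prob * p    # this risk materialises
            new[total] += prob * (1.0 - p)     # this risk does not
        dist = dict(new)
    return dist


def prob_loss_at_least(risks, threshold):
    """Tail probability: chance the set's total impact reaches the threshold."""
    return sum(prob for total, prob in impact_distribution(risks).items()
               if total >= threshold)


def single_point_rating(risks):
    """The best one can do with one probability and one impact per item.

    probability = chance that any risk in the set occurs
    impact      = expected total impact given that something occurs
    Their product equals expected_loss(), so the pair carries no more
    information than that single number and says nothing about the tail.
    """
    dist = impact_distribution(risks)
    p_any = 1.0 - dist.get(0.0, 0.0)
    if p_any == 0.0:
        return 0.0, 0.0
    impact_given_any = sum(t * pr for t, pr in dist.items() if t > 0) / p_any
    return p_any, impact_given_any


if __name__ == "__main__":
    for name, risks in REGISTER.items():
        p, i = single_point_rating(risks)
        print(f"{name}: P={p:.2f} I={i:.1f} (P*I={p * i:.1f}), "
              f"expected loss={expected_loss(risks):.1f}, "
              f"P(loss>=100)={prob_loss_at_least(risks, 100):.2f}")
```

Both items come out with an expected loss of 20 and a single-point rating whose product is 20, but item_A can never lose 100 or more while item_B does so one period in ten. A register that stores only the pair of ratings cannot tell them apart; the full distribution returned by impact_distribution can.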

Risk Appetite. Along with the probability and impact ratings, one often sees a section about risk appetite. The idea behind this concept is usually that risks with a high probability and high impact require action, whereas lesser risks may not. You may have your own ideas about how to do this better and, indeed, this risk appetite approach is not strictly correct because it fails to consider the scope for mitigation. Fortunately, this is often reflected in the wording of the rules, which typically make the risk ratings a guideline, not an absolute rule.

Risk Factors. One useful technique that rarely comes up in official pronouncements on risk management and internal control is the use of risk factors. For example, when looking at a set of strategic initiatives to assess the risk of failure of each, it is helpful to look at factors that tend to drive the risk of failure. If an initiative scores badly on every factor, worry about its future, especially if those involved say all is well. (I have yet to see an official document that mentions this technique, let alone rules it out.)

Upside Risks. Most risk management standards are happily progressive in that they accept upside risks as well as downside risks. However, they often fail to treat upside risks properly, and this can cause problems if you are keen to integrate risk and potential opportunity management in one management process.

For example, in the draft COSO ERM guide, exposed for comment in 2003, upside risks could be identified but then had to be transferred into the strategy process and removed from risk management. This was a definite statement, not just a suggestion or example.

At first glance this looks like a fatal blow to progressive risk management. However, suppose your strategy process had risk management integrated into it, with both upside and downside coverage? Your upside risks could be transferred in a conceptual sense and so would be outside the scope of COSO ERM, but they could still be on the same documents and discussed at the same meetings.

The Top 10 Risks. Some regulations call for a list or discussion of key risks. A list of about 10 risks is usually considered appropriate. The problem is that risk register items are sets of risks, not individual risks. What makes it into the top 10 depends partly on how aggregated each risk set is. This undermines the whole concept of a list of key risks.

Fortunately, regulations tend to recognize the difficulties of saying that a certain list of risks (or risk sets) is the top list. Even if the regulations you are dealing with do require this, check if this aspect of your list has to be externally audited. It probably won't have to be.

There are some logical approaches to describing your most important risks. One is to divide all the risks your organization faces into about 10 sets, and discuss each set in your list of "top" risks. Another is to find some basis for equating aggregation. This can be done by looking at the units already recognized by your management structure or in management meetings.

For example, suppose the organization has 20 ongoing strategic initiatives and a meeting is held monthly to discuss them. It would make perfect sense to rate the risk of each initiative and allocate time in the meetings in accordance with its level of risk. This doesn't help with comparing strategic initiatives with other sources of risk, but illustrates the principle.

Forward Planning of Internal Control Development. Regulations on internal control tend to read as if controls are improved only when a deficiency has been identified. Of course controls are also improved in advance of new needs, but that is not usually part of the official requirements. If you want to focus attention on planning for internal control changes in advance, the chances are that the regulations that apply to your organization don't even mention it, let alone rule it out.

Linear Analysis. Finally, there's a subtle assumption in most risk standards and guides that seems so obviously sensible that it is easy to overlook its potentially damaging implications. Risk management is usually portrayed as a linear process starting, perhaps, with objectives and moving on through stages like risk identification, risk evaluation, and so on.

Real-life thinking is not so simple. We dart backward and forward along the analysis. Objectives can be influenced by perceived risks. There are times when we don't have clear objectives but what we do know about our objectives has to be the starting point, with detail on objectives coming later. The best way to cut up the risk sets can be influenced by the structure of the internal controls. All this is sensible and desirable, but does not fit into the simple linear scheme.

If the official description seems at odds with the reality in your organization, or you want to try alternative sequences, consider interpreting the guidelines as a structure for documentation rather than as a literal procedure for thought.

Summary

Risk management is an exciting field with vast scope for innovation. We should not let standards, guidelines, and regulations prevent us from trying new things. In this article I've suggested ways to find more flexibility in official pronouncements.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. This article does not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.