
Which comes first, risk or control?

January 24, 2020

I think the relationship between risk (what might happen to affect the achievement of objectives) and internal control (what you do to ensure things are done the way you want) is not very well understood.

Here’s my attempt to explain it.

  1. You have controls to ensure that risks (the effect on objectives of potential events, situations, actions, or decisions) are at desired levels. (Note that I said ‘desired’ instead of ‘acceptable’. There’s an important difference.) So you can’t know whether you have the right controls or that the system of internal control is effective if you don’t have a reliable understanding of the more significant risks to objectives today and for the manageable future. You may have a lot of controls that are working just the way you want. But are they the controls you need when the future is shifting and the risks have changed?

Conclusion: any assessment of the system of internal control is predicated on an assessment of the systems around the identification and management of risk (again, what might happen).

  2. You cannot have effective management of risk if you don’t have effective controls around their identification, treatment, and so on. The processes around identifying, assessing, and acting on risks (what might happen) include a number of critical controls. For example, if you rely on analytics to identify emerging risks, you have controls over the development and use of the analytics. If you rely on workshops to debate and assess the potential effects of likely events, you have controls over workshop attendance, conduct, and actions taken. If you have a potential for bad debt, you rely on controls over credit approval.

You fool yourself if you believe risk is at desired levels if you have not assessed and obtained confidence in related internal controls.

Conclusion: any assessment of the effectiveness of risk management depends on the assessment of related controls.

Can you assess the overall system of internal controls without considering risk management? I don’t think so, and neither does COSO. That is why there is a risk component in their internal control framework.

What you can do is provide an overall assessment of the system of internal controls as it relates to the more significant risks that were addressed by completed audit engagements.

Can you assess risk management without considering related internal controls? I don’t think so.

What you can do is provide an overall assessment using a risk maturity model (such as I describe in World-Class Risk Management) or indicate that your assessment is subject to the system of internal control being effective.

In World-Class Risk Management, I describe a number of risks to the effective management of risk. For example, the wrong people might be assessing a risk, or individuals might be influenced by their cognitive bias when assessing and acting in response to a risk. If there aren’t effective internal controls to address those risks to the management of risk, how can you assert that risk management is effective?

I strongly encourage both management and risk and audit practitioners to assess both their systems of internal control and of risk management (including, especially, the quality of decision-making) formally, every year.

Boards should demand such assessments, both from executive management and the CAE and CRO.

But, such assessments should recognize their interplay and mutual inter-dependence.

I welcome your thoughts.

  1. Sid Gale
    January 24, 2020 at 12:12 PM

    I believe the conclusion is tautological.

    As far as I know, the chicken/egg primacy has not yet been resolved by science. For the sake of argument, let’s start with the embryo: A perceived business opportunity. The nascent essence of a strategic control objective. It is conceived in a cloud of information and observations which are neither organized, complete or reliable. It is yet to be formed into something actionable called a strategy or business plan. But in its fragmented, coalescing origins, a perception of risks begins to evolve. Let’s call it ‘original risk’; as in the perceived threat of the Original Apple.

    From that beginning both objectives which will determine directive controls, and risks which will motivate preventive controls, emerge and hopefully proceed forward, hand in hand.

    The rest, as they say, is iterative. The process repeats itself as the enterprise evolves. But the perception of opportunity and associated risks precedes the implementation of controls to address them.

    But there is one dynamic in which control precedes risk. Once a body of controls is implemented, particularly monitoring controls, they become the baseline for identifying unknown risks; the risks that were not anticipated in the prior control design and evolution because they were not knowable, but have evolved or been injected into the operating environment. In this scenario, control precedes risk identification.

    This is why I prefer to refer to monitoring controls as ‘evaluative controls’ and not the old fashioned ‘detective controls’. A deviation from plan is not necessarily bad, though unexpected. It may be an opportunity if properly understood.

    • Norman Marks
      January 24, 2020 at 1:32 PM

      How do you know about opportunities? They are simply more things that might happen, and you have controls to ensure they are identified and so on.

      How do you know you set the right objectives? You understand risks to strategy-setting and have controls to address them,

      Chicken and egg and chicken and chef

      • Sid Gale
        January 24, 2020 at 1:57 PM

        Serendipity occurs in the absence of control. Not because of control. And it is the basis of much business opportunity. And that’s cool. Never turn one’s back on good luck. Next best thing to skill, and probably more dominant than many highly paid executives would care to admit.

        3M Post-it notes and Corningware and God only knows what else were accidents; not controlled design evolutions. Subsequent controls made them profit streams, once inquisitive scientists recognized the potential of the unanticipated.

        Control is something that we rightfully strive for. It is the essence of management. But a too frequent conceit of management is that it thinks it has more control than it truly has. That conceit is the essence of post mortems in the business press. We-Work? Uber? Wells Fargo? Boeing? Theranos? PG&E? Enron?…..

        • Tom Wilson
          January 27, 2020 at 5:06 PM

          Actually the egg came first – just it wasn’t an egg laid by something you would recognise as a chicken (because that’s how evolution works)…and thus might actually illustrate your serendipity comment?

  2. David Michael
    January 24, 2020 at 12:56 PM

    Internal control is noted. What about externalities in the control? Having just experienced in Australia the most damaging bushfires and drought in more than 100 years, how can ‘internal controls’ be used to improve enterprise resilience to such extreme, almost ‘black swan’ styled events?

    • Sid Gale
      January 24, 2020 at 1:16 PM

      The question is valid, though the example is flawed. In the case of Australia fires, there was precedent for which contingent plans (controls by another name) should have been in place. The current fires are severe, but with plenty of precedent, and made worse by national management’s refusal to acknowledge their causative dynamic.

      Alternative examples might include the unknown health and environmental impacts of 5G technology; AI and sentient systems controlling health, environmental safety and security; unknown and undetected microbes hitchhiking on mined minerals from asteroids (the extraterrestrial equivalent of invasive species from China hitchhiking on the keels of freighters and inside containers).

      Fun stuff ahead. Imagination required.

  3. Norman Marks
    January 24, 2020 at 1:36 PM

    PS, which comes first?

    Understanding what might happen, then
    Setting objectives, with the discipline of controls over the strategy-setting process, given an understanding of risks to that process

    So risk, but then it gets confusing.

  4. Grant Purdy
    January 24, 2020 at 3:50 PM

    Who cares which came first?

    When you make a decision it is based on facts and assumptions. Some of those may concern internal aspects of the organisation. Then you consider the options, which might involve taking steps to improve your confidence that the outcome you desire is certain enough. This might mean new ‘things’ or actions, or just monitoring that the outcome you want actually happens and that the assumptions or facts on which your decision was based have not changed significantly.

    And notice, no nasty jargon words like ‘risk’ or ‘control’ that scare and confuse normal human beings. So we don’t have to argue if a ‘control’ is a process or a ‘thing’. We don’t have to argue if a thing can be a ‘control’ if it’s not actually modifying ‘risk’ (duh!). We certainly don’t have to argue if an opportunity is just “a time or set of circumstances that makes it possible to do something”, as normal people think, rather than the wacky idea that it is some kind of ‘negative risk’ (ugh!) that some sad souls cling to.

    I’ve now wasted 10 minutes of a beautiful Saturday morning here in Australia when, I am sure, we could all find something more useful to do than arguing over arcane language that really doesn’t matter to anyone but ourselves.

    My challenge to everyone who reads and contributes to this blog is to ask yourself:
    a) whether normal people would understand what you are saying in the language you are using;
    b) do they care anyway?

    If the answer to either question is “no”, then maybe find something more useful to do with your time – so that you help people make better decisions, if you wish.

  5. January 25, 2020 at 1:24 AM

    Norman, I’ve been looking at the relationship between risks and controls from the point of view of an internal auditor for many years (www.internalaudit.biz). My conclusion:

    Organisations have objectives
    The achievement of these objectives benefits from opportunities but is hindered by risks.
    The likelihood and impact of opportunities and risks is improved/reduced by processes referred to as ‘controls’.

    The important point for internal audit is that these opportunities and risks are those identified by management (with the assistance of ‘risk managers’ if available). They are not a separate list of risks dreamt up by internal audit. The IIA paper mentioned in your last blog (and many others) clearly hasn’t grasped this, since there is still talk of IA ‘liaising’ with risk management, as though it’s an option. There is still no clear guidance to internal auditors on the source of the risks they should be considering.

    In answer to Grant: No, normal people wouldn’t understand what I have written. But they don’t need to, just as I don’t need to understand everything a doctor writes. Do they care? If they are investors, or taxpayers, yes.

    • Norman Marks
      January 25, 2020 at 6:19 AM

      Yes, but..

      How do you set objectives? Only after considering what might happen.
      How do you do that? You have controls to address the risk of getting the risks wrong.

    • Grant Purdy
      January 25, 2020 at 2:41 PM

      Well David (I think it is),

      If normal people (in other words, the people who make decisions that enable organisations to achieve their purpose) can’t understand what you are saying, where is the value in it?

      Believe it or not, internal auditors and risk managers are not there just to talk to themselves. They are (only) there to help people make better decisions.

      And as for the language you use – well I don’t agree with the way you describe ‘risk’, ‘controls’, ‘objectives’ or ‘opportunities’, so our conversation is pretty useless too. In fact, most specialists can agree what those words mean. They are no-sense jargon.

      Internal audit and ‘risk management’ have become belief systems, where we have lost sight of their purpose and they have become self serving, with their own language, rituals, cults and high priests. As a friend of mine often says: “if internal audit or risk management is the answer, what was the question?”

      I can only quote Humpty Dumpty:

      “When I use a word,” Humpty Dumpty said, in rather a scornful tone, “it means just what I choose it to mean — neither more nor less.” “The question is,” said Alice, “whether you can make words mean so many different things.” “The question is,” said Humpty Dumpty, “which is to be master — that’s all.”

      I think we have forgotten who the ‘master’ is here. I’ll give you a clue. It’s not us!

      • Grant Purdy
        January 25, 2020 at 4:30 PM

        I should have said: “most specialists can’t agree”.

        For example taking what you said, “opportunities” are not the opposite of “risks”, controls are not processes, they are things that modify risk, etc. Have a look at ISO 31000 – the language there is quite different to what you use!

        And anyway, what does ‘risk management’ or ‘internal audit’ mean? And who cares – apart from us who follow a particular form of ‘religion’?

        But who is to say which is right? We could spend days debating this, set up committees and working groups, meet up in exotic locations around the world – and it would not matter one iota to normal people who just want help to make better decisions where there is greater certainty of their desired outcomes!

  6. Roger Estall
    January 25, 2020 at 5:30 PM

    Norman, the brutal and inescapable reality of what Grant says about the uselessness of the word ‘risk’ (useless, because there is neither agreement about meaning nor about use) and ‘control’ (ditto) becomes very evident from the premise of your post. You see, whatever it means, the risk is the risk, and it is what it is because of the sum of the related uncertainties as they act on the certainty of the outcomes that will flow from the decision.
    That the extent of uncertainty may in part be the result of one or more optional components of a decision (components that you choose to call ‘controls’), such control cannot exist independently of the risk as your post implies. If it is there, the risk is as it is, and if it’s not, the risk is different and the ‘control’ is irrelevant.

    • Norman Marks
      January 25, 2020 at 5:37 PM

      That’s why I say that ‘risk’ is a new 4-letter word, that we should try to avoid using the word, and I wrote Risk Management in Plain English

  7. Roger Estall
    January 26, 2020 at 1:34 AM

    Sage advice Norman ….. except, perhaps, for the following two small points:
    1) Saying that we ‘should’ avoid the use of ‘risk’ seems a bit like advising that people ‘should’ avoid heroin. But what are heroin addicts to do with that advice? Only use it Mondays and Thursdays? (I jest!)
    2) The other point (not to be carping) is that (irrespective of the number of letters) if ‘risk’ is an inherently meaningless and thus useless word (which I infer you agree is the case) how can a book about ‘risk’ management have meaning – irrespective of whether it uses plain or obscure language? Just asking!

    • Norman Marks
      January 26, 2020 at 7:14 AM

      I hope the book has value in explaining how it is possible to run the organization using only plain English, not the r-word.

  8. January 26, 2020 at 1:38 AM

    The general conclusion is that ‘risk’ is not understood by ‘normal’ people and no one can agree on a definition. I disagree. Normal people understand exactly what a risk is, they just don’t understand what an ‘effect on the uncertainty of objectives’ is (ISO definition). That’s why the definition I use in my books is, ‘A risk is a set of circumstances that threaten the achievement of objectives’. Still jargon I admit but more easily explainable: You have a two year old child that is now walking. Your objective is to keep them safe. One set of circumstances that threaten this objective is that they run into the road. One way of managing this risk (a control) is to hold their hand tightly. (Other controls are desirable!)

    Grant, you make the point that, ‘If normal people (in other words, the people who make decisions that enable organisations to achieve their purpose) can’t understand what you are saying, where is the value in it?’ I would argue that these are not ‘ordinary people’. They are people paid (in some cases paid very well) to make decisions and in that context should understand what a risk is. Let’s not forget that the law in many countries requires them to report on the risks facing their organisation.

    Norman, you ask, ‘How do you set objectives? Only after considering what might happen’. I don’t agree. I think people set objectives because they have desires (‘I want to expand this company’) or because circumstances force them (‘My child is now walking’). The achievement of these objectives is threatened by risks which may result in the objective being abandoned. There is a risk that all potential risks are not identified. That is why the audit methodology I suggest in my books starts with an examination of the process that management used to identify risks.

    I have argued before in these blogs that every living thing understands risks, otherwise they would have been eaten (or knocked down by a car). If risk managers don’t understand risk, does this make them a threatened species?

  9. Roger Estall
    January 27, 2020 at 6:04 PM

    I’m not too sure what makes a person ‘normal’ but whatever it is, there can’t be many of them as I can truly say I have never heard anyone attach the label ‘risk’ to ‘a set of circumstances that threaten the achievement of objectives’ which is not to say that you are either right or wrong to do so, but it does rather make Grant’s point because, you see, others attach that label to other notions and in doing so, they too are neither right nor wrong, but are entitled to do so.
    The point that Grant makes – which seems pretty obvious – is that any word that doesn’t mean the same thing to everyone in a conversation has no utility value. Any thought that there could be a universal meaning of the word – for example, because you (or ISO or anyone else) assert that this should be so – is surely a bird that has long since flown. It is too late. Which raises the very obvious question, why attempt to do the impossible? Who needs the word? If for some reason you want to write about ‘a set of circumstances that threaten the achievement of objectives’, well, go right ahead, although I must say that even in your explanatory examples (where you seem to conflate the meaning of ‘objectives’ and ‘circumstances’), it is far from clear to me what you are talking about.

  10. January 31, 2020 at 3:10 AM

    We cannot ignore the word ‘risk’. ‘The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.’ (Principle O, UK Corporate Governance Code 2018).

    So we need to tell the board what a risk is. I would hesitate to tell them it’s ‘The effect of uncertainty of objectives’ or ‘a set of circumstances that threaten the achievement of objectives’. Most ordinary people would say a risk is ‘something nasty which happens when you least expect it.’ But they would probably say that internal audit are ‘a bunch of people from Head Office who burrow about trying to find something that the real workers have done wrong’.

    Perhaps these definitions are more realistic.

    • Norman Marks
      January 31, 2020 at 6:28 AM

      David, we need to appease the regulators.

      But we also need to run the business for success.

      I prefer to throw out the r-word and use plain English: what might happen. If we make intelligent and informed decisions that consider everything that might happen, we will be managing ‘risk’ on the way to achieving our objectives.

      • January 31, 2020 at 6:52 AM

        I disagree with you on only one point, Norman. The risk workshops I have attended with ‘normal’ people (to use Grant’s phrase) indicate that the word ‘risk’ is plain English and they have no trouble considering everything that might happen. On the other hand, I have experience with regulators who don’t understand the word risk.

        • Norman Marks
          January 31, 2020 at 6:53 AM

          Do they see risk as something bad or just something that might happen, which can be good or a combination of good and bad?

          • January 31, 2020 at 7:01 AM

            The risk workshops were part of project management. I’m afraid the way we ran them did consider risks to be something bad that might happen to the project. Were I to run them again, I would emphasise the need to look for both risks and opportunities.
