Strengthening Corporate Governance Using a Risk-Intelligent Framework

Moving from Reactive to Proactive Risk Management

In 1990, Dwayne Jorgensen’s “Hierarchy of Internal Control Needs” was first published -- a pyramid that represents the different stages of maturity in risk management and controls.

At the bottom of the pyramid is the “Compliance” stage at which organizations manage risks and controls in order to comply with specific regulations, as well as organizational goals and objectives. At the next “Operational” stage, organizations have moved a step higher, and are now trying to proactively fix risk issues, so that they don’t recur. Organizations reach the “Consultative” stage when they strive to understand and learn more about their risks and how to effectively manage them.

The highest stage is that of “Control Self-Assessment” where an organization has reached such a level of risk awareness that they are constantly analyzing their risk universe, identifying new and emerging risks, determining which of those risks are important, and then managing and mitigating the risks in a timely manner. This stage of proactive risk management is when organizations achieve a truly high level of good governance, and start to benefit from it.

Many thought-leading organizations, at this point, also focus more on the “spirit of the law” rather than the “letter of the law” when it comes to regulatory compliance. They understand what governance is really about, and they educate their employees to effectively prioritize, mitigate, and document risks. As a result, these organizations have a much better control environment than most others.

In 2004, two new foundational layers were added to the Hierarchy of Internal Control Needs pyramid – “Objectivity” and “Independence.” These layers indicate that for governance to work effectively, there have to be independent and objective auditors who periodically evaluate the risk and control framework, and ensure that the organization hasn’t become complacent in risk management. These processes are performed both internally (by Internal Audit functions) and externally (by CPA firms): internally as a function independent of operating management, and externally for regulatory reporting and external public confidence.

That being said, auditors are not responsible for implementing the risk-control framework or ensuring good governance. Those are the responsibilities of the Company Owners or Board of Directors and the management team. They need to set the “tone at the top,” understand the organization’s risk appetite, and establish the appropriate controls.

 

Getting the Most Out of the COSO ERM Framework

When it comes down to risk management and governance, many industry experts believe that the best framework out there is COSO. Notably, COSO treats internal controls not as a one-time effort, but as an on-going process or journey.

Based on the COSO ERM framework, risk management is:

• Effected by people (not merely policies or surveys)
• Applied across the enterprise at every business level
• Designed to manage risk within the organization’s risk appetite
• Designed to provide reasonable assurance of risk control to the management and board

For companies setting up the COSO framework for the first time, the key is to:

• Conduct an initial risk assessment, using the COSO model to define and categorize risks (e.g. strategic risks, operational risks, compliance risks)
• Determine which key risks should be mitigated
• Document those processes
• Test the effectiveness of the processes through auditing, and then remediate issues proactively
• Finally, ensure periodic risk reporting, both internally and externally

Don’t try to execute this approach across all your organizational processes at one time. Pick a key business process as a pilot or trial, and run the above methodology through it. Work with external auditors to determine if the approach you have chosen is satisfactory. If it is, then implement it through all the processes in the organization.

If you already have a control framework, you might do well to assess which stage of maturity it falls into:

• Initial stage: Control structure is not defined. Controls occur incidentally.
• Repeatable: Control structure is not defined but control processes may occur based on past successes and management oversight. 
• Defined: Control structure is documented, standardized, and integrated into control processes.
• Managed: Control processes are regularly assessed and tested. Detailed measures of the control process are collected and reported.
• Optimized: Continuous process improvement is enabled by quantitative feedback from the control process.

As you proceed through these five stages, the predictability, effectiveness, and efficiency of your internal controls programs will improve greatly.

 

Delving Further into the Risk-Based Approach

In addition to the Risk Pyramid referenced earlier, Mr. Jorgensen has pioneered an effective program for identifying and mitigating key risks, which has been used by many companies since 1990, both small and large, public and private. Here are some additional practices from Dwayne’s program to keep in mind while managing your risks and controls.

First, determine executive management’s strategies, goals, concerns, and objectives, so that you can better understand the associated risks. Then, define your risk universe, classify your internal and external risks, and map them to key controls, as well as management objectives.

The next step is to assess your risks both qualitatively and quantitatively, and measure their severity and likelihood. If applicable, obtain an external auditor’s assessment of your risks and controls. Also, talk to business unit level managers to discover any new or emerging risks that you might have missed.

Define a model of risk factors that are relevant to your organization. Weigh risks based on these factors, and review the scores with management and process owners.

Finally, direct audit resources to the areas of highest risk, and constantly remediate any issues that arise.

 

How Technology Can Help

Technology plays an invaluable role in building an effective risk management and governance program. Many organizations leverage software solutions to minimize risk inconsistencies and silos, and to establish a single risk taxonomy and culture across the organization. Others use sophisticated reporting tools and analytics to transform risk data into valuable business intelligence.

Apart from these capabilities, technology can also help streamline and automate risk management workflows. In fact, at every stage of risk management, it acts as a significant enabler:

Risk Identification: Some software solutions provide the ability to define and maintain a central risk register where you can capture and categorize risk, assign risk owners, and determine risk severity, impact, consequences, and rating. You can also create a centralized data model of organizational risks that are tightly mapped to the corresponding controls, regulations, policies, business processes, units, control evaluations, issues, and action plans, as well as business objectives. The result is better risk visibility, and greater ease in managing changes to regulations, risks, or business processes.

Risk Assessment and Analysis: Most organizations use technology to automate risk assessments, score inherent and residual risk, and conduct what-if scenario analyses. Through powerful dashboards, stakeholders can correlate, analyze, and visualize risks to determine areas of concern and opportunity. Many software solutions also help define risk thresholds, and monitor KPIs and KRIs. Automated alerts indicate when thresholds are breached.

Risk Monitoring and Reporting: Technology offers a highly structured and standardized method of reporting risk results. Risk reports, heat maps, dashboards, and charts can all provide real-time risk information, enabling you to stay one step ahead of new and emerging risk areas. Drill-down capabilities allow you to study the risk data at finer levels of detail. You can also slice and dice the data to proactively analyze risk trends and statistics, and make informed decisions. Some solutions go a step further and offer advanced risk modeling capabilities and analytics to help you effectively anticipate and mitigate emerging risks.

Loss Event Management and Issue Remediation: In many organizations, technology simplifies the process of capturing loss events, issues, and risk exposures across multiple lines of business. It also helps streamline loss investigations and corrective action.

 

Conclusion

If we want to prevent another Enron-like scandal or a repeat of the recent global financial crisis, it is imperative that we take the steps now to build stronger, more risk-aware corporate cultures. Risk management is no longer just about complying with regulations. Instead, it’s about consistently identifying, managing, mitigating, and documenting risks – using frameworks such as COSO – so that we are able to build better governed and more resilient organizations. Let’s leave the corporate failures, scandals, and recessions where they belong – in the past!