Question asked by Web User
(part 1 of 2) I have worked with A-123 and Internal Controls for years, but now I am hearing a lot about ERM. Isn’t this just a more mature way to implement internal controls? After all, the GAO Green Book states that internal control is a process “…that provides reasonable assurance that the objectives of an entity will be achieved.” Is this the same as saying risk is well managed?
AFERM Experts Say...
The distinction between internal control, risk management, and ERM is often a point of confusion. In translating a definition into a working concept, it is often important to understand the application of the concept, and what words in a definition might be lacking to further explain the concept. To start, the full GAO Green Book definition of internal control is:
“…a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. These objectives and related risks can be broadly classified into one or more of the following three categories:
• Operations – Effectiveness and efficiency of operations
• Reporting – Reliability of reporting for internal and external use
• Compliance – Compliance with applicable laws and regulations”
In each of these cases, processes and procedures can and should be set in place to achieve operational results, allow for appropriate reporting, and do so while ensuring compliance with applicable laws and regulations. Internal control is indeed important to developing reasonable assurance that the applicable processes will operate as designed and achieve the desired objectives.
However, what is unstated in the Green Book definition is that organizations can have objectives outside of these three categories. Any choice of a future action typically entails risk. Those choices extend far beyond the execution of currently implemented business processes, and include any decision for future action not dependent on an existing process.
Let us agree for purposes of this explanation that risk is the uncertainty of achieving objectives, and risk management is that set of activities used to assess and control risks to acceptable levels that contribute to maximizing stakeholder value. We manage risks in part by choosing to treat risks through one of the following options: acceptance, avoidance, transference, or mitigation. If our choice is to mitigate a risk, we are looking to take action through an internal control to reduce either the likelihood that a risk transitions into an adverse event, or the impact of that event, or both. This internal control can be placed on an existing process (if the process is in operation), or prospectively if the process is being designed or otherwise intended for future implementation. Internal controls are thus a means of lessening the risks to business processes.
Based on this description, internal control is clearly an important element of risk management. However, there are aspects of risk that are not addressed by internal control. Many risks occur outside the control of the organization (e.g., the likelihood that a federal agency will be allocated its requested budget by Congress). Other risks arise from plans that are made well before processes are designed or put into place to deliver products or services in accordance with those plans (e.g., strategic planning options). Internal control cannot be applied to future trade-off considerations when there are no processes to control. While internal control may not be an option for managing some risks, that does not make the risk in those various trade-offs any less important.