What thoughts do you have on rationalizing and aligning the concepts and terminology of the internal control community with the risk management community?

Rationalizing and aligning the concepts and terminology of the internal control community with the risk management community is an ongoing challenge for many in the public sector and beyond. This is in part because these two communities come from a history relying on similar terms to mean different things.

Take for example the concepts of inherent risk and residual risk. The GAO Green Book—the “rulebook” for internal control in the US Federal government—defines inherent risk and residual risk as follows:

• Inherent risk is the risk to an entity in the absence of management’s response to the risk.
• Residual risk is the risk that remains after management’s response to inherent risk.

In the internal control community, these definitions are typically thought of as the risk prior to implementing internal control (inherent risk) and the risk after implementation of internal control (residual risk). However, from a risk management perspective, there are multiple problems with these definitions. First, what exactly is “the absence of management’s response to the risk”? Good process design should inherently consider what might not operate as planned in a process, and then design the process in a way that considers the possibility of not achieving the desired result.

For example, on a semi-automated factory assembly line, the assembly process considers how parts are to be moved along the line toward final assembly, how to reduce random variation in the process to gain stability over a quality output, when to have human intervention to minimize variation or to even temporarily stop the assembly process, etc. At what point are controls being “added”? Even more to the point, after the assembly process has been fully designed and implemented, how much of the designed-in process controls do you remove to be able to assess the inherent risk? In the assembly line example, internal controls are not added to a process that first has no controls, but are instead designed into the process from the very start. There is no meaningful basis to assess an inherent risk as might be practiced by auditors in looking at, for example, the risk of inaccurate financial reporting.

While this assembly process was chosen to highlight the problems in meaningfully defining inherent risk, that problem remains with any process, whether it be something as straightforward as the employee pay process, or something never attempted before, such as a NASA interplanetary mission.

What may be an even more important question from a risk management perspective is what the value of such an exercise is. From a risk management perspective, there are two points of risk measurement that are important. The first is our current level of risk given existing controls, while operating within the current external and internal environment. The second is our targeted level of risk.

Our current level of risk should be compared to our risk appetite—that level of risk we are willing to accept in order to appropriately balance considerations of opportunities and threats. That comparison will tell us whether or not the risks we are in reality accepting are within that level we have agreed are appropriate to accept. Artificially removing from consideration existing internal controls to evaluate inherent risk is not a useful exercise in understanding our current level of risk with our current controls.

However, in addition to our current level of risk, another consideration is the level of risk we are targeting to be at in the future. We may seek to move from where we are today in order to reduce threats or go after greater opportunities. In either case, we need to understand current risks, targeted future levels of risks, and actions we plan to take to move from where we are today to where we wish to be in the future.

The new A-123 moves a step in the right direction by defining inherent risk as “…the exposure arising from a specific risk before any action has been taken to manage it beyond normal operations.” (emphasis added). This modification of the GAO definition would suggest that OMB requires agencies to understand their current risk (i.e., that which is reflected in “normal” operations), and then to address how that level of risk might be further acted upon by the agency to reach a new level of risk (i.e., future residual risk). This minor tweaking of the inherent risk definition by OMB may help facilitate the needed discussion between the internal control and risk management community to provide an effective and value-added risk assessment and monitoring process.

While these comments have focused on inherent risk and residual risk, they are but a reflection of a need for a broader discussion of concepts and terminology between practitioners of internal control and the broader risk management community. The two communities need to develop a common understanding of how the two concepts fit together in achieving organizational success.
