How do you consider existing controls in establishing the likelihood of the risk? Are risk responses by default internal controls?

Posted By AFERM, Thursday, September 20, 2018
Updated: Monday, November 25, 2024

AFERM EXPERTS SAY...

To answer the second question first, risk responses are not internal controls.  Industry professionals know that agencies identify risks, develop risk responses, and then implement internal controls.  If risk responses are not internal controls, then what is the relationship between the two?

Internal controls ensure that the objective of a risk response is carried out effectively.  When comparing risk responses and internal controls to the construction of a building, one could say that the risk response is more of the “blueprint” or “architectural diagram” and the internal control is the “engineered solution.”  Internal controls ensure the execution of the risk response.  In addition, the relationship between risk responses and internal controls can be one to one, or one to many, and in some rarer circumstances, many to one.  One risk response could be affected by one internal control or by several.  Multiple risk responses could be affected by one internal control if the risk responses are very similar or if the internal control is complex and multi-faceted.

Now, what happens if an organization already has internal controls, and how is that considered when establishing the likelihood of risk?  There are three parts to this process.  In part one, “inherent risks” are identified based on risk impact (calculated using probabilities of incidence and severity), assuming a world without controls.  In part two, the agency develops a risk response, applies an internal control, and re-measures, which leads to “controlled risk.”  In part three, agencies measure the risk impact and/or output over time given the implementation of the control to determine if there is any “residual risk.”  As such, internal controls become very important in parts two and three when establishing the likelihood of risk.
