How can you improve your risk management and internal controls?

Guest Blog by Spencer Pickett of Business Controls Training

Conducting Internal InvestigationsA quick search of the internet will pull up tons of material on risk management and internal controls, to help you improve your business. All organizations, be they private sectors, not-for-profit or public sector bodies have to adhere to whichever set of governance codes they fall under. One example is the UK Corporate Governance Code that is published by the Financial Reporting Council for listed companies that either have to comply or explain why not. The Sept 2012 version includes code C.2.1 which states:

‘The board should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls.’

So, we have the codes and we have a good take-up, which means everything should be fine. But if you want to improve your risk management and internal controls, you will want to find out if your workforce needs any more training in this topic. I recently carried out a very informal experiment to see if I could spot any obvious room for improvement in the way business risk is being managed. One rainy winter evening, I scanned the Times Newspaper (16th January 2014) and extracted the following snippets of information:

  • Front page: Hundreds of teachers accused of sex crimes.
  • Police crime figures gave been stripped of the official quality assurance mark by the statistics office after recent claims they were fiddled.
  • US investigators interviewed staff at Citigroup in London as they stepped up an inquiry into alleged maniputaion of foreign exchange markets.
  • News page 15: Staff at a care home tied a grandmother to a chair to stop her wandering, according to a report that said more than a quarter of families had claimed that relatives had suffered poor treatment in care homes or by carers in their own homes.
  • Page 18: The official regime of four-yearly inspections is failing to ensure the welfare of animals in Britain’s 300 zoos and animal parks, a study has found.
  • Page 21: Liberal democrat women reacted furiously last night after the party announced that it would be taking no further action against a peer accused of sexual harassment.
  • Page 23: In a ruling late on Friday night, which has received relatively little attention here, the appeals court in New Orleans ruled that the settlement reached by BP in 2012, hours before the trial over the disaster was due to start at the New Orleans disctrict court, should stand – even if it meant that people and businesses who have suffered no loss due to the oil spill will benefit.
  • Page 28: Solid gold bathroom fittings, a fraudulent mausoleum and a vast subterranean cache of booze have brought down one of China’s most powerful generals and caused the People’s Liberation Army’s worst corruption scandal for years.
  • Page 30: Washington. The US military has suspended 34 officers in charge of launching nuclear missiles for cheating at a proficiency test.
  • Business page 36: On credit rating agencies. ‘The world has changed dramatically since the collapse of the US sub-prime market in 2008, which triggered the credit crunch. Jose Pocas Esteves, The ARC chief executive, said, ‘ARC and its five founding partners believe that the old methods and approaches are no longer sufficient for the post-Lehman financial sector landscape.’
  • Page 39: it has long been suspected that too many fund managers make too much from clients for doing too little. Now this theory is to be tested rigorously.
  • Law page 53: The RSPCA is one of the most popular charities in the UK… yet a key part of its activities (prosecutions) has seen its image tarnished. A series of cases has led to criticism that it is over zealous, and politically or financially motivated….The charity has now announced a review of its prosecution work…
  • Sport page 58: Bernie Ecclestone, the Formula One chief executive, is expected to face formal charges over secret payments to a German banker, it was reported last night.

The problem is that risk is something that just won’t go away and no one is exempt. My sample is a quick look at one newspaper on one particular day. Regulators act as referees and to slightly misquote the late, great football manager, Bill Shankly:

‘The problem with referees, is that they know all the rules but don’t always understand the game.’

We really need to get real since many employees ‘game’ their targets, their result and most of what they do at work to suit themselves. I can’t think of many people who put the needs of their employer above their own personal interests. Which means your improvements to risk management and internal control have to be set within the culture at work, to make any real sense. One way forward is to re-write the Corporate Governance Code to move away from an annual accountant-centric event that means very little to most people, to a more straightforward version. My suggested re-write of the code would be:

‘The board should establish a control strategy that is resilient in responding to the changing risk landscape and which ensures all employees retain key risks to acceptable levels through the design, implementation and review of sound controls. The control strategy should guard against fraud, waste, reckless behaviour, excessive caution, short-termism and suboptimal results; and be subject to on-going review and disclosed to shareholders on an annual basis.’

In this way we would hope to see four things firmly in place in all organizations:

1)      A board that takes responsibility for the risk culture in their organization.

2)      Management and teams who understand their key risks and the difference between acceptable and unacceptable behaviour.

3)      A suitable range of controls that help guard against fraud, waste, reckless behaviour, excessive caution, short-termism and suboptimal results.

4)      A transparent review process that ensures the above is happening.

If these four things are happening the hope is that there will be fewer headlines that undermine all kinds of organizations, and which ultimately damage the reputation of global economies. I asked whether there is a need to train employees to improve the way they manage risk and sharpen their business controls. I feel the answer is; ‘yes there is’ – which is why Business Controls Training will continue to develop a range of stand alone e-learning courses for

View our catalogue of Information Security and Fraud Courses

Keep up to date with what’s happening in the world of education, training and skills. Receive details of offers and newly launched courses, and tips on effective online and blended learning practise by signing up to our monthly newsletter. We guarantee not to sell or pass on your details and you can unsubscribe at any time.