Can Weak & Ineffective Controls Save You Money?
by William Hord
March 10, 2017 10:03 am
I was honored to speak last month at NAFCU’s Strategic Growth Conference about “Transforming Your ERM Program from Enterprise Risk to Enterprise Opportunities.” The topics covered were Risk Appetite Opportunity, Weak & Ineffective Control Opportunity and Effective Key Risk Indicators for Opportunity.
After the presentation, I appreciated the level of questions and comments that came from those in attendance. It was great having discussions across all three topics, but it seemed most of the questions were focused on the second topic, Weak & Ineffective Control Opportunity.
So, with that in mind I thought it might be good to share with you some of the highlights related to that topic.
First off, what is a Control in the context of Enterprise Risk Management (ERM)? In the simplest of terms, it is a business process mitigation activity designed to reduce or eliminate one or more risks.
As a business, you obviously have hundreds or possibly thousands of controls across your organization within every department. When those controls were first designed and put into place the probability was very good of them being strong and highly effective. However, over time as our business changes, process changes are introduced and therefore potentially new risks. If new controls aren’t introduced or existing ones properly evaluated the probability that those controls are still producing the same risk mitigation as originally designed may be impaired.
When evaluating process risk and controls I can’t tell you how many times I have heard the responses, “I don’t know” or “We’ve always done it that way.” When I’ve asked the question, “Why do you do it that way?” Which brings me to my first point, if the employee responsible for completing a control or set of controls to mitigate risk don’t understand why they do it, its effectiveness is going to be less than ideal. Additionally, in the absence of your control assessment how would risk management even begin to know if the employee can’t articulate its intended mitigation and therefore its perceived deficiency?
However, you generally only find out the answer to that question and others by sitting down and assessing the controls within your organization. My second point is how often are you really evaluating your controls to determine which ones are weak and ineffective to the point that they potentially elevate your process residual risk to levels outside your established risk appetite and tolerances?
Impacting Your Bottom-Line
When you begin to effectively evaluate your controls and determine which ones are weak and ineffective you can truly begin to have a positive impact on your organization’s bottom-line. This can easily be accomplished in a couple ways:
1. Can the control be automated? If a control is still relevant to reducing risk and the deficiency is tied to lack of understanding or lapses on the part of employees performing them, can they be automated?
You could train and counsel the employee(s) but that takes additional time and other resources to maintain and/or improve the control’s effectiveness. If the control can be automated a quick cost benefit analysis can be performed to show how the overall cost of automating the control may not only improve its effectiveness but save the organization resources and money over time.
2. Should the control be removed? If a control is still relevant to reducing risk and can’t be automated or the cost benefit analysis shows the ROI isn’t optimal, then can it be removed
A quick cost benefit analysis here can possibly show that the time it takes to complete the control and continually monitor and train to maintain its effectiveness far exceeds the benefit derived from the control. In this case, risk management can make the sound recommendation for removing the control and document its reasoning.
The Starting Line!
Several conference attendees asked me, “Where is the best place to start?” Well without a full understanding of your organization, its risk management practices and other factors it’s tough to say. However, a baseline place to start would be as follows:
1. Review your existing Control Library;
2. Sort your Weak and Ineffective Controls;
3. From those Controls start with the processes that have the highest level of Residual Risk;
4. Ask the employees responsible for those Controls:
a. “Why do you do it that way?”;
b. “Do you have ideas on how we can improve it?”
5. Begin your analysis
8. Automate and/or;
One of the last questions I got before leaving the conference was “Do you really believe that Weak and Ineffective Controls Save You Money?”
Of course they do, but only if you are effectively assessing them on a periodic basis. Otherwise, the money, time and resources you waste is never truly realized and your perceived risk mitigation is simply that…..a perception. When was the last time you evaluated your Controls?
ERM Strategy for Credit Unions – Podcast
by Dan Banning
October 12, 2016 09:10 am
In the latest installment of the NAFCU podcast series, “A 360 View of ERM,” Devon Lyon, Director of Education for NAFCU, asks ERM expert Bill Hord, Vice President of Enterprise Risk Management Services for Quantivate, tactical questions credit unions need to know in order to implement an ERM program structure strategically and successfully. (more…)
What Do You Really Need to Know About Zika Virus?
by Andrea Tolentino
October 05, 2016 10:10 am
Unless you have been living under a rock, you probably are familiar with the recent Zika virus outbreak that has been spreading across the globe through the bite of an infected mosquito. You may be asking yourself; ‘Does it matter?’, ‘Should I care?’, ‘What should I do to protect my organization?’. Disaster prevention, mitigation, and preparedness are some of the key roles a Business Continuity professional plays within any organization. Due to this fact, Business Continuity managers play a critical role in safeguarding an organization and countering the risks Zika (and other infectious diseases) pose. (more…)
Is an 18% Hit to Your Net Income Within Appetite?
by William Hord
August 26, 2016 10:08 am
18% Hit to Net Income
Yesterday the CFPB released the following statement: “CFPB Orders First National Bank of Omaha to Pay $32.25 Million for Illegal Credit Card Practices.” As I read this press release several things came to mind and maybe yours as well. I will break them down into 4 areas. (more…)
ERM Risk Quiz
by Dan Banning
August 08, 2016 11:08 am
With Enterprise Risk Management (ERM) getting increased attention in many organizations and across industries it is important to understand the various parts of an ERM program and how they affect the program overall. Proper implementation of ERM can facilitate better decision-making, increase efficiency, and enhance an organization’s risk control efforts to support critical Governance, Risk, and Compliance (GRC) initiatives. Effective ERM enables management to cope with potential future events that create uncertainty and helps management respond in a manner that reduces negative outcomes. (more…)
COSO ERM-Integrated Framework Update – Now Open for Public Comment
by William Hord
June 28, 2016 01:06 pm
On 6/14/16 COSO announced their much anticipated update to their ERM Integrated Framework. They indicated in their press release that “The update, Enterprise Risk Management — Aligning Risk with Strategy and Performance, is designed to address the needs of all organizations to improve their approach to managing new and existing risks as a way to help create, preserve, sustain and realize value.” (more…)
FFIEC Issues Statement on Cybersecurity
by William Hord
June 08, 2016 08:06 am
FFIEC Issues Statement on Safeguarding the Cybersecurity of Interbank Messaging and Payment Networks
The Federal Financial Institutions Examination Council advised financial institutions yesterday afternoon to monitor the risks associated with interbank messaging and wholesale payment networks. Coming just two weeks after a malware attack on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) breached 12 banks. The FFIEC stated “financial institutions should review risk-management practices and controls related to information technology systems and wholesale payment networks, including risk assessment; authentication, authorization and access controls; monitoring and mitigation; fraud detection; and incident response.”
If you haven’t already been assessing this process risk via your ERM program and/or your IT/GRC program, you should. Ensuring you have all the necessary controls in place to mitigate your risk and provide assurances to examiners and stakeholders is critical for such a highly utilized and trusted financial service.
Maximizing Risk Results
by William Hord
May 31, 2016 01:05 pm
Maximizing Risk Results: Combining Qualitative & Quantitative Risk Assessments
To bring value to our organization’s enterprise risk management is becoming increasingly more complex as we attempt to set strategy and objectives to strike a balance between growth and return related to risk. Boards and senior management are demanding more data from their risk managers to effectively set their strategy and objectives. It is incumbent upon us to deliver this valuable information in a timely, appropriate and objective fashion to help steer the organization’s success. (more…)
What’s Your Risk Culture?
by William Hord
May 27, 2016 10:05 am
When I have asked various industry leaders what does their Sales and/or Service culture look like and how is it effective they almost always perk up and deliver an enthusiastic and detailed account. However, when the same question is asked about their Risk culture I am usually met with pause, shrugged shoulders and generally at best a high-level “we do a good job managing risk everyday” type of response. (more…)
Regulatory Reform and a Sunday Drive
by William Hord
March 14, 2016 12:03 pm
It’s over, regulatory reform is finished and we can get on with the business of running our business, right? Not so fast Speed Racer. Wait a minute you ask? Aren’t we just about complete with implementing Dodd-Frank? Although that is true, unfortunately the stable landscape we thought would come from it is still just as rife with change as it has ever been. It appears Congress is very unlikely to repeal Dodd-Frank and the banking industry will begin to feel pressure from additional reforms related to money laundering, terrorism financing and cyber threats. Combine this with a new vigor to hold executives accountable for their governance failures both personally and sometimes criminally, and the road looks even more concerning. (more…)