I was honored to speak last month at NAFCU’s Strategic Growth Conference about “Transforming Your ERM Program from Enterprise Risk to Enterprise Opportunities.” The topics covered were Risk Appetite Opportunity, Weak & Ineffective Control Opportunity, and Effective Key Risk Indicators for Opportunity.
After the presentation, I appreciated the level of questions and comments that came from those in attendance. It was great having discussions across all three topics, but it seemed most of the questions were focused on the second topic, Weak & Ineffective Control Opportunity.
So, with that in mind, I thought it might be good to share with you some of the highlights related to that topic.
First off, what is a control in the context of enterprise risk management (ERM)? In the simplest of terms, it is a business process mitigation activity designed to reduce or eliminate one or more risks.
As a business, you obviously have hundreds or possibly thousands of controls across your organization within every department. When those controls were first designed and put into place, the probability was very good of them being strong and highly effective. However, over time as our business changes, process changes are introduced and along with potential new risks. If new controls aren’t introduced or existing ones properly evaluated, the probability that those controls are still producing the same risk mitigation as originally designed.
When helping organizations evaluate process risk and controls, I ask , “Why do you do it that way?” I can’t tell you how many times I have heard the responses, “I don’t know” or “We’ve always done it that way.” Which brings me to my first point: If the employee responsible for completing a control or set of controls to mitigate risk doesn’t understand why they do it, its effectiveness is going to be less than ideal. Additionally, in the absence of your control assessment, how would the risk management team even begin to know if the employee can’t articulate the control’s intended mitigation and therefore its perceived deficiency?
However, you generally only find out the answer to that question and others by sitting down and assessing the controls within your organization. Secondly, how often are you really evaluating your controls to determine which ones are weak and ineffective? You need to determine the point at which your controls may potentially elevate your process residual risk to levels outside your established risk appetite and tolerances.
When you begin to effectively evaluate your controls and determine which ones are weak and ineffective, you can truly begin to have a positive impact on your organization’s bottom line. This can easily be accomplished in a couple ways:
1. Can the control be automated? If a control is still relevant to reducing risk, and the deficiency is tied to lack of understanding or lapses on the part of employees performing them, can they be automated?
You could train and counsel the employee(s), but that takes additional time and other resources to maintain and/or improve the control’s effectiveness. If the control can be automated, a quick cost-benefit analysis can be performed to show how the overall cost of automating the control may not only improve its effectiveness, but also save the organization resources and money over time.
2. Should the control be removed? If a control is still relevant to reducing risk but can’t be automated or the cost-benefit analysis shows the ROI isn’t optimal, then can it be removed?
A quick cost-benefit analysis here can possibly show that the time it takes to complete the control and continually monitor and train to maintain its effectiveness far exceeds the benefit derived from the control. In this case, the risk management team can make the sound recommendation for removing the control and document its reasoning.
Several conference attendees asked me, “Where is the best place to start?” Without a full understanding of your organization, its risk management practices, and other factors, it’s tough to say. However, a baseline place to start would be as follows:
One of the last questions I got before leaving the conference was ,“Do you really believe that weak and ineffective controls save you money?”
Of course they do, but only if you are effectively assessing them on a periodic basis. Otherwise, the money, time and resources you waste is never truly realized, and your perceived risk mitigation is simply that…..a perception. When was the last time you evaluated your controls?