Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)

Column 2004 number 1
Embedded risk management should be easier

by Matthew Leitch

(This article first appeared under the title "The Matthew Leitch Column: Strip away the mystique: embedded risk management should be easier" in Emerald Insight's publication "Balance Sheet", volume 12 number 1, 2004.)

When you hear someone say "We need to embed risk management into the organisation" do you groan inwardly at the thought of more of those interminable workshops? If so you are not alone, but it doesn't have to be that way. Embedding should be easier, faster, and better.

There are two main interpretations of "embedding". One holds that risk management is the thought process you go through in a control risk self assessment or risk management workshop, where you identify risks, assess their possible impact, and say what you are doing, or plan to do, about the ones that seem important. Embedding risk management means taking that process and repeating it more often at more levels of an organisation. Consequently a project to embed risk management involves defining the one true pattern of thinking and rolling out training.

All this is very easy to do but persuading people it is a good use of their time is not. People who attend the workshops often enjoy the experience and say it was useful. It can be a safe opportunity to air issues and concerns. But that is not the same as saying they would rather do that than something else.

The other interpretation of "embedding" holds that risk management is something almost everyone does very often, in different ways at different times. A lot of risk management already is embedded so a project to embed risk management should:

The last point is important, for this is how you can reduce the overhead of audit and control risk self assessment.

Embedding involves expanding our concept of an internal control to include more intelligent, risk-based patterns of thinking, and involving managers, not just accounts clerks. Here are some examples to make things clearer.

Credit control

Though there are spectacular exceptions, most companies manage the risk that their customers will not pay. They have credit risk management procedures, often supported by computerised controls, which involve some intelligent, risk-based decision making, monitoring of risk factors, and layers of corrective action. They monitor the effectiveness of their credit risk management using statistics reported at least monthly. They review and improve their methods from time to time.

These elements - multiple procedures forming a system, risk-thinking, and continuous monitoring of effectiveness - are characteristic of efficient embedding.

Strategic marketing

In contrast, the theory of marketing has hardly been touched by risk management and good management of risk and uncertainty in strategic marketing planning is rare. This is dangerous as the risks involved can destroy a company.

Embedding risk management here involves identifying the risk management that's already embedded, like product portfolio management and test marketing, then working on the gaps. For example, there are simple techniques that take a few minutes to apply and work during planning to direct planning effort, then inform the plan itself. SWOT analysis can be made more forward looking. Estimates of revenues and profits can include uncertainty explicitly. There are also some sophisticated analytical approaches that may be of use to very large companies.


Somewhere in the middle ground lies project management. Increasingly, project managers hold workshops and maintain risk registers, but a lot of the risk management action is in estimation, plan structuring, feasibility studies, and continuous horizon scanning.

Rather than seeing risk management as a list of individual responses to individual risks it is easier, quicker, and more effective to see controls as an organised system designed to deal with uncertainties ranging from very specific, known worries to more general unknowns.

Considering areas of risk in more detail is a way to refine that system, shaping it more exactly to the demands of particular projects and programmes.

Shorter workshops

Risk workshops still have a place. They can be used to anticipate areas where internal controls work is going to be needed, they can give people a safe opportunity to air concerns, and they can be useful for identifying risks and actions.

However, they can be easier and faster. Many workshop and risk register designs suffer from a huge bias towards risk analysis and away from controls and actions. Time is consumed by listing more detailed risks and impacts than necessary and debating meaningless ratings of risks. It is controls and actions that should be prioritised, not risks. Besides, for the vast majority of risks and actions it is obvious if the action is worthwhile so it should only be necessary to look more closely at expensive actions whose value is unclear.

Being open minded about possible outcomes and thinking about their impact is important, but time must remain for discussing controls and potential control improvements.

Even if the workshop is primarily for control risk self assessment it makes sense to give proper attention to controls. As an auditor I often found controls that appeared to be operating and meeting a risk were too badly designed to be effective. For example, a finance director who insists on authorising all journals personally and therefore has to give more signatures than he can possibly have time to consider properly, or a numerical comparison that is too approximate to show up the errors it is supposed to detect.

Here are some tips for shortening workshops:


If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days.

Matthew Leitch - Author

About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website,, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher).
