Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)

"So embedded it's disappeared"

by Matthew Leitch, 8 November 2004



Is it possible to really embed risk management without it becoming invisible and then just fading away, forgotten?

If risk management isn't represented by dedicated documents and databases how can we verify it is operating? Is there anything we can do that's more convincing than just asking managers "Do you consider risk in all your planning and decision making?"

Yes. To see how it can be done we need to form a clear and detailed picture of what embedded risk management looks like. Certain characteristics are testable objectively.

In practice most organisations will have both types of risk management occurring to some extent.

Summary

The analysis below suggests the characteristics of genuinely embedded risk management, and the scope for objectively testing that risk management is truly embedded. The outstanding source of evidence, and the first thing to look at, is the extent to which the organisation's management information is accompanied by information about its uncertainty.

If "risks" are conveyed by separate reports and other management information can be reported as if exact and reliable even when it is not, then risk management clearly is not embedded in any meaningful sense.

Detailed analysis

| Not really embedded | Truly embedded | Potential for assessment |
|---|---|---|
| Timing | | |
| Runs on a calendar schedule (e.g. monthly, quarterly, semi-annually, annually). | Timing driven by events and project plans. | Limited because many risk management activities are not identified separately as such. |
| Infrequent. | Very frequent - even daily for some people. | Ditto |
| Takes between hours and weeks to do. | Takes between minutes and hours to do - though it is often hard to say how much as it is interleaved with other activities. | Ditto |
| Discrete activity. | An activity interleaved with others. | Ditto |
| The process moves through (up or down) layers of management in sequence. | Operates concurrently at all levels. | Ditto |
| Source | | |
| Rolled out from a central source. | Developed from what is there already in each activity of the organisation. (With help from central team.) | Good. But activity of central support team does not directly indicate activities of everyone else. |
| Innovation occurs centrally only. | Innovation locally. | Not so good. |
| Looks the same wherever done. | Looks different in different places because of adaptation to different needs. | Good, but involves identifying RM activities by studying documents or observing behaviours across different areas and activities. |
| Driven by a specialist function and a system. | Driven by the desire of managers/executives to excel. (Though with help from specialists.) | Not easy to assess. |
| Carried by procedure documents. | Also carried by education, training, and coaching of people to develop their personal management skills. | Good, but evidence of training etc is not proof of change to everyday behaviour. |
| Core ideas | | |
| "Something we do" | "The way we do things" | Not practical to assess. |
| A corporate process. | A personal skill revered and desired by management/executives. | Ditto |
| Success is seen in complete documentation. | Success is seen in the mental outlook, skills, and habits of managers/executives, and in the rate of appropriate use of risk-smart techniques. | Good, but requires study of documents and perhaps observation to identify use of risk-smart techniques. |
| Employees are rewarded for following the risk management procedure. | Employees are rewarded for excellent management of risk and uncertainty, including their conversational skills and ethic of openness. | Some potential if formally listed as an evaluation criterion, but might easily be ignored in practice. |
| Driven by compliance. In conversations managers and executives can talk openly about what needs to be documented versus what is best not mentioned for fear of alarming the auditors. | Awareness of uncertainty is a professional matter. Concealment of uncertainty is a serious ethical failing. You could not suggest or admit it to a colleague without a feeling of guilt. | Not something that can be assessed unless somebody is actually reprimanded for concealing uncertainty. |
| Techniques | | |
| Few techniques - sometimes just one. | Many techniques - as natural as possible. | Good, but requires survey of techniques actually used. |
| Lots of checking, documenting, and authorising. | Lots of risk-smart planning, learning, anticipating, and modelling. | Ditto |
| Mainly a check of current risks versus controls, or evidencing operation of controls. | Mainly planning and doing control changes to meet anticipated and newly arising risks. | Ditto |
| Emphasis on checking the work of others and documenting things that should be happening already. | Emphasis on skilful handling of risk and uncertainty in management decision making and planning means that for managers and executives the emphasis is on "my" work. | None. |
| Risk is considered when decisions are made, if at all. | Risk/uncertainty is considered throughout the development of plans and decision options, and used to develop those ideas and direct research and analysis. | Some potential for assessment, but only where consideration of uncertainty is documented. |
| Communicated by forms and/or databases. | Communicated by conversations and e-mail. | Not easy. Could survey e-mails for evidence of risk management. |
| Risk information is conveyed by separate systems, documents, or sections of documents. | Risk information is presented along with other information, since it is considered wrong to present uncertain information without its uncertainty being clearly presented at the same place and time. | Excellent potential. Risk information should be virtually ubiquitous and indirectly gives evidence of a lot of other risk related thinking. |
| Risk information is communicated upwards by one, or a very small number, of document channels. | Risk information is communicated upwards and downwards in almost every channel of communication, written and oral, so there is evidence of explicit consideration of risk in most documents. | Ditto |
| Conclusion | | |
| Arises separately from the more routine activities of internal control. | An extension of the intellectual top end of a traditional internal control system, so that managers and executives perform controls too, including thinking that identifies and manages risk and uncertainty. | None. |
| What is really embedded are certain risk responses only. | Risk responses and the thinking that leads to them are embedded. | None. |



© 2004 Matthew Leitch


About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website, www.WorkingInUncertainty.co.uk, and has written two breakthrough books. "Intelligent internal control and risk management" is a powerful and original approach including 60 controls that most organizations should use more. "A pocket guide to risk mathematics: Key concepts every auditor should know" is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher).
