Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)

What is attractive about embedded risk management?

by Matthew Leitch, 27 May 2004


Thank you

First, thank you to everyone who responded to this survey. This is only the start of an investigation that will have to move on to another phase to get answers to more questions, but this has been an intriguing start.


Most people think that embedded risk management sounds like a good idea. They feel it should be part of ordinary work, not something added on. It should be natural, easy, and helpful. What it should not be is a form filling exercise driven by a calendar schedule piled on top of their existing work. Embedded surely does not mean "bureaucracy done so often that it now seems like part of my normal job."

This simple survey asked people to make three choices, in each case between two alternatives. One alternative was an example of risk management being "added on" while the other was risk management being integrated into ordinary activities.

Respondents were asked to say if they were risk management specialists responsible for promoting risk management in their organisations.

Overall, the majority of the 41 respondents favoured the integrated options on all three choices. There were also differences between the risk management specialists and other respondents.

However, these results must be interpreted cautiously. The survey asked for only a small amount of data, the number of subjects who were not risk management specialists was just 12, the vast majority of the risk management specialists were almost certainly internal auditors (who can be expected to prefer interviews over form filling), and there are clearly many other factors besides how integrated something is that decide what people prefer. A more detailed study to analyse out these factors is needed.


The percentage of respondents preferring the integrated option in each of the three choices is shown in the following graph, divided between risk management specialists and others. In general the integrated options were more often preferred and non-specialists preferred them more, except that non-specialists did not like the idea of sending their documents to a central risk management function, even though it would have meant they did not have to create any new documents.

Non-specialists do not like the idea of being trained to use a database that requires them to describe their controls and then confirm they are in place and operating. Specialists weren't keen on this either but a few thought it preferable. The conversational approach is typical of internal audit work and its popularity in this survey may be because most specialists were internal auditors.

The following table shows the full results including the actual words used in the survey. (The words used if the respondent was not a risk management specialist were slightly modified e.g. instead of saying "Give training..." it said "Receive training...") In each case the integrated option is second. In the survey the order of presentation of each pair was randomly chosen.

| Choice | Options | % overall | % RM specialists | % other |
|---|---|---|---|---|
| Kick off | "Give training in how to use a web-based tool for confirming controls, that lists control requirements, including some specific controls (where possible), and requires various confirmations." | 17 | 24 | 0 |
| | "Hold discussions with managers on how risk and uncertainty are currently managed, where improvements might be made, and how evidence of it can most easily be provided for regulatory compliance." | 83 | 76 | 100 |
| Ongoing evidence | "Receive forms into a database confirming things are under control." | 34 | 28 | 50 |
| | "Receive electronic copies of documents from managers that have previously been agreed as providing evidence of risk management (e.g. KPIs, reports, meeting minutes)." | 66 | 72 | 50 |
| Business cases | "As part of getting approval for a plan/bid, people must complete a document, or section of a document template, that requires a list of risks and responses to those risks, and an overall summary of the level of risk involved." | 37 | 38 | 33 |
| | "People must follow a process for developing the plan/bid that involves a flexible but systematic exploration of the uncertainties involved, and uses that and other information to build the plan/bid, and forecast the range of outcomes to expect." | 63 | 62 | 67 |

(One respondent had no preference in the second and third choices and that respondent's responses have been omitted from these results.)

The survey also asked which approaches respondents had actually experienced and the results are shown on this graph.

Comments by respondents

The survey asked if the respondent had any other comments they would like to make about risk management audit evidence. Most respondents made no comment but some made interesting comments, which are quoted below.

"Matthew, I think this is good and the answers will reflect a mixture of where an organisation is on the journey to getting RM embedded or the extent to which they want buy-in or are just 'telling' people what to do and are at risk of getting inconsistent results.  Initially you'll need a discussion to sell the concept but later on line functions should use the tools and only have discussions with audit/RM staff as part of the review of risk management. Also you may initially receive forms and enter these yourself but later review the electronic submissions when the process is up and running. Autocratic organisations may like to tell rather than sell but will it work? On item 3 I personally feel that the creative entrepreneurial types who present the projects should need to submit a piece of paper or the risk assessment won't get done - too often I've been consulted on something that was going live and was considered too far advanced to stop (so it was safe to ask)."

"In a large company with several lines of business, I think it might be too difficult to set up web based training or a database to manage risks.  It seems to me that the web based training or database could provide some benefits in the overall process but I think that these tools would have to be too generic to be the main control in managing risk (i.e. what is required is some formal process with flexibility depending upon the types of risks that may be encountered)."

"An awareness amongst executives of business volatility should be imparted to reduce the level of risk."

"I am employed by a not-for-profit. Management and the audit committee are very keen to assume best practice processes and procedures but the education for a risk management approach is daunting, to say the least. I would imagine that this is not an isolated situation."

"Risk measurement, where financial matters are not involved at micro level but at the macro level, is really a task which most people do not know. They are of the view that only finances are the subject matter of risk and only those can be measured."

"Extremely difficult. Risks are always "LIVE" i.e. difficult to list down and ever changing. Be vigilant. Follow the policies to minimize inherent risks. For other risks, know and make an assessment of what kind of risks you can face. Even the remotest can happen, so cross your fingers and hedge."

Respondent profile

Responses were generated by a request on the AuditNet discussion list and AuditNet newsletter, a resource for auditors which is mostly used by internal auditors.

There were 41 respondents, comprising 29 risk management specialists and 12 others.

Slightly under half the respondents were from the United States of America. The countries of respondents are shown on this graph:

Further information

If you would like to analyse the original data yourself I can provide a matrix of the ratings given. The information will not allow you to identify respondents or their organisations.

Copies of the original survey are also available. Please contact me at

© 2004 Matthew Leitch


If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days.

Matthew Leitch - Author

About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website,, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher). more
