Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)

Seven frontiers of internal control and risk management

by Matthew Leitch, 15 February 2006

Frontier #1: More controls design and less audit & remediation
Frontier #2: Corporate risk management getting closer to internal control
Frontier #3: Better quantification
Frontier #4: Behaviour change beyond risk registers
Frontier #5: Risk management that targets psychological factors
Frontier #6: Risk and performance management merging through a causal model
Frontier #7: Technical risk register reforms


The corporate world, and government, increasingly look to internal control and risk management to give calm and reassurance. How ironic. These fields are so young, so chaotic, so muddled, and churning with change that they remind me of the Wild West. I can't decide if we're on a wagon train or caught up in a gold rush, but I do know we're still at the log cabin stage, that there are smartly dressed men who will sell you a tonic that cures anything, and that Coso is a bar maid working in the "Rogue Trader" saloon.

If you are working in this wild territory you're either a pioneer, or someone following someone else who is a pioneer - even though they may be trying to pretend they know exactly what they are doing.

If you are a pioneer, please read on, for these may be the next big frontiers for you.

Frontier #1: More controls design and less audit & remediation

A war is going on. A war between the quality movement, the previously dominant approach to process reliability (and efficiency), and the internal controls movement, which is gradually gaining ground. Perhaps this trend has something to do with the change in employment from manufacturing towards services, and financial services in particular.

It surely has little to do with technical merit. Although the internal control perspective has the advantage of risk thinking and explicit consideration of fraud risks, it is still far behind the quality movement on measurement and design engineering.

Why doesn't the internal controls movement have a thriving tradition of controls design? Simply, it is because the controls movement has been led by auditors, and auditors do not design. Indeed the few experiments in internal controls design have usually produced disappointing results, very slowly, because they applied audit techniques to design problems.

However, as quality and internal control gradually swap ideas, and as more and more money is spent on controls, people are beginning to spend more of that money on people whose job is to design and implement better controls.

Another driver is the deluge of "remediation" produced by projects to comply with section 404 of the Sarbanes-Oxley Act 2002. Some companies and their auditors have listed thousands of control remediation actions and too many of these have been poorly thought out. I predict a backlash that includes putting competent people in charge of controls improvement.

Also, it is becoming increasingly clear that the key to low cost compliance with section 404 is to design control systems that efficiently generate and capture evidence of effectiveness as they operate. This, perhaps more than anything, should be a reason to focus on skilled controls design.

Frontier #2: Corporate risk management getting closer to internal control

Over the last couple of decades the definitions of both "risk management" and "internal control" have become ever broader and now I see no worthwhile distinction between them. Perhaps that's not quite true in the definitions stated by influential guidance documents and standards, but it is the way more and more people are thinking.

However, risk managers and internal controls managers tend to have different backgrounds and preoccupations. Risk managers tend to be concerned with big, non-recurring risk events and often have insurance or engineering backgrounds. Internal controls people are more concerned with smaller, recurring, internal risk events and tend to have audit or accounting backgrounds.

Already this difference is breaking down and I have met operational risk managers in banking who seem almost equally interested in both routine and non-routine risks, and whose background no longer seems to have much influence on their approach.

There is also a technical reason for internal control and risk management coming even closer together.

While risk managers tend to be better at getting involved in the big business issues and talking with senior management about things that really concern them, the internal controls community is getting better and better at running a "system". The trend is towards documenting risks and controls in detail and using confirmations and self assessment to make sure every last control is complied with all the time.

Gradually people are seeing that the grinding power of the "system" approach can also be applied to the risks that management, even senior management, take. I have coined the phrase "intelligent controls" to refer to things that managers can do to manage uncertainty more effectively. Scenario planning, for example, is an intelligent control and a company can make a policy of using it, just as it would make a policy for doing bank reconciliations.

Frontier #3: Better quantification

It's ironic that internal controls thinking, despite being a movement led by the big audit firms (of accountants), has paid almost no attention to quantifying risks or the benefits of controls in a credible, mathematically competent, and data-supported way. Most assessments don't get past "high-medium-low."

This is a huge contrast to the quality movement, with its vast array of statistical process control techniques and its emphasis on measurement and on results.

However, as organisations spend more and more on internal controls they reach a point where intuition is no longer enough and reassurances that the work is worthwhile need to be backed up with facts.

Again, operational risk management in banks may be the leading edge of a trend towards better data gathering and quantification. Many banks have done a lot of work to measure operational risk. Some have also begun to look for statistically important relationships between potential drivers of operational risk and the events that result. Gradually intuition is giving way to a more scientific approach.

Frontier #4: Behaviour change beyond risk registers

The objectives of a risk register are to have better risk management and to confirm, by the risk-to-control mapping, that the main risks are covered. When risk managers begin introducing risk management systems in an organisation this is typically where they start.

Once that particular system is running smoothly they often get involved with initiatives to improve controls, such as injecting risk assessments into projects, working out procedures for business case approval, and developing policies for resilient sourcing.

They do this because, in practice, having a nice looking risk register is no guarantee that risk is being managed well. If managers still pretend to be more certain than they really are (or should be) to get their way, if people hold back bad news in the hope that things will turn out right in the end, if risk management procedures for bids are seen as an obstacle to be gamed until the right answer comes out, and if the company still staggers from one "unexpected" crisis to another then it doesn't matter what the risk register looks like; risk and uncertainty are being mismanaged.

It is common sense that a risk management programme should cause managers to manage risk better and that means they should behave differently (and not just to the extent of filling in the risk register).

This individual progression from risk registers to directly improving behaviour may be the way that the risk management profession as a whole progresses.

Perhaps we will also see risk managers turning their attention to ways of influencing managers' behaviour directly, such as by education programmes that explore cognitive biases, social factors influencing risk perception and communication, and skills for communicating uncertain information without losing face.

Frontier #5: Risk management that targets psychological factors

I often talk about the psychology of uncertainty and how it leads to bad planning and decisions. This is something people find very interesting and everyone can think of examples from their own experiences of occasions when someone suppressed uncertainty about something, usually with unfortunate results.

For example, at a company whose business involves bidding for large contracts, a system was introduced that worked out minimum bid prices. This system asked sales people for information about risk factors and used this as a significant part of the calculation. Unfortunately, when the system gave a price the sales people did not like some would delete risk factors until they got a number they preferred.

This kind of thing is astonishingly common and so I think we can expect to see increasing interest in ways to counter it. At the moment it is often mentioned informally but in future it could become an accepted part of risk management (and internal control) theory.

Frontier #6: Risk and performance management merging through a causal model

Go into a typical large organisation and ask for their risk register and their scorecard or something similar that states their major goals and measures of progress. Now compare the two and you will notice that they are remarkably similar.

Very often something stated as a "critical success factor", perhaps on the scorecard, has a similar item in the risk register that is just the potential failure to achieve what is stated in the critical success factor. Where you find a critical success factor that does not have a matching risk you have to wonder why not, and conversely where there is a risk without a matching critical success factor and the risk does not refer to some external condition, you have to wonder why the critical success factor is missing.

This is hardly surprising as risk analyses are very often driven from statements of objectives. What is surprising, however, is that there are two separate documents looked after by two separate teams. One group is trying to come up with actions that will make something happen. The other is trying to come up with actions that will make sure it does not fail to happen.

Obviously some kind of integration looks promising. However, once you start down this route you discover something more interesting still that offers to solve some of the most frustrating and difficult problems in corporate risk assessment.

The current leading thinking in performance management is that measures of performance should be based on a causal model of how the organisation and its environment work. This model links levers management can pull to the results ultimately achieved. Kaplan and Norton, the original Balanced Scorecard gurus, call this a Strategy Map.

One way of building a risk model would be to derive it directly from one of these causal models. There would be a "risk" for the future values of each variable in the model, and another "risk" for each connection between variables, representing our uncertainty about the structure and parameters of the model itself.

This solves our problems with understanding the causal links between risks and with estimating impact in some way. Think about it: how can you work out the impact of something without analysing how one thing leads to another? Isn't it odd that companies who have not modelled how their actions lead to results nevertheless expect risk managers to work out how failures could damage those results?

Frontier #7: Technical risk register reforms

My final Frontier is more of a plea than a prediction. I have seen many risk registers over the years and not one has been entirely free of serious technical flaws. Many of these flaws are so widespread they are usually accepted as good practice. Surely this cannot go on.

The main problems stem from what I call the Single Risk Fallacy. This is the belief that the items on a risk register are single risks. In fact they are nearly always sets of risks, as indicated by the fact that the impact of the events described can usually vary, e.g. a fire is not just a fire but a range of possible fires causing varying levels of damage.

If you believe a risk register item is a single risk it is obvious that no effort is needed to define the boundaries of that risk. It also makes perfect sense to rate the impact if that risk occurred. Consequently most risk register items are so vaguely worded that it is hard to tell what is included, and risk sets that clearly need to be modelled with a probability distribution over impact are instead reduced to a single impact level, typically "Medium."

There are many simple ways to improve risk registers, even if you choose not to use an explicit causal model.
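As an added illustration of the Single Risk Fallacy (this code is not from the article; the "fire" outcomes, their probabilities, and the impact bands are constructed for the example), the same register item is rated once in the usual way, by the impact of its most likely outcome, and once as a set of outcomes with a distribution over impact:

```python
from dataclasses import dataclass
from typing import List, Tuple

# Impact bands of the kind most registers use; the thresholds are constructed for this example.
BANDS = [("Low", 100_000), ("Medium", 1_000_000), ("High", float("inf"))]


def impact_band(impact: float) -> str:
    """Map a monetary impact onto a single register rating."""
    for label, upper in BANDS:
        if impact < upper:
            return label
    return BANDS[-1][0]


@dataclass
class RiskSet:
    """One register item modelled as a set of mutually exclusive outcomes per year."""
    name: str
    outcomes: List[Tuple[str, float, float]]  # (label, annual probability, impact)

    def expected_loss(self) -> float:
        return sum(p * impact for _, p, impact in self.outcomes)

    def exceedance_probability(self, threshold: float) -> float:
        """Probability that this item causes a loss of at least `threshold` in a year."""
        return sum(p for _, p, impact in self.outcomes if impact >= threshold)

    def single_rating(self) -> str:
        """The Single Risk Fallacy: rate the whole item by its most likely outcome alone."""
        _, _, impact = max(self.outcomes, key=lambda o: o[1])
        return impact_band(impact)

    def share_of_expected_loss(self, label: str) -> float:
        """Fraction of expected loss contributed by one outcome in the set."""
        total = self.expected_loss()
        return sum(p * i for lbl, p, i in self.outcomes if lbl == label) / total


# Constructed sample register item: a "fire" is really a range of possible fires.
FIRE = RiskSet("Fire in main office", [
    ("minor fire", 0.05, 20_000),
    ("serious fire", 0.01, 500_000),
    ("total loss", 0.001, 20_000_000),
])

if __name__ == "__main__":
    print(FIRE.single_rating())                       # the register says "Low"
    print(FIRE.expected_loss())                       # 26000.0 per year
    print(FIRE.exceedance_probability(1_000_000))     # 0.001
    print(FIRE.share_of_expected_loss("total loss"))  # about 0.77
```

The single "Low" rating is driven by the most frequent small fire, while the rare total-loss outcome that the rating hides accounts for most of the expected loss.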


Imagine the effect of making progress on all seven Frontiers of risk management and internal control. Imagine systematic implementation of hard hitting risk management controls, with measured benefits, profound behaviour change leading to wiser management at all levels, techniques that are both simple and effective, and the satisfying feeling of having efficient controls carefully designed and implemented in good time.

Of course that won't happen in one go. Take it little by little, looking for small but tangible improvements all the time.

Let's enjoy this Wild West, with its many opportunities for innovation, while it lasts. Yeeeehaaaa!

Words © 2006 Matthew Leitch


If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days. Contact details

About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher).