Internal Controls Design
consulting and research for internal control with risk management


Useful links

Interesting people

Here are some people to check out if you are interested in risk and control. They're in alphabetical order.

The team at Asuret has developed a well thought out approach to assessing project risks, particularly for ERP implementations. I love the information graphics of their tool and their questionnaire is head and shoulders above anything similar I've seen. I'm on their Advisory Panel and look forward to seeing how the tools and client work progress.

The Beyond Budgeting Round Table are as fond of budgetary control as I am. They want to rid the world of it and they've collected plenty of evidence to show there are better alternatives. It's been a pleasure presenting at their events and meeting members. Jeremy Hope leads the research side and writes most of the books. Despite the cheesy business book titles Jeremy's books are definitely worth buying; he puts in good ideas with lots of supporting cases and statistics.

There's nothing cheesy about "Managing project risk and uncertainty: a constructively simple approach to decision making" by Chris Chapman and Stephen Ward of Southampton University, and nothing academic about it either. I think their "constructively simple" approach to building risk/uncertainty models is both common sense (in retrospect) and a brilliant breakthrough. Both the authors are worth taking an interest in. There are others who have written more on project risk, or have achieved a higher profile, but quality is more important than quantity.

For authoritative debunking of popular but logically flawed approaches to risk analysis I strongly recommend work by Tony Cox of Cox Associates in Denver. Tony is a prolific contributor to the RISKANAL discussion list and can be relied on to blind everyone with mathematics. Fortunately he can also speak plain English.

Chris Dale and his colleagues at Business Transition Technologies have cleverly combined several powerful ideas in business thinking into a single approach to making business processes perform better and more predictably. Chris favours evolutionary projects, uses systems dynamics in modelling, and is a fan of the Theory of Constraints. That's a powerful combination and they're getting some good results.

Tom Gilb has produced a string of good ideas over the years. I first got enthusiastic about Evo, his approach to project management, but having got to know him and his methods in more detail I now realise that he has a lot to offer on prioritisation and effective reviews as well. He may not have the most mathematics, or the best graphics, or be the most famous guru in his field of interest but Tom's ideas just work really well. No doubt over the coming years he will convert me to yet more of his thinking.

Stuart Hartley is president of FocusROI and an expert in audit and controls. I have found him particularly knowledgeable on all matters concerning the Sarbanes-Oxley Act.

Michael Mainelli is a director of Z/Yen with lots of ideas about finance, risk, and reward. He's basically a former rocket scientist who likes to have fun at work and practices what he preaches.

Unlike just about everyone else on this list Adrian Poffley is not a consultant. He currently works at the World Bank and before that he was head of finance at the charity Sightsavers International. Consequently you probably haven't heard of him or his book "The financial stewardship of charities." However, fame and being right do not correlate very well and I urge you to get hold of a copy of this book. Adrian is interesting and pleasant, and also a superb public speaker.

Peter Sandman is a genius of risk communication. The best I've come across.

Professor Sam Savage coined the phrase "Flaw of Averages" along with others like "consumer stochastics" and "blitzograms". Lurking beneath this accessible exterior is his vast knowledge of simulation and an impressive flow of good and important ideas. Sam occasionally comes to the UK. His software company is called Analycorp. I use XLSim, which is a simple Excel add-in for Monte Carlo simulation. I have had no technical problems with it and particularly value Sam's tutorial that comes with it. There are more sophisticated tools than XLSim but it is hard to beat that tutorial.

Martin Ternouth does not have a website but at last one is in the pipeline. That is worth waiting for because Martin has a lot of important things to say on project management, cost saving, management information, and much else besides. Contact him if you are interested in his ideas for going "Beyond The Gantt Chart." Martin's approach to keeping a tidy desk has been a revolution for me and you can read all about it in his extensive posting to Edward Tufte's discussion list, through which you can make contact.

Regulations in the UK

In the UK, requirements for "risk management" and internal control are laid out in a document called "Internal control: guidance for directors on the Combined Code", published by the Institute of Chartered Accountants in England and Wales. The committee that produced this guidance was chaired by Nigel Turnbull, so the guidance is normally referred to as "the Turnbull guidance".

The main guidance for auditors appears in a briefing paper called "Providing Assurance on the Effectiveness of Internal Control" issued by the Auditing Practices Board. Although the principles of this paper are strong, some of the technical details appearing in the example report and particular techniques referred to in the text are flawed. The APB are keeping the area under review and point out that the paper says the details of the example should not be taken as a guide to current good practice.

The Turnbull guidance applies to all UK listed companies. It supplements the "Combined Code of the Committee on Corporate Governance", which contains lots of other rules on corporate governance applying to companies listed on the London Stock Exchange.

In the USA the strongest requirements for internal control and risk management come from the recently enacted Sarbanes-Oxley Act of 2002. See, in particular, sections 302 and 404. These have been interpreted by the SEC as rules.

Much of the thinking about what internal controls are and why risk management is important was captured in a document called the "COSO report". This odd name is short for "Committee of Sponsoring Organisations of the Treadway Commission" and refers to a report called "Internal Control - Integrated Framework". The COSO organisation has a website and some of its guidance is free online.

Uncertainty suppression

Once you are attuned to it you can see uncertainty suppression at work any day of the week, but if you would like research to back up your observations try "Embracing Uncertainty: the essence of leadership" by Phillip G Clampitt, Robert J DeKoch, and M E Sharpe, 2001. The authors have a handy overview of their book, free on the web. They also have a paper on uncertainty suppression, listed under "Other Publications".

This is not to be confused with "Embracing uncertainty" by Susan Jeffers, which is an altogether more mushy style of psychology.

The "upside" of risk

An interesting article about the helpful effects of events we would normally consider bad has been written by Richard Anderson of the Corporate Risk Group. The article is "Risk Management into the New Millenium."

Steven Ward and Chris Chapman of Southampton University have suggested that "risk management" be renamed "uncertainty management" to help people remember that unexpected favourable events are included. Good idea. Their article is called "Project Uncertainty Management as a Desirable Future".

Others have used "risk and opportunity" management as their name, for example in "Integration of risk and opportunity thinking into projects" by Kalle Kahkonen and in "A new approach to business risk" by David McNamee.

Reasoning errors related to uncertainty

This area has been researched ad nauseam, and yet there is still much to be discovered and almost all of it is still to be properly explained.

One of the classics is "Judgement under uncertainty: Heuristics and biases" edited by Daniel Kahneman, Paul Slovic, and Amos Tversky, 1982.

Showing uncertainty explicitly in spreadsheets etc

Dr Sam Savage of Stanford University is entertaining and authoritative. His explanations of the flaw of averages are invaluable. He has a company, Analycorp, that sells software for modelling uncertainty explicitly.

Crystal Ball is an example of an Excel add-in tool that makes it comparatively easy to show and quantify uncertainty in spreadsheet models and so avoid the Flaw of Averages and similar mistakes. Their site has many examples of models for different purposes to show how it's done.

Another leading tool in this area is @risk from Palisade.



  © 2004 Matthew Leitch