Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)
New website, new perspective: - Related articles - All articles - The author - Services

Simple Introduction Graphic

A simple introduction to risk management and internal control in organisations

by Matthew Leitch, 10 November 2004 (slightly expanded 7 March 2005 and 6 November 2006)

This complicated field of risk management and internal control needs a simple introduction. It needs an overview that puts everything in place and gets us thinking in the right direction.

But it's not so easy to write. This is a massive subject in which much of the established advice is not good advice. Regulations differ between countries and sectors. Techniques and concepts derived from different sciences and professions often contradict each other in fundamental ways.

Here's my view. It is a bit different and I hope it works for you as it does for me.

Please note

If you like the ideas in this article – and many people do – the easiest way to use them properly is to engage me, the author, for some individual technical tutoring or teletutoring sessions.


There are many, many definitions around for "risk management" and "internal control" and the one thing they have in common is that they are rather abstract. Some people say risk management is part of internal control, while others say internal control is part of risk management.

Over the years I have noticed that the meaning of both terms, in practice, has expanded so, today, there is no useful difference in meaning between "risk management" and "internal control." The explanation below is just as true whichever terms you use.

More recently some have suggested using a new term, "uncertainty management", to refer to the field. There are several excellent reasons for this and I increasingly write "uncertainty management".


The main objective of risk/uncertainty management programmes is simply to improve the way uncertainty is managed.

Within that I find it helpful to focus on two sub-objectives: (a) open minds to the full range of things that may happen in future (i.e. to take off the mental blinkers we wear most of the time) and (b) help people cope with the complexity thus revealed and so act in accordance with their expanded view. All the techniques I recommend concentrate on these. Whether it's reminding an accounts clerk that bank statements and cash books can be wrong so a reconciliation is needed, or helping an executive director think widely about the future direction of a charity so that she will recognise the value of flexibility, the mind has to be open or risk management seems unnecessary.

Psychologists have shown that we tend to be overconfident in predictions and believe we have more control than is really the case. That agrees 100% with my observations. When we work together in organisations the tendency towards a blinkered view of the future is usually increased by various social pressures and management systems.

In practical terms

An "internal control" or "uncertainty management" system is not a gadget or computer system, so what in practical, concrete terms are we talking about? An internal controls improvement exercise involves changing the way work is done (and the things that are used to do that work) to deal with the uncertainties the work involves. The changes are connected so they work together so in that sense they make a system.

. . . . .
There's more
The whole text of this article is freely available to you without registration by just clicking the link below. Please remember that this website exists because people (perhaps including you) express their thanks for its help in practical ways, such as thinking about how to use its ideas, my services, the book, taking part in research, suggesting topics, etc. Thanks for reading this and I hope you enjoy the full article.

Full article
© 2004, 2005 Matthew Leitch
New website, new perspective: - Related articles - All articles - The author - Services