Both internal control and risk management are complimentary and seeks to provide stability and control to the business. Read on for an understanding of the difference and common ground between these two concepts and the process of implementation.
Internal controls are processes aimed at providing reasonable assurance regarding the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. Successful implementation of a project requires good internal controls.
Risk management is the process of determining maximum acceptable levels of overall risk and uncertainty to and from a proposed activity. The approach entails using appropriate techniques to determine the initial level of risk and developing strategies to ameliorate such risks as needed, to reduce risks or uncertainties to an acceptable level.
Traditionally, risk management concentrated more on the strategic initiatives of the business, whereas internal controls aimed at running a system. The risk management approach identifies and resolve risks and uncertainties related to strategy, operations, technology and the business environment, whereas internal controls usually focuses on smaller, recurring, internal risk events centered on audit or accounting procedures, IT and other controls, reporting systems, and the like.
The distinction between internal controls and risk management, however, blurs in recent times. The concept of internal controls now closely relates to risk management, with many people using the term interchangeably.
Of late, internal control is an integral part of enterprise risk management.
A good risk management program stipulates internal control requirements that need compliance when making strategic positioning or taking decisions related to company expansions, portfolio adjustments, and other key issues. A sound system of internal control mandates a thorough evaluation of the nature and extent of risks at periodic intervals, and remains flexible to adapt to changes in the risk environment. The nature of internal control depends on the extent of risk tolerance of the organization or project.
Hitherto, internal controls did not quantify risks, rather grading the risk level in a continuum of “high-medium-low." The latest approach in internal controls is quantifying risks by gathering data and deriving statistical relationship between the extent of control and potential operational risks.
The starting point of a risk management program is preparing a risk register to map the risks involved. The next step is making risk assessments in projects, followed by the most critical requirement of instituting effective internal controls in projects to mitigate the identified risks.
Internal controls remain indispensable for risk management, for mere awareness of risk does not ensure effective management of the risk. Without internal controls, managers might perceive risk mapping as an unnecessary obstacle, and choose to ignore it for the sake of expediency.
Success of internal control and risk management depends on effective information and communication. The nature of risks remains fluid in today’s business environment marked by constant changes. In such a scenario, the effectiveness of internal control and risk management depend on prompt updating of the nature of risks, and communication of the same to all concerned. The internal control mechanism requires flexibility to respond quickly to such changes.
Effective internal control and risk assessment is an ongoing process and requires constant monitoring and periodic reviews as the nature of risks changes. Many companies devote regular meetings, usually monthly for this purpose.
Increase in shareholder value is in essence, a reward for risk taking, and as such, the risk management and internal control procedures need to focus on managing and controlling risks appropriately rather than eliminate risks.
The effectiveness of internal control and risk management systems are that embedded in the operations of the company and constitute part of the corporate structure.
- Leitch, Matthew. “Seven frontiers of internal control and risk management ." http://www.internalcontrolsdesign.co.uk/frontiers/index.shtml. Retrieved 07 March 2011.
- NeuroSearch. “Key Elements in Internal Controls and Risk Management." http://www.neurosearch.com/Default.aspx?ID=7507. Retrieved 07 March 2011.
- Hong Kong Institute of Certified Public Accountants. “Internal Control and Risk Assessment: A Basic Framework." http://www.sgb.gov.tr/en/Internal%20Control/Internal%20Control%20and%20Risk%20Management.pdf. Retrieved 07 March 2011.
Image Credit: flickr.com/Cold Cut