2 Internal controls
In Session 5 the importance of controls as a form of mitigation was discussed; the activities of an internal control professional take these concepts and build on them. Internal controls are a fundamental part of good risk management, so much so that many of the governance codes (discussed in Session 7) require boards to take an active role in reviewing the effectiveness of the internal control environment. To remind you, look at this extract from the 2018 FRC Corporate Governance Code:
The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.
Internal controls are a central component of a good risk management system, as Video 3 shows.
A bow tie is a great way of displaying this risk/control picture graphically, as shown in Session 3 during risk identification. Now watch Video 4, which covers the key elements of a bow tie and the internal controls.
Activity 2 Key elements of a bow tie
Using the following two lists, match each numbered item with the correct letter.
inadequate hand washing
unsafe food produced
plates not clean
temperature check of food
loss of trade/legal action
- 1 = f
- 2 = b
- 3 = c
- 4 = a
- 5 = d
- 6 = e
More advanced risk management may start to apply quantitative techniques to these types of assessments. Techniques such as ‘HAZANs’ (hazard analysis) are commonly applied in high-hazard process industries. This technique builds on the bow tie thinking of identifying root causes and controls. It then asks how likely it is that a certain root cause will occur and how likely it is that a certain control will fail. These likelihoods can then be brought together to give a mathematical model of how likely a certain risk is, based on the controls in place and their effectiveness. This modelling is often quite complex and is performed by trained engineers.
However, it is worth sharing some of the common observations that flow from this thinking:
- high-hazard systems normally have several controls and care is taken to make sure these controls cannot be circumvented by a ‘common mode of failure’
- controls that rely on people are normally the least effective
- controls that are directive should not be the sole prevention for high-impact risks.
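The arithmetic behind these observations can be shown with a small model. This is an added example, not part of the course material: every frequency and failure probability is constructed, the third root cause and several control names are assumed, and `p_common` is an assumed way of representing a common mode of failure.

```python
from math import prod

# Constructed figures for illustration only; some cause and control names are
# taken from the kitchen bow tie in Activity 2, the rest are assumed.
# cause -> (occurrences per year, [(control, kind, probability it fails on demand)])
CAUSES = {
    "inadequate hand washing": (12.0, [
        ("hand-washing notice", "directive", 0.5),
        ("temperature check of food", "people", 0.1),
    ]),
    "plates not clean": (6.0, [
        ("dishwasher hot cycle", "engineered", 0.02),
        ("visual check of plates", "people", 0.2),
    ]),
    "food past use-by date": (4.0, [
        ("stock rotation policy", "directive", 0.3),
    ]),
}

def breach_probability(fail_probs, p_common=0.0):
    """Probability that every control on a path fails together.
    p_common: chance that one shared condition (a common mode of failure)
    disables all controls at once; otherwise they fail independently."""
    return p_common + (1.0 - p_common) * prod(fail_probs)

def event_frequency(causes, p_common=0.0):
    """Expected risk events per year, summed over all root causes."""
    return sum(
        freq * breach_probability([p for _, _, p in controls], p_common)
        for freq, controls in causes.values()
    )

def directive_only(causes):
    """Root causes whose only prevention is directive controls."""
    return [name for name, (_, controls) in causes.items()
            if all(kind == "directive" for _, kind, _ in controls)]

if __name__ == "__main__":
    print(f"independent controls: {event_frequency(CAUSES):.3f} events/year")
    print(f"1% common mode:       {event_frequency(CAUSES, 0.01):.3f} events/year")
    print("directive-only paths:", directive_only(CAUSES))
```

With these figures, a 1% common mode of failure more than triples the contribution of the best-protected cause (plates not clean), and the single directive-only path dominates the total.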