Skip to content
Skip to main content
header search
ahihi OpenLearn
OpenLearn
Menu
sticky search

About this free course

Become an OU student

Download this course

Share this free course

Course content Course content
Risk management
Risk management

Start this free course now. Just create an account and sign in. Enrol and complete the course for a free statement of participation or digital badge if available.

More free courses

2 Internal controls

In Session 5 the importance of controls as a form of mitigation was discussed; the activities of an internal control professional takes these concepts and builds on them. Internal controls are a fundamental part of good risk management, so much so that many of the governance codes (discussed in Session 7) require boards to take an active role in reviewing the effectiveness of the internal control environment. To remind you, look at this extract from the 2018 FRC Corporate Governance Code:

Internal controls are a central component of a good risk management system as Video 3 shows.

The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.

FRC Corporate Governance Code (Clause 29, p. 12, 2018)
Download this video clip.Video player: Video 3 The importance of internal controls
Copy this transcript to the clipboard
Print this transcript
Show transcript|Hide transcript

Transcript: Video 3 The importance of internal controls

SPEAKER 1
OK. So why are internal controls important? I feel they're fundamental to management of risk. If we think about risks in a business, 90% of those risks are actually known risks, i.e. they've happened before, they've materialised before, especially in the operational risk area.
And as risks have happened in a business, as things have gone wrong, they have materialised, controls have been developed in order to manage and mitigate those risks and prevent them from happening again. So therefore, if we think about that- if we think that we have a plethora of controls out there, they're all there to manage known risks- we could- as far as risk management is concerned, we could say, well, those known risks, as long as we are monitoring the controls and we are happy and assured that the controls are working as intended, we no longer have to dedicate resource, necessarily, specifically to try and manage those risks separately. And therefore, we can use that resource to manage other risks that are less certain and less known, and that actually, we don't have controls to manage.
So that whole control framework is- acts as a risk management- it's there to manage risk. That's why it's been developed. So in many organisations, I think we tend to forget that the controls were developed and put in place for a reason. Ultimately, production techniques may change. The actual product may change. People change. Technology changes. So those controls also need to change with that.
Another risk is that we don't change the controls. So we shouldn't be unsighted on that. And that's why assurance of controls is very, very important to understand that they are still actually one being implemented in a way in which they are intended to be implemented, but two, that they are still achieving the outcome they were intended to achieve- i.e., are they still designed to do the right thing?
So for me, the assurance, the second line assurance in a three line of defence model- the second line assurance has that duty that they have that responsibility to be reviewing controls for both of those elements. And they are the eyes and ears of the business. They are- it can be a very, very important role as much as they can look at control effectiveness and feed back to the relevant business owners whether those controls are still actually managing the risks they were intended to manage, whether they're still effective, whether they're still efficient. And it's the basis for process improvement and cost savings, potentially, but ultimately, making sure that those controls are still managing the risks that they were intended to manage.
End transcript: Video 3 The importance of internal controls
Download
Video 3 The importance of internal controls
Interactive feature not available in single page view (see it in standard view).

A bow tie is a great way of displaying this risk/control picture graphically, as shown in Session 3 during risk identification. Now watch Video 4 which covers the key elements of a bow tie and the internal controls.

Download this video clip.Video player: Video 4 The key elements of a bow tie
Copy this transcript to the clipboard
Print this transcript
Show transcript|Hide transcript

Transcript: Video 4 The key elements of a bow tie

SPEAKER
So a very useful tool that risk managers use in order to articulate risk in a very visual way is a risk bowtie. And fact you've got a risk bowtie is is it has in the very middle of it where the knot of the bowtie is is a risk event that your company is trying to manage. And if the risk event becomes an issue, it could pretty much derail your organisation, your small business, whatever it is you're trying to achieve. And what happens is you put on the on one side, you put all the causes of that risk event, and on the other side, you put all the consequences or the impact if that risk became an actual issue and materialised.
So let's say that you are a new company, and you are setting up for the very first time your restaurant. And your chef, who's worked really hard, and one of the things that you really want to not have in your first maybe week of opening is a food poisoning scare. So you might put on the causes side what are the things that might cause food poisoning or anything that you don't want to come out of the kitchen to be served out to one of your customers.
So you start to list down all the causes of that. It might be that your waiters haven't washed their hands, or they don't understand maybe that the hygiene rules. It might be around washing plates carefully and making sure you don't mix up the old plates with the new plates and then the impact of that. So what are the consequences if something goes wrong, and how would you deal with it?
Then with the risk bowtie, you can start to think about, what are the controls that you need to put in place in order to manage those causes and also minimise the impacts. And often, time can be running quite close. So you might be thinking right if perhaps a critique came in and didn't have a good experience, how would I make sure that I've limited the impact on the business going forwards?
So that's the principle behind a risk bowtie method. And many organisations use it in order to kind of capture what are the really- what's the worst thing that could happen to the organisation? And how can I make sure that I'm really managing and understand what are the causes of that risk? And then also thinking very carefully about what the impacts would be if that risk then actually materialised.
End transcript: Video 4 The key elements of a bow tie
Download
Video 4 The key elements of a bow tie
Interactive feature not available in single page view (see it in standard view).

Activity 2 Key elements of a bow tie

Timing: Allow approximately 10 minutes

Take a look at the image below and match up the correct answers to the numbered labels.

Bow Tie diagram (without labels)
Figure 4 Bow Tie diagram (without labels)
Show description|Hide description

A diagram which has a circle in the centre with the label 2. Coming out of the circle on the top is a line going to a black square, which has the label Opening a restaurant. The circle also has 3 lines coming out of the left-hand side, with three grey boxes, labelled from top to bottom: periodic inspections, 4 and dishwasher cleaning routine. From periodic inspections box, another blue boxes goes to the left, labelled 1. From the box labelled 4, there is a blue box going to the left labelled hygiene rules not understood. From the box labelled dishwasher cleaning routine, a blue box goes to the left labelled 3. There are also three lines going to three pink/red boxes on the right-hand side of the circle, labelled: ill customer, 6 and damage to reputation. In between ill customer and the red circle, there is a grey box labelled 5. In the top right-hand corner, there is a key labelled as follows: Red/pink box: consequences, blue box: root causes, grey box: controls, black box: hazard and red circle: event.

Figure 4 Bow Tie diagram (without labels)

Using the following two lists, match each numbered item with the correct letter.

  1. inadequate hand washing

  2. unsafe food produced

  3. plates not clean

  4. induction training

  5. temperature check of food

  6. loss of trade/legal action

  • a.4

  • b.2

  • c.3

  • d.5

  • e.6

  • f.1

The correct answers are:
  • 1 = f
  • 2 = b
  • 3 = c
  • 4 = a
  • 5 = d
  • 6 = e

Answer

Take a look at the image below to see the whole BowTie diagram and how your answers compared.

Bow Tie diagram (with labels)
Figure 4 Bow Tie diagram (with labels)
Show description|Hide description

A diagram which has a circle in the centre with the label unsafe food produced. Coming out of the circle on the top is a line going to a black square, which has the label Opening a restaurant. The circle also has 3 lines coming out of the left-hand side, with three grey boxes, labelled from top to bottom: periodic inspections, induction training and dishwasher cleaning routine. From periodic inspections box, another blue boxes goes to the left, labelled inadequate hand washing. From the box labelled induction training, there is a blue box going to the left labelled hygiene rules not understood. From the box labelled dishwasher cleaning routine, a blue box goes to the left labelled plates not clean. There are also three lines going to three pink/red boxes on the right-hand side of the circle, labelled: ill customer, loss of trade/legal action and damage to reputation. In between ill customer and the red circle, there is a grey box labelled temperature check of food. In the top right-hand corner, there is a key labelled as follows: Red/pink box: consequences, blue box: root causes, grey box: controls, black box: hazard and red circle: event.

Figure 4 Bow Tie diagram (with labels)

More advanced risk management may start to apply quantitative assessments to these types of assessments. Techniques such as ‘HAZANs’ (hazard analysis) are commonly applied in high-hazard process industries. This technique builds on the bow tie thinking of identifying root causes and controls. It then asks how likely it is that a certain root cause will occur and how likely it is that a certain control will fail. This can then be brought together to give a mathematical model of how likely a certain risk is, based on the controls in place and their effectiveness. This modelling is often quite complex and is performed by trained engineers.

However, it is worth sharing some of the common observations that flow from this thinking:

  • high-hazard systems normally have several controls and care is taken to make sure these controls cannot be circumvented by a ‘common mode of failure’
  • controls that rely on people are normally the least effective
  • controls that are directive should not be the sole prevention for high-impact risks.