Transcript

SPEAKER 1

OK. So why are internal controls important? I feel they're fundamental to management of risk. If we think about risks in a business, 90% of those risks are actually known risks, i.e. they've happened before, they've materialised before, especially in the operational risk area.

And as risks have happened in a business, as things have gone wrong, they have materialised, controls have been developed in order to manage and mitigate those risks and prevent them from happening again. So therefore, if we think about that- if we think that we have a plethora of controls out there, they're all there to manage known risks- we could- as far as risk management is concerned, we could say, well, those known risks, as long as we are monitoring the controls and we are happy and assured that the controls are working as intended, we no longer have to dedicate resource, necessarily, specifically to try and manage those risks separately. And therefore, we can use that resource to manage other risks that are less certain and less known, and that actually, we don't have controls to manage.

So that whole control framework is- acts as a risk management- it's there to manage risk. That's why it's been developed. So in many organisations, I think we tend to forget that the controls were developed and put in place for a reason. Ultimately, production techniques may change. The actual product may change. People change. Technology changes. So those controls also need to change with that.

Another risk is that we don't change the controls. So we shouldn't be unsighted on that. And that's why assurance of controls is very, very important to understand that they are still actually one being implemented in a way in which they are intended to be implemented, but two, that they are still achieving the outcome they were intended to achieve- i.e., are they still designed to do the right thing?

So for me, the assurance, the second line assurance in a three line of defence model- the second line assurance has that duty that they have that responsibility to be reviewing controls for both of those elements. And they are the eyes and ears of the business. They are- it can be a very, very important role as much as they can look at control effectiveness and feed back to the relevant business owners whether those controls are still actually managing the risks they were intended to manage, whether they're still effective, whether they're still efficient. And it's the basis for process improvement and cost savings, potentially, but ultimately, making sure that those controls are still managing the risks that they were intended to manage.