Risk management

2 Internal controls

In Session 5 the importance of controls as a form of mitigation was discussed; the activities of an internal control professional take these concepts and build on them. Internal controls are a fundamental part of good risk management, so much so that many of the governance codes (discussed in Session 7) require boards to take an active role in reviewing the effectiveness of the internal control environment. To remind you, look at this extract from the 2018 FRC Corporate Governance Code:

The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.

Internal controls are a central component of a good risk management system, as Video 3 shows.


Transcript: Video 3 The importance of internal controls

OK. So why are internal controls important? I feel they're fundamental to management of risk. If we think about risks in a business, 90% of those risks are actually known risks, i.e. they've happened before, they've materialised before, especially in the operational risk area.
And as risks have happened in a business, as things have gone wrong, they have materialised, controls have been developed in order to manage and mitigate those risks and prevent them from happening again. So therefore, if we think about that- if we think that we have a plethora of controls out there, they're all there to manage known risks- we could- as far as risk management is concerned, we could say, well, those known risks, as long as we are monitoring the controls and we are happy and assured that the controls are working as intended, we no longer have to dedicate resource, necessarily, specifically to try and manage those risks separately. And therefore, we can use that resource to manage other risks that are less certain and less known, and that actually, we don't have controls to manage.
So that whole control framework is- acts as a risk management- it's there to manage risk. That's why it's been developed. So in many organisations, I think we tend to forget that the controls were developed and put in place for a reason. Ultimately, production techniques may change. The actual product may change. People change. Technology changes. So those controls also need to change with that.
Another risk is that we don't change the controls. So we shouldn't be unsighted on that. And that's why assurance of controls is very, very important to understand that they are still actually one being implemented in a way in which they are intended to be implemented, but two, that they are still achieving the outcome they were intended to achieve- i.e., are they still designed to do the right thing?
So for me, the assurance, the second line assurance in a three line of defence model- the second line assurance has that duty that they have that responsibility to be reviewing controls for both of those elements. And they are the eyes and ears of the business. They are- it can be a very, very important role as much as they can look at control effectiveness and feed back to the relevant business owners whether those controls are still actually managing the risks they were intended to manage, whether they're still effective, whether they're still efficient. And it's the basis for process improvement and cost savings, potentially, but ultimately, making sure that those controls are still managing the risks that they were intended to manage.
End transcript: Video 3 The importance of internal controls

A bow tie is a great way of displaying this risk/control picture graphically, as shown in Session 3 during risk identification. Now watch Video 4 which covers the key elements of a bow tie and the internal controls.


Transcript: Video 4 The key elements of a bow tie

So a very useful tool that risk managers use in order to articulate risk in a very visual way is a risk bowtie. And the fact you've got with a risk bowtie is it has, in the very middle of it, where the knot of the bowtie is, a risk event that your company is trying to manage. And if the risk event becomes an issue, it could pretty much derail your organisation, your small business, whatever it is you're trying to achieve. And what happens is you put on one side all the causes of that risk event, and on the other side, you put all the consequences or the impact if that risk became an actual issue and materialised.
So let's say that you are a new company, and you are setting up for the very first time your restaurant. And your chef, who's worked really hard, and one of the things that you really want to not have in your first maybe week of opening is a food poisoning scare. So you might put on the causes side what are the things that might cause food poisoning or anything that you don't want to come out of the kitchen to be served out to one of your customers.
So you start to list down all the causes of that. It might be that your waiters haven't washed their hands, or they don't understand maybe the hygiene rules. It might be around washing plates carefully and making sure you don't mix up the old plates with the new plates and then the impact of that. So what are the consequences if something goes wrong, and how would you deal with it?
Then with the risk bowtie, you can start to think about, what are the controls that you need to put in place in order to manage those causes and also minimise the impacts. And often, time can be running quite close. So you might be thinking, right, if perhaps a critic came in and didn't have a good experience, how would I make sure that I've limited the impact on the business going forwards?
So that's the principle behind a risk bowtie method. And many organisations use it in order to kind of capture what are the really- what's the worst thing that could happen to the organisation? And how can I make sure that I'm really managing and understand what are the causes of that risk? And then also thinking very carefully about what the impacts would be if that risk then actually materialised.
End transcript: Video 4 The key elements of a bow tie

Activity 2 Key elements of a bow tie

Timing: Allow approximately 10 minutes

Take a look at the image below and match up the correct answers to the numbered labels.

Figure 4 BowTie diagram (without labels)

Using the following two lists, match each numbered item with the correct letter.

  1. inadequate hand washing
  2. unsafe food produced
  3. plates not clean
  4. induction training
  5. temperature check of food
  6. loss of trade/legal action

  • a. 4
  • b. 2
  • c. 3
  • d. 5
  • e. 6
  • f. 1

The correct answers are:
  • 1 = f
  • 2 = b
  • 3 = c
  • 4 = a
  • 5 = d
  • 6 = e


Take a look at the image below to see the whole BowTie diagram and how your answers compared.

Figure 4 BowTie diagram (with labels)

More advanced risk management may apply quantitative methods to these types of assessment. Techniques such as ‘HAZANs’ (hazard analysis) are commonly applied in high-hazard process industries. This technique builds on the bow tie thinking of identifying root causes and controls. It then asks how likely it is that a certain root cause will occur and how likely it is that a certain control will fail. These likelihoods can then be brought together to give a mathematical model of how likely a certain risk is, based on the controls in place and their effectiveness. This modelling is often quite complex and is performed by trained engineers.

However, it is worth sharing some of the common observations that flow from this thinking:

  • high-hazard systems normally have several controls and care is taken to make sure these controls cannot be circumvented by a ‘common mode of failure’
  • controls that rely on people are normally the least effective
  • controls that are directive should not be the sole prevention for high-impact risks.
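
The calculation described above, carried through for the restaurant bow tie as an added example that is not part of the course material: the yearly frequency of each cause is multiplied by the probability that every control in its path fails, and the results are summed. All figures and the cause-to-control mapping are constructed, and the `beta` common-mode fraction is a simplified beta-factor model assumed here to show why a ‘common mode of failure’ matters.

```python
from math import prod

# Constructed illustrative figures, not data from the course.
# per_year: how often the cause arises; controls: probability that each
# preventive control fails when the cause arises (mapping is assumed).
CAUSES = {
    "inadequate hand washing": {
        "per_year": 50.0,
        "controls": {"induction training": 0.10, "temperature check of food": 0.05},
    },
    "plates not clean": {
        "per_year": 20.0,
        "controls": {"induction training": 0.10, "temperature check of food": 0.05},
    },
}


def p_all_controls_fail(failure_probs, beta=0.0):
    """Probability that every control on one path fails together.

    beta is the assumed fraction of control failures that share a common
    cause (simplified beta-factor model); beta=0 means fully independent.
    """
    probs = list(failure_probs)
    if not probs:
        return 1.0  # no control on the path: every cause becomes the event
    if not 0.0 <= beta <= 1.0 or any(not 0.0 <= p <= 1.0 for p in probs):
        raise ValueError("probabilities and beta must lie in [0, 1]")
    independent = prod((1.0 - beta) * p for p in probs)
    common = beta * min(probs)  # shared failure defeats all controls at once
    return min(1.0, independent + common)


def event_frequency(causes, beta=0.0, drop=()):
    """Expected risk events per year, optionally with some controls removed."""
    total = 0.0
    for cause in causes.values():
        probs = [p for name, p in cause["controls"].items() if name not in drop]
        total += cause["per_year"] * p_all_controls_fail(probs, beta)
    return total


if __name__ == "__main__":
    print(f"independent controls : {event_frequency(CAUSES):.3f} events/year")
    print(f"10% common mode      : {event_frequency(CAUSES, beta=0.1):.3f} events/year")
    print(f"training only        : "
          f"{event_frequency(CAUSES, drop=('temperature check of food',)):.3f} events/year")
```

With these constructed numbers, a 10% common-mode fraction nearly doubles the expected event frequency, and relying on the people-dependent control alone raises it twentyfold.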
