Professional Documents
Culture Documents
T
he day before Christmas Eve, when every-
one’s attention was on the forthcoming fes- the long-term direction of their organisations. They need to
tivities and the potential threat posed by the set goals with varying timeframes. The impact of various risks
crystallising can be that the organisation’s realised goals are
Millenium Bug, the Turnbull Report came quietly
very different from the intended, desired ones.
into effect. However, since the publication at the
end of September of the final report of the Institute’s Managing risk effectively can make an organisation more
Internal Control Working Party, chaired by Nigel flexible and responsive to its external environment, enabling
Turnbull, there has been much discussion in the it to satisfy customers’ ever-changing needs more fully.
business community and the media about its likely Organisations can also gain an early-mover advantage by
impact in the coming years. Moreover, whilst its adapting more quickly than their rivals to new circumstances
primary purpose is to provide guidance to help list- (eg in taking advantage of the opportunities offered by e-
ed companies implement the internal control commerce), leading to an enhanced reputation in the medi-
requirements of the Combined Code on Corporate um and long term. Effective risk management and internal
Governance, the report can also be used as a catalyst control can also be used to manage change, to involve every-
one in the organisation in helping meet its business objec-
for performance improvement in the public and
tives, and to improve an operation’s ability to raise funds in
not-for-profit sectors as well.
the future. In addition, it can lead to fewer sudden shocks
The Turnbull guidance reflects good business practice in the and unwelcome surprises, and as a result less management
areas of risk management and internal control. It emphasis- time spent ‘firefighting’.
es that a company’s internal control system has a key role to
It is important that managers move away from a merely
play in the management of risks that are significant to the ful-
downside-based approach to managing risk. Risk is not only
filment of its business objectives. To implement the report
about ‘bad things happening’, it is equally about ‘good things
successfully, an organisation therefore needs a clear under-
not happening’, ie missed opportunities.
standing of its objectives. These should be expressed around
the future, not the past or present, in order to assist the organ- Identifying the Risks
isation in meeting the key challenges that lie ahead. Organisations should try to avoid ‘risk identification over-
Secondly, the focus should be on the significant risks that load’, as this can prevent the significant risks being given
could blow it off course. It is not about identifying 1,001 risks appropriate attention. If lots of risks have traditionally been
regardless of the likelihood that they will occur or the impact identified, they can usefully be analysed on the basis of rele-
they would have if they did materialise. Thirdly, the control vance to meeting the business objectives and to highlighting
system must be linked to managing in an effective manner areas where new objectives may be needed.
the risks an organisation consciously decides to carry; the
A recent survey by the accounting firm Deloitte and Touche
report is not about eliminating risk, per se.
revealed that the risks which were often of most concern to
The guidance also stresses that the internal control system organisations included: a failure to manage major projects
should be: firmly embedded in the organisation’s operations; (especially of a technological nature); a failure of strategy; a
be capable of responding quickly to changes in its risk profile, failure to innovate; poor reputation or brand management;
whether arising from changes within the business or in its and a lack of employee motivation and poor performance.
external environment; and should include procedures for
Care should be taken to avoid merely selecting risks from a
immediately reporting significant control failings or weak- generic matrix. The risks need to be specific to the relevant
nesses to appropriate levels of management. sector and the individual circumstances of the organisation.
It is particularly useful to relate them to the likely obstacles to
The Benefits of Managing Risk Effectively
achieving the critical success factors associated with the
What, then, are the potential benefits of effective risk man-
achievement of the organisation’s objectives.
agement and internal control? Boards of directors (and their
124
Useful questions to ask include: • Do the directors wish to accept this risk?
• How is change affecting the risks we face and the risks we • What is the control strategy to avoid or mitigate the gross
have chosen to take (this is because change areas are often risk?
the biggest areas of risk for an entity)?
• Who is accountable for managing the risk and maintain-
• What would we be reluctant to see reported in the press? ing and monitoring the controls?
• What problems or near misses have already happened to • What is the residual risk, that is the risk remaining after the
us or our competitors in recent years? application of the control processes?
• What are the major regulatory and legal risks to which the • Accepting the risk.
business is exposed?
• Transferring the risk (eg passing it to another party by
• What risks arise from the organisation’s processes? changing contractual terms).
125