INTERNAL CONTROLS
https://www.irmi.com/articles/expert-commentary/seven-frontiers-of-internal-control-and-risk-management 1/7
1/30/24, 1:27 PM Seven Frontiers of Internal Control and Risk Management
As we enter 2006, I thought it would be a good time to look ahead at how things in the
world of internal control and corporate risk management might develop over the next
several years.
Here are my "seven frontiers" of internal control and risk management.
Why doesn't the internal controls movement have a thriving tradition of controls design?
Simply, it is because the controls movement has been led by auditors, and auditors do
not design. Indeed the few experiments in internal controls design have usually
produced disappointing results, very slowly, because they applied audit techniques to
design problems. However, as quality and internal control gradually swap ideas, and as
more and more money is spent on controls, people are beginning to spend more of that
money on people whose job is to design and implement better controls.
Another driver is the deluge of "remediation" produced by projects to comply with
section 404 of the Sarbanes-Oxley Act 2002. Some companies and their auditors have
listed thousands of control remediation actions, and too many of these have been poorly
thought out. I predict a backlash that includes putting competent people in charge of
controls improvement.
3. Better Quantification
It's ironic that internal controls thinking, despite being a movement led by the big audit
firms (of accountants), has paid almost no attention to quantifying risks or the benefits
of controls in a credible, mathematically competent, and data-supported way. Most
assessments don't get past "high-medium-low." This is a huge contrast to the quality
movement, with its vast array of statistical process control techniques and its emphasis
on measurement and on results.
However, as organizations spend more and more on internal controls, they reach a point
where intuition is no longer enough and reassurances that the work is worthwhile need
to be backed up with facts. Again, operational risk management in banks may be the
leading edge of a trend toward better data gathering and quantification. Many banks
have done a lot of work to measure operational risk. Some have also begun to look for
statistically important relationships between potential drivers of operational risk and the
events that result. Gradually, intuition is giving way to a more scientific approach.
achieved. Robert S. Kaplan and David P. Norton, the original "balanced scorecard" gurus,
call this a "strategy map."
One way of building a risk model would be to derive it directly from one of these causal
models. There would be a "risk" for the future values of each variable in the model, and
another "risk" for each connection between variables, representing our uncertainty about
the structure and parameters of the model itself. This solves our problems with
understanding the causal links between risks and with estimating impact in some way.
Think about it: How can you work out the impact of something without analyzing how
one thing leads to another? Isn't it odd that companies that have not modeled how their
actions lead to results nevertheless expect risk managers to work out how failures
could damage those results?
Summary
Imagine the effect of making progress on all seven frontiers of risk management and
internal control. Imagine systematic implementation of hard-hitting risk management
controls, with measured benefits, profound behavior change leading to wiser
management at all levels, techniques that are both simple and effective, and the
satisfying feeling of having efficient controls carefully designed and implemented in
good time.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily
held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do
not purport to provide legal, accounting, or other professional advice or opinion. If such advice is
needed, consult with your attorney, accountant, or other qualified adviser.
© 2000-2024 International Risk Management Institute, Inc (IRMI). All Rights Reserved.