First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Norman D. Marks, CPA, CRMA | 3 Minutes Read March 9, 2020

Which comes first, risk or control?


I think the relationship between risk (what might happen to affect the achievement of objectives) and internal control (what you do to ensure things are done the way you want) is not very well understood.

Here’s my attempt to explain it.

  1. You have controls to ensure that risks (the effect on objectives of potential events, situations, actions, or decisions) are at desired levels. (Note that I said ‘desired’ instead of ‘acceptable’. There’s an important difference.) So you can’t know whether you have the right controls or that the system of internal control is effective if you don’t have a reliable understanding of the more significant risks to objectives today and for the manageable future. You may have a lot of controls that are working just the way you want. But are they the controls you need when the future is shifting and the risks have changed?

    Conclusion: any assessment of the system of internal control is predicated on an assessment of the systems around the identification and management of risk (again, what might happen).

  2. You cannot have effective management of risk if you don’t have effective controls around their identification, treatment, and so on. The processes around identifying, assessing, and acting on risks (what might happen) include a number of critical controls. For example, if you rely on analytics to identify emerging risks, you have controls over the development and use of the analytics. If you rely on workshops to debate and assess the potential effects of likely events, you have controls over workshop attendance, conduct, and actions taken. If you have a potential for bad debt, you rely on controls over credit approval.

    You fool yourself if you believe risk is at desired levels when you have not assessed, and obtained confidence in, the related internal controls.

    Conclusion: any assessment of the effectiveness of risk management depends on the assessment of related controls.

Can you assess the overall system of internal controls without considering risk management? I don’t think so, and neither does COSO. That is why there is a risk component in their internal control framework.

What you can do is provide an overall assessment of the system of internal controls as it relates to the more significant risks that were addressed by completed audit engagements.

Can you assess risk management without considering related internal controls? I don’t think so.

What you can do is provide an overall assessment using a risk maturity model (such as I describe in World-Class Risk Management) or indicate that your assessment is subject to the system of internal control being effective.

In World-Class Risk Management, I describe a number of risks to the effective management of risk. For example, the wrong people might be assessing a risk, or individuals might be influenced by their cognitive bias when assessing and acting in response to a risk. If there aren’t effective internal controls to address those risks to the management of risk, how can you assert that risk management is effective?

I strongly encourage both management and risk and audit practitioners to assess both their systems of internal control and of risk management (including, especially, the quality of decision-making) formally, every year.

Boards should demand such assessments, both from executive management and the CAE and CRO.

But such assessments should recognize their interplay and mutual interdependence.

I welcome your thoughts.

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Article by Norman D. Marks, CPA, CRMA / Business, Finance and Accounting, Information Technology / internal control, objectives, risk, risk management
