Risk-focused controls and control environment

Organisations must have the necessary control environment to enable them to implement their corporate strategy and achieve their objectives. Controls should be linked to risks: they provide the necessary organisational value and reasonable assurance that objectives can be achieved within an acceptable degree of residual risk and within risk appetite.

Organisational risk appetite should determine the appropriate balance between risks and controls. This is integral to the decision-making process. Too many controls may limit the organisation from achieving its objectives and key performance indicators.

There are two common types of control environment:

  1. Risk-focused control environment where there are systematic decision-making processes to prioritise control activities and deploy resources based on the level of risk.
  2. Compliance-based control environment where potentially costly, complex, and inflexible layers of over-engineered controls are created and maintained to meet the needs of multiple stakeholders and regulatory requirements.

In a risk-focused control environment, the organisation’s key performance indicators and risk appetite threshold define the level of control environment that is required for implementing its corporate strategy.

Risk escalation

Risk escalation is an important management practice that ensures the key opportunities, uncertainties, and risks are known and understood by the people with the authority to manage them.

It is not appropriate to manage risks at the operational or lower level if they pose an extreme risk to the organisation and require the allocation of substantial strategic risk treatment resources. Where a risk poses a very high threat to the organisation, especially when the residual risk is beyond the pre-defined organisational risk appetite or tolerance threshold, inform the board immediately, without exception.

Risk escalation should be a transparent and objective process of communicating vital information to the attention of higher management (or board) based on predefined and agreed risk escalation criteria and thresholds.

Risk aggregation

Risk aggregation is the combination of several risks into one risk to develop a more complete understanding of the overall risk that is directly related to the corporate strategy and strategic objectives.

For example, take a higher-level, objective-focused risk profile view of a group of risks and compute their aggregated level of risk, the combination of consequence and likelihood, as a single risk rating.

A risk profile is the organisation’s documented understanding of risk exposures. It effectively informs management about the appropriate allocation of resources for the control of identified risks.

Information from lower-level risk registers may be rolled up, or aggregated upwards, based on root causes, themes, or common elements. Connect the registers through risk aggregation mechanisms and organisational structures, with the key purpose of developing a strategic or higher-level risk profile or risk rating that is linked to corporate strategy and objectives. The level of analysis chosen becomes important.

Organisations may assess levels of exposure through risk aggregation across:

  1. The entire organisation (enterprise-wide).
  2. Product or service lines.
  3. Customer or stakeholder groups.
  4. Geographical locations.
  5. Business units or departments.
  6. Value chains and processes.
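The roll-up and escalation steps described above, as an added illustration that is not part of the original article: lower-level register entries are rated as likelihood combined with consequence, aggregated by theme, and the aggregated residual rating is compared with pre-agreed appetite and tolerance thresholds to decide who must be informed. The 5-point scales, the multiplication rule, the "highest likelihood and consequence in the theme" roll-up rule, the threshold values and the sample register are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed 5-point scales (assumption; the article fixes no scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Pre-agreed escalation thresholds on the 1-25 rating (assumed values).
APPETITE_THRESHOLD = 12    # above this the residual rating exceeds risk appetite
TOLERANCE_THRESHOLD = 16   # above this: inform the board immediately


@dataclass
class Risk:
    risk_id: str
    description: str    # phrased as likelihood + consequence, not as an event
    theme: str          # root cause / common element used for the roll-up
    likelihood: str
    consequence: str
    owner_level: str    # "operational" or "strategic"

    def rating(self) -> int:
        """Single rating for one register entry: likelihood x consequence (assumed rule)."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def aggregate_by_theme(register: List[Risk]) -> Dict[str, dict]:
    """Roll lower-level risks up into a theme-level profile.
    Assumption: a theme's likelihood and consequence are the highest seen
    among its members, and its single rating is their product."""
    profile: Dict[str, dict] = {}
    for r in register:
        entry = profile.setdefault(r.theme, {"likelihood": 0, "consequence": 0, "members": []})
        entry["likelihood"] = max(entry["likelihood"], LIKELIHOOD[r.likelihood])
        entry["consequence"] = max(entry["consequence"], CONSEQUENCE[r.consequence])
        entry["members"].append(r.risk_id)
    for entry in profile.values():
        entry["rating"] = entry["likelihood"] * entry["consequence"]
    return profile


def escalation_decision(rating: int, owner_level: str) -> str:
    """Apply the pre-agreed escalation criteria to a residual rating."""
    if rating > TOLERANCE_THRESHOLD:
        return "board: inform immediately"
    if rating > APPETITE_THRESHOLD:
        return "executive: escalate, beyond appetite"
    if owner_level == "operational":
        return "operational: manage locally"
    return "strategic: monitor"


def escalate(register: List[Risk]) -> Dict[str, str]:
    """Escalation decision per theme, taken from the aggregated profile."""
    decisions = {}
    for theme, entry in aggregate_by_theme(register).items():
        # A theme is strategically owned if any member is (assumption).
        levels = {r.owner_level for r in register if r.theme == theme}
        owner = "strategic" if "strategic" in levels else "operational"
        decisions[theme] = escalation_decision(entry["rating"], owner)
    return decisions


# Constructed sample register.
REGISTER = [
    Risk("R1", "likely loss of a key supplier, moderate delivery delays", "supply chain", "likely", "moderate", "operational"),
    Risk("R2", "possible port closure, severe shortage", "supply chain", "possible", "severe", "operational"),
    Risk("R3", "unlikely turnover in one team, minor impact", "workforce", "unlikely", "minor", "operational"),
    Risk("R4", "possible loss of certification, moderate impact", "compliance", "possible", "moderate", "strategic"),
]

if __name__ == "__main__":
    for theme, decision in escalate(REGISTER).items():
        print(f"{theme}: {decision}")
```

Note that R1 (rating 12) and R2 (rating 15) each sit within tolerance on their own, but the aggregated supply-chain theme (rating 20) crosses the board threshold, which is the point of aggregating before deciding on escalation.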

Issue management

Distinguish and manage risks and issues appropriately where:

  1. A known unknown, or risk, is the effect of uncertainty on objectives; should it occur, it may have an effect (positive or negative) on the achievement of objectives, e.g., a widespread pandemic may impact vaccine supply. A risk should be described as the combination of the likelihood of an event (or hazard or source of risk) and its consequence, not as the event itself. A risk can also be an opportunity, or a ‘positive’ risk.
  2. A known known, or issue, is an event that has already occurred and is known; it was not planned, requires management action, and has an impact upon the achievement of objectives, e.g., the development of an immunisation policy did not fully engage all stakeholders.

Human capital management

Manage and support employees so that they can positively contribute to the overall effectiveness and efficiencies of the organisation.

There are 22 workforce practices that are foundations for better organisational performance:

  1. Staffing – Establish a formal process by which committed work is matched to resources and qualified individuals are recruited, selected, and transitioned into assignments and jobs.
  2. Communication and coordination – Establish timely communication and interaction throughout the organisation. Ensure that the workforce has the skills to share information and coordinate activities efficiently.
  3. Work environment – Establish and maintain physical working conditions and provide resources that allow individuals, teams, and workgroups to perform their tasks efficiently without unnecessary distractions.
  4. Performance management – Establish objectives related to committed work against which team and individual performance can be measured, to discuss performance and progress against these objectives, and to continuously enhance or improve performance.
  5. Training and development – Ensure that all individuals have the skills required to perform their assignments and are provided with relevant training and development opportunities.
  6. Compensation – Provide all individuals with remuneration and benefits based on their contribution and value to the organisation.
  7. Competency analysis – Identify the knowledge, skills, and process abilities required to perform the organisation’s business activities so that they may be developed and used as a basis for workforce practices.
  8. Workforce planning – Coordinate workforce activities with current and future business needs at both the organisational and workgroup levels.
  9. Competency development – Constantly enhance the capability of the workforce to perform its assigned tasks and responsibilities.
  10. Career development – Ensure that individuals are provided opportunities to develop workforce competencies that enable them to achieve career objectives.
  11. Competency-based practices – Ensure that all workforce practices are based in part on developing the competencies of the workforce.
  12. Workgroup development – Organise work around competency-based process abilities.
  13. Participatory culture – Enable the workforce’s full capability for making informed decisions that affect the performance of business activities and the achievement of objectives.
  14. Competency integration – Improve the efficiency and agility of inter-dependent work by integrating the process abilities of different workforce competencies.
  15. Empowered workgroups – Empower workgroups with the responsibility and authority to determine how to conduct their business activities most effectively to achieve business objectives.
  16. Competency-based assets – Capture the knowledge, experience, and artefacts developed in performing competency-based processes for use in enhancing capability and performance.
  17. Quantitative performance management – Predict and manage the capability of competency-based processes for achieving measurable performance objectives and outcomes.
  18. Organisational capability management – Quantify and manage the capability of the workforce and of the critical competency-based processes it performs.
  19. Mentoring – Transfer the lessons of greater experience in a workforce competency to improve the capability of other individuals or workgroups.
  20. Continuous capability improvement – Provide a foundation for individuals and workgroups to continuously improve their capability for performing competency-based processes that are aligned with organisational strategy and outcome.
  21. Organisational performance alignment – Enhance the alignment of performance results across individuals, workgroups, and teams with organisational performance and business objectives.
  22. Continuous workforce innovation – Identify and evaluate improved or innovative workforce practices and technologies and implement the most promising or effective ones throughout the organisation.

From a strategic perspective, it is about linking the workforce (human resources) and the HR function to strategic objectives to enable and improve performance and develop a positive culture that fosters innovation, flexibility, change, and competitive advantage.

Knowledge management

Knowledge management promotes an integrated approach to identifying, capturing, evaluating, retrieving, and sharing all an enterprise’s information assets. These assets may include databases, documents, policies, procedures, and previously uncaptured expertise and experience in individual employees.

Strategy formulation and execution is a constant learning and improvement process for the organisation. The quality of strategy and its execution depends on the quality of the organisation’s learning, improvement, and feedback mechanisms, and the quality and availability of information used for decision-making, adaptations, and experimentations.

Organisations should strategically use their information resources and knowledge assets by remembering and applying experience, lessons learned, and business intelligence, and putting all these into good use while formulating and executing the corporate strategy.

Assurance, audits, and independent evaluations

Assurance relates to the likelihood of achieving objectives and key performance indicators within an acceptable degree of residual risk and within risk appetite and tolerance thresholds. The level of assurance depends on the effectiveness and maturity of controls and the control environment.

Assurance is a term that usually describes the methods and processes employed by an assurance provider to evaluate an organisation’s public disclosures about its performance as well as underlying systems, data and processes against suitable criteria and standards to increase the credibility of public disclosure.

Internal audit

As part of the organisation’s independent assurance activities, the internal audit function must align its focus and activities to key strategic risks and controls and assist the organisation to achieve its objectives.

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” (Institute of Internal Auditors Research Foundation)

Internal audit should enable the organisation to achieve its objectives by evaluating and improving the effectiveness of the risk management, control, and governance processes. Internal auditors should actively work with management to systematically review systems, processes, and operations, and identify how well risks, appetite for risks, and controls are managed strategically, including whether the right processes are in place and whether agreed procedures and controls are being adhered to.

Assurance mapping

Align all assurance activities to the corporate strategy and strategic risks through a comprehensive assurance mapping process that determines where key risks and controls lie within the organisation.

An organisation-wide assurance map of all assurances and reviews conducted by independent parties can effectively prioritise resources to close potential assurance, control, or performance gaps linked to key risks, controls, and strategic objectives.

Assurance mapping exercises can involve mapping assurance activities and coverage against one or more of the following (an example assurance map is shown below):

  1. Corporate strategy.
  2. Strategic objectives and key performance indicators.
  3. Key strategic risks and controls.
  4. Critical business functions, processes, and value chains.

[Figure: example assurance map (image not reproduced)]

Performance monitoring, review, and reporting

Performance reporting is important for understanding how effectively and efficiently the organisation is performing so it can:

  1. Continuously and regularly evaluate and adapt its objectives and key performance indicators to achieve its corporate strategy.
  2. Make timely and appropriate adjustments and improvements as necessary.
  3. Drive organisational and individual learning and improve performance.

Performance reports may cover the following:

  1. Progress towards the achievement of objectives.
  2. Performance tracking against measures and agreed targets.
  3. Financial performance and budget variances.
  4. New and emerging risks and issues.
  5. Level of opportunity and risk against risk appetite and tolerance thresholds.
  6. The implementation progress of performance plans, risk treatments, and audit recommendations (internal and external).

Calendar of events

Develop a calendar of events as shown below.

[Figure: example calendar of events (image not reproduced)]

Integrated reporting is vital for value creation (or preservation)

Organisations should have an integrated report generated from a fit-for-purpose integrated reporting system that concisely consolidates, aggregates, and communicates how their performance, corporate strategy, governance, risk, controls, and resource utilisation have resulted in the positive creation of value over the short-, medium-, and long-term.

An integrated reporting system should consolidate the common reporting elements and stakeholder requirements across the entire organisation. This should simplify the reports and reporting processes, thereby consuming fewer resources and less of employees’ time. Reports generated or produced must create value for the recipient and contribute positively to decision-making.

Automation of performance reporting

Employees can spend significant amounts of time reporting status and giving updates. Without automated systems and simplified processes, paper-based reporting is ineffective in the long-term.

Improving information technology and management capacity and capability should help organisations integrate a growing body of more granular, useful performance information into management reports, thereby making it easier to organise information for analysis and decision-making and to streamline integrated reporting.

Data mining technologies and scenario-planning capabilities can make it easier for organisations to identify impending risks and issues and improve performance.

Performance management

Performance management is a cyclical process aimed at tracking and improving the intended performance of employees. This ensures alignment of individual employees’ activities and performance with the corporate strategy, strategic objectives, and key performance indicators. This includes personal development objectives and plans.

Link employees’ performance objectives, compensation, benefits, and rewards to corporate strategy and its successful performance.


At the highest level, the CEO (or equivalent) is personally accountable to the board (or accountable officer) for the successful execution of the corporate strategy, measured by high-quality, long-term corporate key performance indicators. This is also closely linked to how executives are adequately compensated for performance improvement and acceptable risk-taking. The organisation’s strategic key performance indicators could also be the CEO’s personal performance indicators, where appropriate.

Likewise, business unit managers are personally accountable for the successful execution of the business unit strategies that have been cascaded from the corporate strategy.

Process managers or owners are personally accountable for processes, and project managers are personally accountable for the successful implementation of assigned projects.

These accountable persons (e.g., business unit managers, process managers, etc.) should positively add tangible value to the success of the CEO’s personal performance in executing the corporate strategy.

However, if portions of a business unit’s activities are not attributable to the business unit manager, especially due to reporting lines or organisational structure, then the business unit’s performance scorecard should not also serve as the business unit manager’s personal scorecard. Develop a separate personal scorecard for the business unit manager.

Compensation, benefits, and rewards

Apart from performance management, compensation, benefits, and rewards are an integral part of human resource management practices that help in rewarding and motivating employees and improving organisational effectiveness and performance.

Compensation is all forms of pay, and benefits are the indirect financial and non-financial payments, arising from an employee’s employment with the organisation.

Organisations should make every effort to:

  1. Link the achievement of strategic objectives to compensation, benefit, and reward strategies and systems.
  2. Recognise and reward calculated and acceptable risk-taking as well as objective achievement.

When times are hard, it is equally hard to keep and motivate employees by routinely upping their pay. Studies suggest that for people with ‘good’ salaries, non-financial incentives work better (i.e., praise from executives, leadership attention, a chance to lead projects, etc.).

Change management

Managing change and transition is the essence of any strategy, where:

  1. Change is situational (e.g., a new boss, new technology, a new building).
  2. Transition is the psychological process people go through to come to terms with the new situation or change.

This implies that there will always be change and transition for everyone in the organisation when the corporate strategy is executed. With every change or transition, employees want to know how the change affects their day-to-day workflow, tasks, and responsibilities.

Change management addresses the human risks in strategy execution. It is about successfully transitioning individuals, teams, and the organisation to a desired future state as articulated by the corporate strategy.

Within the context of strategy execution, when employees think about their jobs differently by learning new competencies and demonstrating different behaviours and mindsets, the rate at which they adapt and perform the necessary change and transition will dramatically improve the likelihood of achieving the objectives.

Compliance management

Compliance is an outcome of an organisation meeting its obligations. This is where compliance must be aligned with the achievement of strategic objectives and the management of opportunities, uncertainties, and risks.

Regulations are the rules of the game that organisations must follow, and make the most of, to win the game and become more competitive. Therefore, organisations can effectively manage regulatory and compliance risks by:

  1. Maximising any competitive advantages and opportunities that may arise.
  2. Minimising any negative outcomes or reputational risk from non-compliance.

This is where organisations can transform compliance into a source of competitive advantage. New regulations can be an opportunity to claim industry leadership.

Compliance as a competitive advantage

All your competitors are in the same boat. But very few will take advantage of the regulatory onslaught to become more competitive.

Organisations can perform more effectively (i.e., create or capture more value or better manage opportunities, uncertainties, and risks) when they comply with applicable laws, search for innovative opportunities created by regulation and deregulation, and proactively anticipate future regulation. They can also reduce potential reputational risk to their organisation due to poor compliance.

All regulatory and compliance activities should be risk-based. This ensures that prioritised resources are devoted to those high-risk obligations and compliance that have the most impact on the achievement of strategic objectives.

Adopting a risk-based approach to managing regulatory and compliance obligations should result in:

  1. Improved outcomes with treatments and controls prioritised to deal with the most significant opportunities, uncertainties, risks (e.g., reputational risks) and issues.
  2. Efficiency gains as resources are strategically prioritised and used where they will most likely improve compliance outcomes and organisational performance.
  3. Reduced regulatory and compliance costs or increased opportunities.
  4. Better support for compliance as processes are clear and cost-effective.
  5. Opportunities, uncertainties, risks, and issues managed in a prioritised way.

Executives should work collaboratively with those responsible for compliance. Too many organisations put a band-aid on the obvious wound without making the necessary investments to fix the underlying compliance problem.

Quality management and continuous improvement

Quality management is the process of meeting the quality or requirements expected by stakeholders.

The quality of something can be determined by comparing a set of inherent characteristics with a set of requirements. When those inherent characteristics meet all requirements, high or excellent quality is achieved.

From the perspective of strategy execution and organisational performance, use quality management to:

  1. Prioritise quality or improvement projects that are strategic, value-adding, and have the highest positive impact on the achievement of objectives and performance improvement.
  2. Develop and improve the strategy execution plan, objectives, and key performance indicators.
  3. Improve the quality of integrated reports and reporting systems and processes.
  4. Improve the framework, process, and integrated management system for executing the strategy.
  5. Ensure necessary compliance with the requirements of laws, industry and organisational standards and codes, principles of good governance and accepted community and ethical standards.
  6. Streamline the number of key controls required, thereby improving the effectiveness of the controls and control environment.
  7. Reduce waste and improve value.
  8. Sustain organisational success and performance.
