Simplifying and optimising controls in the finance sector


The executive team of a company in the finance sector asked us to help them review the risks that related to legal and compliance matters. Their aim was to simplify their current controls where it was cost-effective to do so. The review built on the considerable risk management work that had already been undertaken across the business.

The overall process followed the steps in the international standard ISO 31000 Risk management – Principles and guidelines. The process was also compatible with the requirements of AS 3806 Compliance programs, and it supported many of the guidelines for structural, operational and maintenance elements outlined in that standard.

We facilitated a compliance workshop for the company. The effectiveness of the current controls and compliance procedures was discussed, and the output from the workshop was integrated into a simplified management process with fewer and more effective controls.


A control is anything in place that modifies risk. In a business in the finance sector, the controls are usually processes, procedures and systems that alter the likelihood of an event or change its consequences if it does arise.

Many businesses take steps to implement controls as they see the need to do so and these tend to accumulate over time. When something goes wrong, or there is an adverse incident of some kind, managers often react by creating new controls that they believe will reduce the chance or impact of another such event in the future. In many cases the new controls are introduced in isolation from and in addition to the existing controls.

In this way the number of controls grows, some controls are superseded without anyone noticing and few if any people have a full understanding of the complete set of controls in place. There might be little co-ordination or integration of the growing accumulation of controls, so the demands they place on the organisation may be out of proportion to the benefits they deliver. New entrants to the business only learn about the controls that seem most important for day-to-day operations, and they may never find out about critical controls until an incident arises and it is too late.

In addition, there are things that people in an organisation think are controls but that have no significant effect on the risks they are intended (or alleged) to modify; in other words, they are not controls. Organisations clutter themselves with all kinds of procedures, communications, reporting requirements and so on that absorb effort and ‘gum up the works’ but are not necessarily beneficial in any way, let alone in controlling risk.

Our client had many controls in place, and there was a strong feeling that they were not all effective and some were not even necessary at all. The motivation for the work outlined in this case was a drive to improve the efficiency of business operations by simplifying the controls, without increasing the company’s level of risk associated with compliance matters.

It is worth pausing for a moment to consider what we mean by ‘simplify’ and ‘simplification’, which were the terms our client wanted to use. The ideas behind these terms had several aspects.

  • Some controls were unnecessarily complicated. Processes with fewer steps, or involving fewer people, could be just as effective at lower cost.
  • Some controls replicated others, so that checks were done several times. Some of the duplicated controls could be eliminated without losing effectiveness.
  • Some controls were initiated to deal with risks that were no longer relevant to the business, or that related to superseded products. These controls could be eliminated.
  • As well as simplifying the controls themselves, there was a desire to make the processes for monitoring and assuring them more cost-effective, whether that assurance was by means of self-assessment or a more formal audit mechanism.

Despite the emphasis on simplifying the controls, in practice the thought processes in the workshop were more concerned with optimisation, to develop the most cost-effective set of controls for the business.

Establishing the context

Existing risk registers

Establishing the context began with a review of earlier risk assessments, whose risk registers we combined into an aggregated risk register. Prior to the workshop, we reviewed the aggregated register and extracted from it a shorter register of risks that fell within the three key elements:

  • Legal and compliance matters
  • Fraud
  • Image and reputation.

We developed a detailed structure and a timetable for the workshop from this reduced list.


The risk analysis process, by which the consequences of risks and the likelihood of experiencing those consequences are described, was based on that already used across the company, with minor but important modifications. Consequences were rated on five-point descriptive scales, in terms of the potential effect on the company’s success criteria:

  • Financial
  • Safety
  • Public image and reputation
  • Legal and regulatory
  • Business performance
  • Environment and community
  • Employees.

The normal set of risk criteria was expanded slightly, to accommodate the specific legal and compliance focus of the assessment, while remaining compatible with the existing company procedures. The public image and reputation scale and the legal and regulatory scale were the ones used most often in the workshop (Table 1).

Table 1: Relevant consequence rating scales (most severe level first)

| Public image and reputation | Legal and regulatory |
|---|---|
| Adverse global or national media coverage; parliamentary inquiry; major public concerns raised; major loss of shareholder support | Securities exchange suspends trading in the company’s shares; loss of trading licence |
| Adverse capital city media coverage; significant decrease in shareholder support | Securities exchange requires an immediate announcement; major breach of licence conditions; large or high-profile prosecution or litigation |
| Adverse local media coverage; concerns on performance raised by shareholders | Forced withdrawal of prospectus; moderate regulatory breach, prosecution or litigation |
| Intra-industry knowledge of incident, but no media attention; marginal decrease in shareholder support | Prospectus withdrawn voluntarily; minor regulatory penalty or minor litigation |
| Reputation intact, internal knowledge only; minimal or no impact on shareholder support | Negligible legal or regulatory impact |

Risk assessment

Risk identification

The participants in the assessment workshop were relevant operational and compliance managers. They reviewed the risk register we had developed before the workshop.

  • Risks and controls were examined, and the words used to describe them were clarified where necessary.
  • Risks not relevant to the legal and compliance focus of the workshop were set aside.
  • As they were identified, additional risks with legal or compliance implications were included and the most important controls the company had in place were noted.

Risk analysis and evaluation

For each existing risk, the participants reviewed the potential consequences that would be felt if the event were to occur, given the current controls in place in the business, and the likelihood of those consequences arising. For new risks, consequence and likelihood ratings were created.

Where a risk had several impacts on different criteria, the consequence rating was set using the criterion against which the highest impact would occur. This generated a conservative view of the overall impact.

Likelihoods were rated in terms of the annual frequency of occurrence on a five-point descriptive scale. The consequence and likelihood ratings were used to determine initial risk priorities.

An agreed level of risk was assessed on a three-point scale: Major, Medium, Minor. As a guide:

  • Major risks involved events with serious consequences that were likely to arise, even with the controls in place. According to the company’s guidelines, they required detailed management planning.
  • Medium risks involved events that might have serious consequences or that might be likely to arise, but not necessarily both. They should receive some management attention, but this may be delegated.
  • Minor risks tended to involve infrequent, low consequence events. They are often managed by routine procedures.

There were 34 risks identified. The numbers of risks for each element are shown in Table 2.

Table 2: Risks by priority category (the counts in this table did not survive; the rows shown were Legal and compliance and Image and reputation)

Of the 34 risks, two had agreed priorities of Major (Table 3). Effective management of the Major risks was important if the business was to capture its opportunities and avoid potential problems or unpleasant surprises.

Table 3: The two major risks

| Risk | Controls in place |
|---|---|
| Loss of key staff with knowledge of compliance issues or business knowledge | Succession planning; compliance and procedure manuals |
| Inadequate and non-centralised record and file keeping | Limited file procedures and system backups |

Assessment of controls

Potential exposures were assessed using a simple scale of High, Medium and Low. Potential exposure for a risk was defined as the potential level of consequences for the business if all the relevant controls failed to work as intended.

An initial guide to control actions and monitoring of controls was based on the relative levels of the agreed risk rating and the potential exposure, according to Table 4. The code letters in the table have the meanings set out in the list below the table.

Table 4: Guide to control actions (rows: agreed risk rating; columns: potential exposure)

| Risk rating | High exposure | Medium exposure | Low exposure |
|---|---|---|---|
| Major | A | F | F |
| Medium | B | C | F |
| Minor | B | D | E |

A. Risks classified as major or high on both risk rating and potential exposure. The risk rating indicates the consequences are likely to arise and to be potentially serious, even with the controls in place, and the potential exposure confirms the high consequences if the controls were to fail. These risks require more detailed analysis to determine whether treatment actions might be beneficial, either to introduce new controls or to make existing controls more effective.

B. Risks with high potential exposure, but only medium or minor on the risk rating scale after taking the controls into account. These risks have potentially serious consequences if the controls were to fail. Management attention should be directed to monitoring the controls to ensure they remain effective, and improving them where appropriate.

C. Risks classified as medium on both scales. The risk rating indicates the consequences may be serious, or be likely to arise, but not necessarily both, given the controls. These risks require some planning and management attention.

D. Risks with medium potential exposure, but with only minor agreed priority after taking controls into account. Management attention should be focused on monitoring the controls. There may be scope for simplifying the controls.

E. These risks are minor or low on both scales. They can usually be managed using routine procedures. The existing controls should be reviewed to determine whether simplifications could be made.

F. These combinations are not possible (unless the controls that have been implemented actually make matters worse!).

The risk levels and potential exposures were compared for each risk, to determine whether additional actions were warranted. In particular:

  • Risks in categories A and B, rated Major or Medium with High potential exposure, were examined closely to determine whether the controls could be improved;
  • Risks in categories D and E, rated Minor and with Medium or Low potential exposure, were examined closely to determine whether existing controls could be simplified cost-effectively, or whether the frequency of monitoring and assurance could be reduced.


A number of conclusions can be drawn about controls. Some emerge from this case study, while some are more general.

At a basic level, the effort devoted to controls, and the frequency with which they are monitored, should be linked to the significance of the risks they are intended to protect against. Where the potential exposure for a risk is high, good controls are usually needed and frequent monitoring is recommended. Where the potential exposure is low, it may be possible to simplify the controls cost-effectively and they may not need to be monitored as frequently. The effort devoted to monitoring the controls should be related to the materiality of the risks to which they each apply.

This simple materiality-based determination of effort is complicated in practice by the multiple linkages between risks and controls – one control can influence many risks, and each risk may be influenced by more than one control. The portfolio of all the risks and controls must be considered together when making plans and allocating effort. It may be useful to develop a matrix representation of risks and controls, to show the main interactions and assist in evaluating the overall costs and benefits of the controls and of changes to the controls (Figure 1).

Figure 1: Matrix of risks and controls
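The following script is an added illustration of the two ideas just described, and is not part of the original case study or the client's own tooling. It encodes the Table 4 rules (codes A to F) as a function, inverts a small risk register into the control-to-risk matrix of Figure 1, and then decides the fate of each control from the strongest code among all the risks it supports, so that a control which looks like a simplification candidate against one risk is kept when it also protects a higher-priority risk. The two Major risks and their controls are taken from Table 3; every other risk, control name and rating (including the exposure ratings on the Table 3 risks) is constructed for the example.

```python
"""Table 4 classification and a Figure 1 style risk/control matrix.

Added example. Only the classification rules (codes A-F) come from the
case study; the sample register below is constructed, apart from the two
Major risks and their controls, which are taken from Table 3.
"""
from collections import defaultdict

# Ordinal positions of the two scales used in the case study.
RISK_RATING = {"Minor": 0, "Medium": 1, "Major": 2}
EXPOSURE = {"Low": 0, "Medium": 1, "High": 2}

# Action codes ordered from most to least demanding of management attention.
CODE_STRENGTH = {"A": 4, "B": 3, "C": 2, "D": 1, "E": 0}

# What the text says each code calls for (paraphrased).
DISPOSITION = {
    "A": "analyse in detail; consider new or stronger controls",
    "B": "monitor closely; improve where appropriate",
    "C": "retain; some planning and management attention",
    "D": "monitor; scope to simplify",
    "E": "routine; review for simplification",
}

# Constructed sample register: risk -> (agreed rating, potential exposure,
# controls linked to the risk). Exposure ratings are assumed throughout.
SAMPLE_RISKS = {
    "Loss of key compliance staff": ("Major", "High", ["Succession planning", "Procedure manuals"]),
    "Non-centralised record keeping": ("Major", "High", ["File procedures", "System backups"]),
    "Late regulatory filing": ("Medium", "High", ["Filing calendar", "Second-person sign-off"]),
    "Superseded product disclosure": ("Minor", "Medium", ["Second-person sign-off"]),
    "Stale intranet policy page": ("Minor", "Low", ["Quarterly page review"]),
}


def classify(rating: str, exposure: str) -> str:
    """Return the Table 4 action code for a risk rating and potential exposure.

    A = Major/High; B = High exposure with a lower rating; C = Medium/Medium;
    D = Medium exposure with a Minor rating; E = Minor/Low; F = a rating
    above the exposure, which cannot happen unless the controls make things
    worse, so it is reported as an inconsistency rather than acted on.
    """
    r, e = RISK_RATING[rating], EXPOSURE[exposure]
    if r > e:
        return "F"
    if e == 2:
        return "A" if r == 2 else "B"
    if e == 1:
        return "C" if r == 1 else "D"
    return "E"


def control_matrix(risks):
    """Invert the register into control -> {risk: code} (the Figure 1 view)."""
    matrix = defaultdict(dict)
    for risk, (rating, exposure, controls) in risks.items():
        code = classify(rating, exposure)
        for control in controls:
            matrix[control][risk] = code
    return dict(matrix)


def control_dispositions(risks):
    """Decide per control by looking at every risk that relies on it.

    A control is only a simplification candidate when all of its risks fall
    in D or E; a single A or B risk is enough to keep and strengthen it.
    Controls with any code F risk are returned separately for re-checking.
    """
    dispositions, inconsistent = {}, {}
    for control, by_risk in control_matrix(risks).items():
        bad = [risk for risk, code in by_risk.items() if code == "F"]
        if bad:
            inconsistent[control] = bad
            continue
        strongest = max(by_risk.values(), key=lambda c: CODE_STRENGTH[c])
        dispositions[control] = DISPOSITION[strongest]
    return dispositions, inconsistent


if __name__ == "__main__":
    decisions, flagged = control_dispositions(SAMPLE_RISKS)
    for control, action in sorted(decisions.items()):
        print(f"{control:24} {action}")
    for control, risks in flagged.items():
        print(f"CHECK {control}: rating exceeds exposure for {risks}")
```

In the constructed register, "Second-person sign-off" is the case the text warns about: against the superseded-product risk alone it sits in category D and looks like a candidate for simplification, but because it also supports a category B risk the portfolio view keeps it. The F check catches a register entry whose agreed rating is higher than its exposure, which the text treats as impossible unless the controls are making matters worse, so the script reports it for review instead of silently classifying it.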

Wherever possible, monitoring should be continuous, with routine sign-offs of the main checking procedures and reporting for compliance purposes linked to exceptions. (Daily reconciliation processes are an example.) The compliance task then becomes part of ‘business as usual’, rather than an additional burden on busy staff, and this is particularly important for controls relating to risks where the potential exposures are low.


The company was able to eliminate unproductive activities that had crept into its day-to-day operations over a long period of time as various challenges stimulated concern about risks. This exercise brought the control assurance activity of the company into line with its current situation. It created an efficient integrated compliance framework that was easier to understand and communicate to company personnel so that they could engage with it effectively. The investment of a small amount of effort in the review yielded savings and greater confidence that the company would maintain its compliance obligations and it provided a template for reviewing the situation as the need arose in future.

Listed company in the finance sector
Services included:
Risk assessment