Strengthening governance and risk management
There have been a number of high-profile cases in recent years where organisations have suffered financial and reputational loss due to poor risk management. Senior managers seemed unaware of the risks involved until they came to light and did not have the internal governance processes in place to give early warning signals.
Banks and financial services companies have been particularly vulnerable. The LIBOR scandal involved a succession of high-profile cases. It seems a long time since all senior banking staff had worked their way methodically up the organisation, holding a range of different managerial positions where they were exposed to day-to-day operational processes and the risks of not following them.
It’s not just in financial services, however, where internal governance processes are under stress, leading to a higher degree of risk. A report by the OECD confirms that ‘the models of Corporate Governance employed in the US, UK and France are at least distressed, if not broken.’
The perception is that checks and balances at many levels in organisations have weakened. The risks are higher if Business processes are poorly defined and understood. This could mean that higher risk transactions aren’t carried out in an appropriate manner.
The situation has been caused by a number of factors:
- There has been a high pace of change in organisations.
- Internal structures and support teams have gradually been stripped away as the latest cost-cutting initiatives have been introduced – this has left organisations with lower levels of experience and expertise.
- Internal audit is too often seen as an overhead that is held in low esteem in the organisation. The function is not seen as a natural place for people moving up the organisation to spend time.
- Overall, there are greater demands on management and staff, particularly first line or departmental managers. Risks are often higher when managers and staff are under pressure.
Many organisations remain exposed. Risk areas are poorly defined and understood.
Here are some areas of importance in strengthening governance to reduce risk:
- Strategy for dealing with risk – there needs to be a clearly documented strategy for dealing with risk. The strategy needs to be reviewed on a regular basis. The Board of Directors should review the organisation’s system of internal controls at least once a year.
- Internal Audit – is there an internal function that audits risk areas in a structured manner? Does this function have sufficient authority within the organisation to deal with areas identified as high risk?
- Business processes – are risks aligned with Business processes? Are processes documented and have high risk areas been identified? Are there checks and balances in the processes to manage high risk areas?
- Balanced approach? – do the controls in place match the risks that are apparent? It is important not to over-engineer the controls in place so that they are excessive compared to the risks involved.
- People – do employees receive regular training in Business processes? Is there a high level of awareness of where risk is most evident in processes? Are the staff who do the work involved in defining processes and involved in identifying risk areas?
- Corrective action – is corrective action taken as a matter of course? Where high risk areas are identified and controls are seen as inadequate, are they dealt with quickly and effectively?
Having effective Business processes that are understood and audited on a regular basis can often mean the difference between effectively controlling risk and suffering financial or reputational loss. Senior management need to lead in these areas to ensure that the overall structures in place are fit for purpose.