Taking control has long been a function of planning, design, ownership and culture. More than 30 years ago, Mark DeLong, then chief internal auditor at a national bank, said, “There is no substitute for a controls-conscious management, and we have one.” This sentiment was echoed recently at a presentation to the Chicago Federal Reserve’s Annual Risk Conference when the president of a well-known bank stated, “We expect and direct our teams to take risks every day—we make it our business to accept carefully defined and measured risk in order to profit from our deposit and credit businesses.”
Both of these leaders not only demonstrated an understanding of the importance of a balanced approach to risk and controls; their words also underscore the foundational nature of a well-defined risk appetite. Across today’s business landscape, audit and risk management professionals emphasize the criticality of controls awareness and sensitivity, while governance has progressed from a predominantly change-control focus to a more engaging approach for owners, stewards, producers and consumers. To strengthen controls within an organization, the following seven methods should be executed:
1. Set sights on the end-to-end landscape.
Scoping governance is a daunting task best accomplished using management-defined risks to narrow the focus and establish priorities. While small, midsized and large businesses all face comparable risks across their operational, management and executive functions, the differences are often defined by industry rather than size. Developing management controls and governance support requires a sustained set of activities that produce timely insights into intended business risks and those that occur beyond this threshold.
2. Architect the environment.
Once the risk appetite is defined, appropriate measures can be applied (e.g., key risk indicators), and risk and control matrices can be developed. This integrated approach allows operational risks and controls to be parsed and addressed across manual processes, external services and automated systems, which is essential for change control over critical master and reference data as well as over complex ERP and performance management systems.
3. Leverage technology to enable processes.
As companies continue to move toward making their business processes more digital to remain competitive, internal controls should be constantly evaluated to ensure they are keeping up. In addition to staying apprised of emerging risks such as new cybersecurity threats, cloud computing and automation tools, companies should employ technology to both test controls and enhance their performance.
Organizations that have been leveraging data analytics and governance, risk and compliance (GRC) tools to evaluate full populations of data and monitor key risks are now looking to apply these tools across all aspects of the audit cycle, including using data analytics to predict risk events before they occur. Leading-edge risk departments are also beginning to use automation tools to perform manual, time-intensive tasks such as testing for Sarbanes-Oxley (SOX) compliance.