How do you encourage your staff to embrace risk and controls? In this recording, David Tattam talks about how understanding the dynamics and balancing your control framework can help you change your organisation for the better.
This session was recorded at the 2019 SOPAC Annual Conference. To attend the SOPAC Conference in Brisbane in 2020, you can visit this page.
We've got a session on controls, and the word “controls” is probably one of the reasons we have a problem with controls, because as we know, risk management is the responsibility of everyone in an organisation, and engaging those front-line staff in doing risk management is a huge challenge.
One of the reasons it's a huge challenge, I believe, is often the branding we risk managers have over “controls.” If you say to someone, “I want you to implement a new control in your business,” and they're a front-line marketing manager or a salesperson, I don't know about you, but the common response is a grunt or a growl, and saying, “Oh, if I have to, but it's going to stop me selling,” or something like that. So we have a brand problem.
With that said, I think what's really important is to appreciate that controls are probably the most important thing we have in managing risk in our businesses. The number one thing. So what I want to do is just spend 40 minutes with you, looking back at what I call the basics, and look at the fundamentals of what controls are all about, and then finishing off with the focus of auditing your control framework. I'm going to talk about it from the perspective of have we forgotten the basics?
In terms of the basics, I have to thank APRA and the Commonwealth Bank of Australia for the learnings they gave us in the prudential report on the CBA back in April, which as many of you will know was really a report on financial services in Australia. It was pretty generic across the whole of the industry. There were a couple of things, if you haven't read the report, that really jumped out.
The first one was this controls summary. Across the top it highlights the key risk areas within the bank. In the line below it, it mentions the percentage of key controls for inherently high and very high risks that were rated marginal and unsatisfactory in the most recent controls assurance testing. Which, if you put the other way round, were not effective.
The percentages there. Security, 20 percent. Resilience, 22. One in five key controls weren't working effectively. Now before we think too negatively about the Commonwealth Bank, I would like you first, rhetorically, to ask yourselves, what does it look like in your organisation? As we say, we don't shoot arrows from a greenhouse or a glass house. I would argue that that is a representation of pretty much where we stand in most financial services companies in Australia, and perhaps also non-financial services.
Have we forgotten the basics?
Now, given a key control is one that you are heavily relying on to manage the risk in your business, that's quite disconcerting. My view is that we should not sleep until that line across the top for each one of you is zero. This is a key control, and if you think otherwise, and you think there's a percentage of margin for error with key controls, I want you to think about getting on a plane to the UK. I just got off one on Friday night actually.
As you get on, you look left into the cockpit, and there's a couple of people sitting on stools, they're called the pilots, and they're having a bit of a chat. There's a few little red warning lights going on the cockpit, and you say, “What are you doing?” They say, “We're just about to take off, strap in.” And you say, “Well, there's a few little red flickery lights on the cockpit,” and they say, “Oh, it doesn't matter. 80 percent are working okay.”
What are you going to do? I know what I'm doing. I'm heading for the exit immediately. I'd expect 100 percent of all key controls to be working, and let's be honest, 100 percent of non-key controls. I never understand why fellow passengers get upset, while we wait on the tarmac, when they say there's a delay because there's a warning light coming up on the cockpit. I don't want to move. I don't want to go up. Right? So this is what we should be looking for in every one of our organisations, and I don't think we're there yet.
That APRA report went on to say one of the problems we have is the excessive level of manual controls. As we know, humans are fallible, and the more manual controls we have, the less effective they are as a general rule.
Improving your control framework
The report commented that over 80 percent of controls within the CBA are manual. It went on to highlight that the global standard that they used, or the regulator used, was it should be under 60 percent. Right? Now that's obviously one of our big issues, the level of automation of our controls, and the two, I believe, go quite strongly hand in hand.
With that as the opening volley, we have to ask the question, why? Over the years, I've asked many of our clients' staff, who do controls and operate controls, I've often asked them a few questions, a survey. And the survey says, I just verbally do this, “Why do you do that control?” These are the most common answers.
1. The first one is, “What control?” They don't actually know what they do is a control, which is not a good start.
2. The second one, “I've always done it.”
3. Thirdly, “I was told to do it.”
4. Fourthly, “It's in my procedures manual.”
5. And lastly, “I do it so I don't get in trouble.”
Now, all of those are slightly worrying, because not one of them addresses the objectives of a control. The purpose of the control.
Now without getting into heavy frameworks, one of the most important things you can do is to change that within your business. To identify who owns the control, who operates the control, and make sure that every control operator and owner can articulate the objective of the control. Why do they do it? And it should say something like, “Why do you do that control?” “Because in our business, we have the following risks.” Right? And “This risk, in order to be managed, requires the following procedure around it.” Control.
As you can see, when we do that, that reduces the likelihood of the risk event occurring, so that the outcome on the customer, I'm taking that as one example, is positive rather than negative. Now you've got the linkage between the control and the outcome of what we are trying to do, and already you've dramatically improved your control framework.
Now when we think about controls, controls are going back to basics, but the basics are often what's missing in our risk management and our control management within a business.
Building up your defence
Many of you will be comfortable, I hope, with the three lines of defence model. If you're not, there's one minute on three lines of defence. The way I think “three lines of defence” is as follows.
What are we defending against? We're defending against risk. And what are we protecting? We're protecting the organisation's objectives. Those of you who are familiar with the ISO 31000 risk management standard would know that risk is the effect of uncertainty on objectives, so our whole focus of risk management and controls management should be on the objectives of the organisation.
One of my objectives at lunchtime today might be to go for a walk. Why? I want to feel good for the rest of the afternoon. One of the things that could stop me feeling good for the rest of the afternoon could be that it might rain. Now, rain represents all the risks that you face, whether it be cyber risk, fraud risk, human error risk, whatever it might be. These are the inherent risks in your environment that could affect the achievement of your objectives.
Now if I was to go outside of this centre at lunchtime and it looked like it might rain, what might I do? I could pray, I guess, but I might do something more practical, which might be something along those lines, which is put up an umbrella. That's what we should be doing in our business. And the umbrella is our internal control framework, which is exactly what we're talking about today. And I would put to you, it's the most important thing you've got to protect you when you go out at lunchtime. That is known as the first line of defence, because it's the first point that the risk hits. This is our internal control framework.
Now if the umbrella leaks, you haven't got very good controls. Do we give up and get wet? No, not within business anyway. We should have the second line of defence, which is risk management, or enterprise risk management. Enterprise risk management should not be a second umbrella catching the drips from the first umbrella. It should be there to review and challenge the owners of the first umbrella to make sure that first umbrella, i.e. the internal control framework, is effective, efficient, as much as it can be. They are there to review and challenge.
If they don't do a very good job, do we get wet? Not in the three lines of defence. Not yet, anyway. We have a third line, which is internal audit. Internal audit are there to provide independent assurance that the other two lines are working effectively. Now if they don't do a very good job, sorry guys, you're gonna be sitting in a puddle all afternoon, because we failed in the achievement of our objectives.
Those of you that do not have a mature three lines of defence, often internal audit is doing the role of line two, and going and checking directly into the business in terms of their controls. When you have a mature enterprise risk framework, I'd be expecting internal audit to firstly be auditing the second line of defence, to see how well they are reviewing and challenging the first line. If you do not have an effective or a developed ERM framework, then audit normally have to go straight into the umbrella (the business) and check it directly.
As you can see there, the most important part of that is the internal control framework, which is what we're going to be talking about today. So for the rest of the session, I will talk about five things.
1. Understanding the risks and controls in your business, what I call getting intimate with your controls and the risks that they are addressing.
2. Defining the best risk treatment methods to use.
3. Understanding the effect of controls on risk.
4. Monitoring control effectiveness, often called controls assurance.
5. And lastly, providing risk assurance through effective reporting.
And we will then finish off on what I would suggest is the focus of internal audit around this whole process.
Let's start off thinking about understanding controls.
The ISO 31000 standard says control is a measure that is modifying risk. As much as that might be true, I don't find it overly engaging with the staff at the front line, because they won't know what you're talking about, I'll be honest. Standards are good for people that understand risk. I'm not sure they're great at communicating it. We maybe need to use a more basic language, which we're going to do in a minute. But fundamentally, controls are something that modifies the level of risk.
If we take that to the next logical level, if risk is the effect of uncertainty on objectives, controls must be modifying the effect of uncertainty on objectives. If we take that to its natural conclusion, then controls are a key tool for managing that risk, i.e. managing the effect of uncertainty on objectives, and the wider level of risk management is the management of the effect of uncertainty on objectives.
Although we, Protecht, pride ourselves in risk management, I actually don't like the name risk management, and nor do a lot of people in the front line, because as soon as you say “risk management” to a salesperson, miraculously their phone suddenly rings and they've suddenly got an emergency meeting they have to attend! We're not getting great engagement because of the word risk.
I'd put to you that risk management is the wrong name for what we do, because the most important word up there is the word objectives. I would put to you that managing the effect of uncertainty on objectives is actually “outcome management.”
The world changes if you start doing this:
- “Good morning, it's Dave here.”
- “Where are you from?”
- “Risk management.”
- “What do you want?”
- “A meeting with you.”
- “Oh, my diary's really busy for a couple of months.”
- “Good morning, it's Dave here from outcome management.”
- “What do you do?”
- “I'm here to help you "nail" your objectives.” I bet I'd get a seat at the table straight away.
So the first thing I want all of you to do is start to think, how can we re-brand using words, simple words, to get greater engagement with our front-line staff? And the first one I would put to you is, wherever you hear the word risk management, say in your head, “Outcome management.” Your face will tend to go from a grimace to a smile.
The second thing that's important is, whenever you use the word risk in a sentence, you should also use the word outcome. Because if you do not talk about risk and outcome in the same sentence, you're not going to engage the front line, and you are only looking at half of the relationship, because risk has a partner called reward. If you talk about one on their own, it's not going to end up in a good marriage, a sustainable marriage.
Achieving your objectives with efficiency
In terms, then, of suggesting how outcome management might look, I'm going to use a simple analogy. Our objective here is to get to the end of that road safely and efficiently. That's our objective. Now the potholes represent risk, because they create uncertainty that we might not be able to achieve our objective. We decide how we're gonna attempt to get to the end of that road safely.
1. We'll suggest alternative number one is just to "floor" the accelerator when the flag drops. “Don't worry about those potholes, we'll be okay.”
In Australia we have a wonderful saying for this called “She'll be right.” This is where you highlight risk to the business and they simply look the other way, because they're so transfixed on reward, they don't really care about risk. These are the "she'll-be-right" brigade.
The problem with that is, they might get seven or eight successful trips to the end of the road, pure luck. But the law of probability says that before long, that's what's going to happen. It's all over.
We call that boom-bust management. Boom-boom-boom-boom-boom-bust, and it's all over. And this is because we are paying 99 percent attention to reward, and not much attention to risk. That is not sustainable.
2. Method number two is: We are so paranoid about those potholes, i.e. risk, we don't even want to attempt to get to the other end of the road, so we put a clamp on the wheel and don't even attempt it. This is called avoidance. We give up and go home. This is the opposite to the first example. We're paying 100 percent attention on risk and nothing on reward, so we're never going to get success, because we're not even attempting to do anything to achieve our outcomes. This is avoidance, excessive focus on risk.
3. The third one. We want to get to the end of the road, but we're so scared about the holes, but we don't want to give up, so we spend a fortune on massive wheels and tires. Now the problem with this, it makes the car go about five kilometers an hour, so by the time you get there it's like two hours later, everybody's already left, and you're bankrupt. This is the same, it's an overemphasis on risk, not enough on reward. This is to invest too heavily on a cumbersome control framework.
On a recent course, I had a professional mountaineer in the group, and he said, “This is absolutely true. When I go and climb a mountain, I've got to go and have a look at all the rock faces. I've got to go and put a thing called "Cams" into the rock to attach the safety rope to, so when they fall they don't fall far.” And he said, “In an ideal world, I'd have one of those every meter so I didn't have to fall more than a meter if I fell.” He said, “If I do that, though, the backpack weighs 150 kilos, so I can't even move. So it stops me remotely achieving my objective.” And he said, “It's a balancing act between getting the weight right and having enough cams (controls) to be able to get to the top and be safe. And it's a constant balancing act.”
4. What's the solution? I would put to you, to smartly manoeuvre around the holes. Quick left, quick right, 25 kilometres an hour, brake, through that hole, over this one. And you're smartly making risk reward decisions as you go up that road. I would put to you, that is going to be success, because you're going to sustainably get to the end of that road over and over and over again.
Some of you are going to be saying “Yes, but it's going to take longer than the first person who just "floored" it.” Yes, it will. It's called the investment you make in controls and risk management. And yes, there is an investment. There's some dollars, there's some time. We want to make that as effective and efficient as possible, but there is an investment. It takes a little bit of time.
But I'd put to you, is that extra piece of time worth it to enable you to get over to the end of that road over and over and over again, or would you rather just risk it? Have seven great trips, and then the eighth one, you are finished?
This highlights the number one focus of risk management and controls management, and that is sustainable reward. Sustainable reward, which means we get the reward over and over and over and over again. We do not boom-boom-boom-bust.
Now this highlights the importance of controls. Controls should not weigh the business down excessively, but they should be there to get the balance right between the weight of the backpack and the risk between the gaps, between the cams and how far you fall.
With that said then, we need to drill down and understand risk. Because if controls are there to modify risk, we can never understand, manage, audit controls without understanding risk. So in order to do a quick lesson on risk, I want to introduce you to Jenny. Here she is, she's seven years old, and she's trying to achieve something. And most of us, especially parents, will understand that she's got a fair degree of risk.
When we try and understand the risk of Jenny, we need to go through a logical process, and it's this. Risk is the effect of uncertainty on objectives. All risk management and controls management you ever do must always start with objectives. So let's ask Jenny what her objectives are, she has three of them. She probably weights number one more than two more than three, but there's her three objectives.
In order to understand the risks that could stop her achieving her objectives, we first have to understand her operating model, because it's the risks that could stop the operating model being successfully completed, which will end up impacting the achievement of her objectives.
Her operating model are the key things she has to do in order to achieve those objectives. I'd put to you, they are these. They are three steps she has to successfully complete. Now in your business, that's your critical processes. Your operating model.
Once we've got her critical processes, we can now ask the question, what risks exist that could stop one or more of those processes being successfully completed, which means she will not achieve her objective? I'm sure most people in the room will go to the obvious one, which is what I've done, and that's called falling risk, the risk of falling.
Falling is an event. It's the point at which she loses control. At this stage, we don't know why she might fall, so I've made up five reasons. You can probably think of more. And here they are.
1. She's seven years old so human error.
2. It rained last night and created a wet slippery hazard.
3. Slippery rock because of moss in it.
4. Manufacturer defect in ladder lock
5. Inadequate process given to her by mum and dad
At this stage we've got four components working back from objectives. Objectives, critical process, risk, events, and root causes. What I'm going to do is put those together in a picture, and the picture goes like this:
We're going to start in the middle with the point at which she loses control, which we as a firm call the main event. In most risk registers, this is the risk short name. So in Jenny's risk register, I'd expect to see a risk called “falling risk” or “fall risk.”
Once we've got the event, we then can trace back to root cause by asking why. Those of you that have done Six Sigma will remember the five whys, and pretty much five whys gets you to the root cause. And the root cause occurs when the answer to “But why?” is just “It is.” It just is, or it's outside of Jenny's influence. I won't dwell on this, but here we go.
The green things are the root causes. We've then got the root causes tracing through the main event. Now we need to link that to outcomes, the impact on outcomes are impacts. So I'm now going to ask, “But what next?” until the answer is an impact on one or more of her objectives. Remember her three objectives. Here we go.
On the right they're in red, we've got the impacts of the risk, which are always connected to the objectives. She had three objectives, and all of them could be compromised by that event. If we put an outline around that, there's no surprise what you get. You get the bow tie. If you, by the way, have not done risk bow tie analysis, you need to, and if you want to know more come and talk to me and Protecht because I'm a passionate bow tie person. It's one of the great ways to be able to illustrate and get risk knowledge down to the coalface so that people understand exactly what risk is.
Treating risk in a better way
Once we've done that, we can then think about, how can we better treat that risk? I know a lot of textbooks say there's four methods of treatment but we at Protecht think there are seven. Here they are.
1. Number one is to accept the risk. You'd automatically do that if it was within your risk appetite.
2. If the risk is not within your risk appetite, the next best thing is to process re-engineer, which would be perhaps to change the method that she's trying to attempt to have fun. Maybe it's playing the iPad instead.
3. If you're not happy with that, then you improve controls, which we're going to talk a lot about in a second.
4. Outside of that, you then transfer the impact to someone else. You can only really do that financially through insurance and so on.
5. If you're still not happy, you've then got a choice of either accepting the risk formally outside of appetite, and someone with the right authority accepts responsibility and accepts that risk formally.
6. Failing that, there's only one last thing to do, and that's avoid. Take Jenny away from the park and go and do something else. Tell her she's not allowed to climb on the rock.
They're the ones that we're most familiar with, but there's another one you should remember, and that is the other way round, which is to:
7. decrease controls. Take a bit of weight out of the backpack, because you are over-controlling the business and the cost-benefit is not worth it.
I used to be an external auditor with Pricewaterhouse, and I think in the seven years I was there in the late 80s, early 90s, I never ever recommended a client to remove controls. I would now. It's one of the most common things we do, because we're here to make an efficient control framework that balances risk and reward, not one that weighs the business down just in order that we manage risk to a minimum level.
Now of those, we've got three of them that involve controls and that's the focus for the rest of the session, because we're talking about controls.
Now controls. The ISO standard says they are measures that modify risk. We need to be a bit more specific than that.
We need to think about how do we measure risk, and what are the key characteristics of risk?
The key characteristics of risk that most people recognise is the likelihood of the risk event occurring and the impact if the risk event does occur. Some of you'll be familiar with the standard "five by five" plotting a dot where likelihood and impact are assessed and so on. We can therefore modify the definition to say that a control is something that you do that is aimed at reducing the likelihood and/or the impact of the risk.
Let's go back to Jenny and see what controls she has in place. She has five, there they are there. What we're going to do now is link those controls to the right place in the bow tie. Let's go. Hope these make sense.
Now that is a fully blown residual risk bow tie. Without the controls it's an inherent risk bow tie, and after the controls it is a residual risk bow tie. We as a firm don't believe you can do any decent kind of risk management or controls management until you've done that, because this really illustrates what the control actually does to the risk, because controls do different things.
On the board there, we have three types of controls. Now I know people talk about these in different language, but this is the language we're going to use.
1. Controls that operate near the left hand side of the bow tie are called preventive controls. They are barriers, system access controls, a cage around a dangerous machine. These are preventative.
2. The next type are detective controls. Detective controls are focused on picking up early warning indicators that the risk is developing, and acting so it doesn't go any further. Smoke detectors, heat detectors, temperature gauge in your car, reconciliations, exception reporting, and the like. Now, if the detective control detects prior to the main event, we call it early detective. And if it's after it's late detective. That's an important distinction, as we're going to see in a minute, as to what it does to the risk.
3. And the final one are reactive controls, or as in COSO, they refer to it as corrective controls. These kick in once the incident has occurred, such as first aid and so on.
In my previous example, non-slip shoes would have been preventative controls. Inspections and cleanup are detective, and first aid is reactive.
We're now starting to get an understanding of what controls are all about, and we've got to now start thinking what controls do we focus in on?
We as a firm believe there are three levels of control, minor, medium, and key, or words to that effect. Our belief is that key controls are non-negotiable. You would never consider running the business without them being there. Medium controls, we call them negotiable but important. And minor controls, I don't know, call them what you like, who cares?
Why am I being flippant about those? Because they're noise. They get in the way, and we believe only the mediums and the keys should be recorded in the risk register, and that's where our focus should be placed in any controls work we do. Get those right, and the majority of your risk will be managed.
A good example of this is, if you're driving your car home tonight and I say, “Would you negotiate with me to drive your car home tonight without the brakes working?” Do I see any nods? Okay, non-negotiable. Your brakes are a key control.
Would any of you negotiate with me to drive your car home tonight without the driver airbag working properly? Any nods, maybe? Some of you are going, “No way.” Key control for you. I've seen a couple of nods. For you it's not a key control, because you're negotiating with me. Now you would probably say in an 80 kilometre an hour head-on accident, a driver airbag would be important. So this is a negotiable-but-important, a medium control.
Would any of you consider driving your car home tonight without the indicator light working on the windscreen washer bottle for the water level? Who cares? That would be a minor control. So in your methodology you need to be able to differentiate, and the main reason is that most methodologies, we expect to see that key controls have to have mandatory controls assurance being done on them, and the other ones then are discretionary.
Once we've done that, we can then understand, what is the effect a control has on a risk? Which is what we're going to do now. And it goes like this.
How controls modify risks
When we go back to the bow tie, we can think about understanding how a control modifies risk. It either reduces the likelihood and/or the impact of the risk. Most controls only do one or the other. Very few do both. Example. If we go back to our risk, which is here, there's the bow tie. We are generally assessing the likelihood and the impact of the middle of the bow tie, the event. With Jenny it's the likelihood of her falling and the impact if she were to fall.
As you can imagine, up to the point the main event occurs, the event has not happened, so all the left hand side is all about likelihood. Once it has occurred, it's all about impact. As a result, if we now address this, any control that's on the left hand side of the bow tie, prima facie it reduces likelihood. And every control on the right hand side, prima facie it reduces impact. Preventive controls reduce likelihood. Early detective likelihood, late detective impact, and reactive impact.
Now one of the things you should be considering is, what is an optimal set of controls over your risks? That old cliché, “Prevention is better than cure”? Not a truer word was said in risk management. Now, prevention are the likelihood reducers. The cure are reactive impact reducers. It therefore says you should maximise your preventive controls, followed by your early detective, followed by your late detective, and only if you really have to, reactive.
A lot of new organisations that we go into, we look at them and they openly admit they are reactive firefighters, which means most of their work is done down on the right hand side of the bow tie, not the left. There is the wonderful statement in the APRA report on the CBA, which says along the lines of,
“The bank generally recognises risk only when the event has occurred. It needs to focus on the root causes of its risks, and put in more preventative, strategic risk management solutions.”
I'll leave it there, but that basically says everything I've just said much more eloquently from the banking regulator.
Once we've done that and we understand the way that controls impact risk, we need to think about how we're going to assess the effectiveness of our controls. When we assess the effectiveness of a control, we should do three things. Number one, identify the objectives of the control. This is critically important that every control operator and owner in your business can articulate this within 10 seconds. If they can't, you have a weakness. I'm going to put to you that 95 percent of all control owners can't articulate this. I'm being a bit hard here. Why? Survey says, “Why do you do that control?” “What control?” “We did it last year.” “I was told to.” This hasn't got anything to do with the objective of the control.
Now what I would expect, in methodologies we see, there are two approaches to articulating objectives. The first one is a blank piece of paper approach, which is the one I love. Why? Because it gets people thinking. I'll just give you an example. The objectives of a smoke detector system at your place of abode, just think about it:
1. I would put to you, it is to detect a little bit of smoke from anywhere in your place of abode immediately, 24/7/365.
2. Objective number two, to alert all people in that place of abode, 24/7/365, immediately.
3. Three, to investigate source of smoke. If it can be extinguished, extinguish. If not, run like hell. I'm sorry, evacuate safely to a place outside of safety.
The objective is therefore to detect, alert, and react.
If we were doing a reconciliation, it is to identify information from two different sources that should be the same, identify the one that's wrong, and correct it, or words to that effect. Now that is the blank piece of paper approach to control objectives. I would put to you that every single control operator should be able to do that, and not only that, it should be recorded in your risk management systems internally, under say a controls library where you've got a heading, “controls objective.” And generalising, we are woefully bad at this. This is the first step.
The second approach is standardised control objectives. My only problem with standardised control objectives is, they stop you thinking. I'm an ex external auditor, and the most common one I see is CAVR. Some of you might remember that one. Completeness, accuracy, validity, and restricted access. Now I don't mind that when I'm an external auditor looking at financial information, but I struggle with that trying to apply it to a smoke detector. I'll leave it up to you which you do, but I would much prefer you used a blank piece of paper approach to get your staff thinking, and maybe with a few prompts, such as CAVR as a help, but not as the main focus.
The second thing we then do is design effectiveness, and we ask the question, how well is this control designed in order to be able to meet the objective? If I'm looking at a smoke detector system, what am I going to look at? I'm going to look at how it's powered. Battery, mains, battery and mains. I'll let you decide which is best. Where are the smoke detectors located? What type of smoke detector do you have? If none of you know what I'm talking about, please research it after this session, because maybe your life might depend on it.
There are there types of smoke detector, photoelectric and ionisation, and they are quite different, and if you don't know what you've got at home, find out tonight and go and do some research, because you're supposed to have both types. That's a little takeaway for you, getting a bit detailed. But this is about really understanding the design effectiveness of a control.
Once you've done that and you've assessed the design effectiveness, if it is effective, or I should say if it's not effective, then you go forward to the operating effectiveness. How well is it actually operating? Now if I ask you, you don't have to answer back, it's a big group. How do you currently test your smoke detector system at home? Don't have to put your hands up. A lot of people in this room will say they don't. No they don't, I'm with auditors here, we're probably okay, but if you don't, shame on you. This is a key control at your house.
Another massive group will say that now and again they press the test button. Think about what the test button tests. It tests that the test button works. Think about it. That's not the purpose of a smoke detector. It's there to detect smoke. Yes, please make smoke. Don't press the test button. They should be banned, by the way, on smoke detectors, test buttons. They give false assurance that you're doing a good controls test.
So we make smoke. We have people at different areas of the house. Can they hear it? We do it two and a half hours after our children have gone to sleep. I could keep going. And this is a proper test. If you're not doing that at home and you're auditors, shame on you, and go home tonight and get a really good test going, and then be able to put your hand on your heart and say, “I have reasonable assurance that my key control is working effectively.”
Once we've done that, we then have got a combination of the objective, the design, and the operating effectiveness. We generally combine those together. Now our standard methodology is this. We assess design and operating using red-amber-green. Some of our clients go, they don't want a middle one, and they just go “effective” and “not effective.” I quite like that really, but we generally go three. And then we combine them at the bottom to then give us an overarching view of whether the control is effective, ineffective, or satisfactory or marginal. Now I'm sure that's a similar framework to what you guys use.
In relation to this, we then end up with some kind of controls test. I'm talking to the converted here, you're auditors, you're doing this testing. But what is really key here is, in a mature risk management organisation, everything I've just done, should be being done by line one, the business. It shouldn't be done by audit on the business, it should be done by the business itself. It should also not be done by risk management.
The business owns the risk. They own the risk management. When I go out, I'm the one that's responsible for whether my umbrella works or not. I don't call someone else in to check my umbrella, I check it myself. So the key is, all of what we've just spoken about needs to be being done by the business itself. Line two is there to review and challenge what they're doing, and line three is to give your assurance that those two lines are working effectively.
Now, what we've just addressed is commonly what we see as controls assurance, controls testing. I'm not going to spend too much on it, but we're also moving more now to more dynamic controls monitoring. What this is all about is, in an enterprise risk management framework, you will be collecting lots of information about controls from different sources, such as key control indicators, KCIs; incidents, analysing which controls failed; compliance, attestations of controls, who has done it, who has not; risk control self-assessment. There's a whole bunch of information we collect. Now if we could group that together and give that evidence against a control, we have a more dynamic continuous controls monitoring and assurance, rather than a periodic once a year test, which I would put to you is a lot more powerful.
Once we've done all that, we've then got hopefully a pretty established, effective controls assurance program within the front line, and I would argue then, audit is about making sure that program works effectively, not you going in and doing the tests of the controls yourself, because that loses ownership of the control by the front line. A lot of front-line people think audit is a control. It's extremely worrying, and they will rely on audit to be testing their controls. It's not what should be being done. Ownership at front line is key.
So what would we suggest you might look at when you audit the controls environment? Here's some ideas for you.
1. Number one, what is the quality of the control testing being done in the business? Or I should ask, is any being done? That's the starting point. So that's your first thing, that I think is the most important thing we auditors should be doing.
2. Number two, are controls owned, and is there a specific accountability and responsibility for those controls? Are those controls understood? Do a survey and ask your control owners, why do they do that control? And “survey says.” You'll be able to tell an awful lot about the understanding of controls in the business.
3. Are the controls linked to risks, processes, and outcomes? Or is there a disconnect between the control and the outcome? What is the balance between manual and automated, preventive, detective, reactive, and do you have an optimal set of controls? What is the overall attitude perception of controls, the culture? Are they seen as annoying hoops and “hurdles I have to jump through, which stop me doing my day job,” or are they seen as a very important enabler in the business?
I often ask people, why does a Formula One car have very expensive brakes? Carbon fiber, Kevlar, etc., which costs a lot of money. And most people go, “Oh, to allow the car to stop quickly. To protect the driver.” All of these are kind of valid, but that's not the reason. The reason a Formula One car has very expensive brakes, which are controls, is to enable the car to go faster.
Think about it. What's the objective of a Formula One car? To win the race. Critical process, last one to brake into a bend, first one to accelerate out the other side. Which is why they have such expensive brakes. Now I would put to you that those brakes are an enabler, to enable the Formula One car to achieve its objective.
Here's a takeaway for you. We should stop using the word controls. They should be called "enablers". Now when you walk into a business and go, “I want to add another control to your business,” say instead, “I want to add another enabler into your business,” I think you're going to get a different reaction. The truth about controls is that they enable the business to go faster.
Working with dynamic monitoring
How serious is control testing? What is the quality of controls reporting, and who receives what? Which brings me to my last point. It's thinking about controls reporting.
On the board here, a little bit small, I apologise, over on the left we've got the control type. Next column, the control count. How many do we have in the business? The number of processes that we've got connected to those controls. The automation rate, manual versus automated. The connected risks. Type of controls. That gives you a balance between preventive, detective, reactive, by risk type. Attestation rate, people answering, “Do I have the control? Yes or no?” Control testing results. And now we're starting to gain intelligence linked back to that control.
Taking that to one stage further is then linking that control to the risk. This is a concept we have at Protecht called risk in motion, which is basically linking all the information we have about a particular risk.
We take the fifth risk, it's called cyber risk. It's connected to the most recent risk assessment, Controls testing results. You can see here, we've got quite a lot of exceptions, the reds. We've got key control indicators in red, we've got actions that are outstanding, we've got incidents that are occurring, we've got internal audit findings, and most importantly, we have control test fails.
Now if we look at that, and I want to drill down a bit further into that, we can then link that to a more integrated view of that risk. The bit that I'm interested in today is that bit there, which is all the controls testing that's been done over the controls relating to that risk. We've then brought that together with key control indicators, the number of incidents that have occurred, and we've now started to get a more dynamic view of risk within our business.
That is what we're trying to aim for, certainly at Protecht, and that is to move away from a static view of risk management to a more dynamic, fluid view of risk. At the end of the day, if I got into an aircraft to London, and I said what risk management do they do, and they said, “Oh, we gave the plane a service eight months ago.” “Anything since?” “No mate, she'll be right.” I'm not getting on that plane. I expect continuous monitoring by the pilot from the cockpit, continuously understanding the risk in that plane so they're able to act quickly. We should be doing the same within our business.
So finally, to wind up, if you want more information about what we've talked about, there's our website, couple of things I would put to you. We do a one day controls assurance course that I think is coming up this year publicly, and also we do a lot of blogs. And I've got a blog that I did a number of months back called “How do get more intimate with your controls,” which does cover a lot of the information that we've spoken about here.
Other than that, I've got a big thank you for giving up your 50 minutes, and if anybody does have any questions, please fire away. Other than that, I appreciate your time, and if you want to chat more, we do have a little stand out there with myself and some colleagues. I'll be here for the rest of the day, I'm more than happy to take more one on one questions. Thank you.