In Your Face

Thought-provoking opinions on topical issues.

Wednesday, January 15, 2003

Risk Management


There are those in the world who would have you believe you can live your life, and operate your business, without risk. Palpable nonsense in my opinion; risk is an implicit part of life. The issue is how we handle it.

I present below a high level overview of the key components to an effective risk management system.

I will begin with a couple of simple definitions:

 Profit is the reward for risk.

 Risk is an event/occurrence that hinders the achievement of the business objectives.

Companies exist to make profits, and as such will always be exposed to risk.

Companies are exposed each day to many changes (organisational, commercial, political, technological, etc.). The speed of those changes is reducing reaction time, and increasing the types and complexity of risks. Within such an environment risk assessment is essential for an effective and efficient management process. Risk assessment helps management to focus on the issues that really matter.

The Risk Assessment

Risk assessments should be primarily a management exercise. The fact that a company is constantly facing changing risks requires that management take a proactive approach to assessing those risks, as well as developing an effective and efficient process to reduce risks to an acceptable level. This proactive approach should address the following areas:

 Determine the risk appetite of the company - This is the responsibility of the Board, who must set the risk parameters (high, medium or low) that they are prepared for the company to operate within.

 Clear risk identification - Managers should analyse the company’s external environment, and internal processes, in order to ensure that all potential business risks and their sources are identified. The question management should be constantly asking itself is “what could go wrong?”.

 Risk assessment - Management should categorise risks on the basis of their significance (magnitude of the loss or missed opportunity), and the probability of occurrence (eg likelihood of the risk event occurring say within the next two years). When making the assessment management should take into account factors such as the size/value of transaction streams, and the financial impact on the organisation of the risk.

 Definition of critical areas - Critical areas are those areas which are of major importance for the specific business, eg sales, R&D, production, combined with the outcome of the risk assessment. For example, a high magnitude risk in the sales department, coupled with a high probability of occurrence, would mean that the sales area is deemed a critical area. Having identified the critical areas, management now has a risk map of the organisation.

 Control of the (critical) areas - Management should review the adequacy of controls by means of a self assessment control checklist. Controls (eg hedging of foreign currency transactions) are the means by which the organisation achieves its objectives. Where control gaps are identified, the necessary steps (corrective actions) should be taken to implement compensating controls that reduce the residual risks to acceptable levels. Care should be taken when implementing compensating controls, as excess controls waste scarce resources. However, it may be the case that controls will not mitigate the risk to an acceptable level, in which case alternative measures such as insurance, outsourcing or closing the activity should be considered.

 Continuous self assessment of the process - Management should review the entire process on a regular basis, to make sure that the model applied to identify risks and the business controls in place are adequate. Where necessary, management should take corrective actions in order to guarantee the quality of the entire process.
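The steps above (board-set risk appetite, identification, magnitude/probability assessment, critical areas, compensating controls, and escalation to alternative measures) can be worked through with a simple risk register. The following is an added example written for this page, not code from the original post: the three-level scale, the multiplicative scoring, the sample risks and the control names are all constructed assumptions chosen to illustrate the process, not a standard the post prescribes.

```python
"""Worked risk register for the assessment process described above.

Added example, not part of the original post. The rating scale, scoring rule,
sample risks and controls are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Three-level scale (assumed) used both for magnitude/probability and for the
# Board's risk appetite, ie the highest residual rating the company accepts.
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class Control:
    name: str
    reduces: str   # "magnitude" or "probability"
    steps: int     # how many levels the control lowers that dimension


@dataclass
class Risk:
    area: str                 # business area, eg sales, R&D, production
    description: str          # the answer to "what could go wrong?"
    magnitude: str            # significance of the loss or missed opportunity
    probability: str          # likelihood of occurring within the horizon
    controls: list = field(default_factory=list)


def rating(magnitude, probability):
    """Combine the two dimensions into one high/medium/low rating (assumed rule)."""
    score = LEVELS[magnitude] * LEVELS[probability]   # 1..9
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def inherent_rating(risk):
    """Rating before any control is applied."""
    return rating(risk.magnitude, risk.probability)


def residual_levels(risk):
    """Apply compensating controls; each lowers one dimension, never below 'low'."""
    levels = {"magnitude": LEVELS[risk.magnitude],
              "probability": LEVELS[risk.probability]}
    for c in risk.controls:
        levels[c.reduces] = max(1, levels[c.reduces] - c.steps)
    return NAMES[levels["magnitude"]], NAMES[levels["probability"]]


def residual_rating(risk):
    """Rating after controls, ie the residual risk compared against the appetite."""
    return rating(*residual_levels(risk))


def critical_areas(risks):
    """An area is critical when it carries a high-magnitude, high-probability risk."""
    return sorted({r.area for r in risks
                   if r.magnitude == "high" and r.probability == "high"})


def risk_map(risks, appetite):
    """Per risk: inherent and residual ratings plus the action the process calls for."""
    rows = []
    for r in risks:
        inherent, residual = inherent_rating(r), residual_rating(r)
        if LEVELS[residual] > LEVELS[appetite]:
            # Controls do not bring the risk within appetite: escalate.
            action = "alternative measures (insurance, outsourcing, close activity)"
        elif LEVELS[inherent] <= LEVELS[appetite] and r.controls:
            # Already within appetite before controls: excess controls waste resources.
            action = "review controls: inherent risk already within appetite"
        else:
            action = "accept"
        rows.append({"area": r.area, "risk": r.description,
                     "inherent": inherent, "residual": residual, "action": action})
    return rows


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("sales", "major customer defaults on receivables", "high", "high",
         [Control("credit insurance", "magnitude", 2)]),
    Risk("treasury", "adverse FX movement on USD sales", "high", "medium",
         [Control("hedging of foreign currency transactions", "magnitude", 1)]),
    Risk("production", "loss of sole-source supplier", "high", "high"),
    Risk("admin", "stationery price increase", "low", "medium",
         [Control("annual tender", "probability", 1)]),
]

if __name__ == "__main__":
    print("critical areas:", critical_areas(SAMPLE_REGISTER))
    for row in risk_map(SAMPLE_REGISTER, appetite="medium"):
        print(row)
```

Run with a "medium" appetite, the register marks sales and production as critical areas; credit insurance and hedging bring the sales and treasury risks down to medium (accepted), the uncontrolled supplier risk stays high and is flagged for insurance, outsourcing or closure, and the admin risk shows a control that was never needed.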

The Role of Internal Audit

I am a great believer in the maxim “what gets measured gets done”. Internal audit has a vital role to play in reviewing, and giving an opinion on, the effectiveness of the risk management process. Specifically, it should:

 Verify if a business risk assessment process is in place and up to date

 Verify the quality of the business risk assessment process in place

 Verify the quality of business controls and control self assessment

 Stimulate corrective actions

 Track the trend of improvement and deterioration


Risk management is not a one-off exercise, but part of an ongoing process. As circumstances change so do the risks faced by organisations; it is essential that management keep their risk map “up to speed”.

Tuesday, January 14, 2003

Contingency Planning

Given the current world-wide tensions, and risks of terrorist attacks, I feel that it is appropriate to address the issue of contingency (disaster) planning.

This is one area often overlooked by organisations. However, it is an area which they can ill afford to neglect. A major disaster such as a fire, bomb attack or flood can threaten the ongoing activities and profitability of the organisation; either directly by destroying or incapacitating an office or factory, or by disrupting the activities of key suppliers of eg IT, telecom or raw materials.

Adequate contingency planning should ensure that the organisation can continue to function and be able to process orders and transactions etc, in the event of a disaster outside of its control; eg a fire destroying the mainframe or a bomb destroying a key piece of infrastructure.

Key features of effective contingency planning include the following:

 Ensure that members of the organisation know what procedures to follow in the event of a disaster, ie there should be a written contingency plan, copies of which are distributed to all members of personnel.

 There should be a list of off-site telephone numbers from which to obtain instructions as to what to do.

 There should be a team of managers assigned the task of managing the disaster.

 Accommodation should be available, eg spare offices or a hotel off site, where telephones and computer cables etc can be installed in a relatively short period of time.

 Spare capacity on an off site computer should be available; either using the mainframe of another unit within the same organisation, or a third party machine on which the right to access is purchased by an annual fee.

 There should, at least once a year, be a practice disaster to ensure that the plans do operate as expected. The results of the dry runs should be analysed and any improvements arising from them be implemented, and communicated, to the employees as soon as possible.

I have put together a “high level” checklist below which provides a good starting point for organisations wishing to review the effectiveness of their contingency planning. Areas which are found wanting should be addressed.

1. Have all assets that are essential to the continuation of the business been identified; eg staff, equipment, intellectual property, materials and telecommunications?

2. Have the potential costs and impact of not having a business continuity plan been identified eg lost business, legal implications, credibility?

3. Is there a disaster team (membership to include HRM, building facility manager, building security manager, communication manager, key user management representatives)?

4. Is there a list of personnel authorised to declare a disaster?

5. Are there procedures in place to mobilise the disaster team?

6. Does each member of the team have primary and secondary contact numbers?

7. Does each member of the team know his/her duties?

8. What are the notification procedures for communicating to members of staff during a disaster?

9. Does every member of staff have procedural documentation for what to do in a disaster?

10. Is there a list of contact numbers for members of staff to use in the event of disaster?

11. Is there an alternative site to use in the event that the normal site is inaccessible, eg through fire, power failure etc?

12. Does this alternative site have adequate facilities for IT, telecommunications etc?

13. Do personnel have maps/directions to the alternative site?

14. Is there insurance cover for both loss of income and costs of business resumption?

15. Is there suitable power back up, eg on site generator, in the event of a power failure?

16. Are all IT back up procedures re software and hardware adequate in the event of fire, power failure etc? Bear in mind power failure may occur when no one is on site to shut down the systems.

17. Are all key back up documents, tapes, discs etc stored offsite in fireproof, waterproof containers?

18. Is there a procedure, and person responsible, for communicating to the press etc during the disaster?

19. In the event that the normal business site cannot be used during the disaster, is there adequate security to prevent unauthorised access?

20. Have compliance certificates been obtained from third parties eg banks, utilities, landlords, warehouses and suppliers?

21. Are there documented procedures that detail how to obtain emergency funds in the event of disaster, eg collapse of the local banking system?

Do you know what to do in the event of a disaster? Should you work for an organisation where there are gaps in the contingency plans, then draw their attention to this checklist.

Monday, January 06, 2003

Attributes of a World Class Internal Audit Department

In my roles as Head of Internal Audit and International Forensic Co-ordinator, in both Philips and De Beers, I have had many years of experience setting up and running audit departments. Based on this experience I have put together my personal “top ten” list of attributes that make up a world class internal audit department.

1. Independent – an internal audit department that is not independent, or seen to be independent, is no use to man nor beast. Independence is functionally achieved through establishing a clear, direct reporting line to the audit committee (which itself should be comprised of independent non executive directors). Additionally, independence is maintained by ensuring that reports are fair and objective (not bending to the wills of dominant CEOs) by senior review within the department; and ensuring that audit assignments are rotated so that members of the department do not become too close to the operational management of specific business units.

2. Approachable – contrary to popular belief the internal audit department is not the Gestapo. The department should report on business operations, risks and controls in an independent, fair and objective manner. Additionally, it should be the source of best practice advice; management should feel that they can raise an issue with the members of the department and obtain constructive, informed advice on that issue.

3. Communicative – the primary role of the department is to report on the adequacy of the business controls and effectiveness of the risk management process. Therefore by definition the reports need to be clear, concise and relevant. In order to garner information for the preparation of the report auditors need to interview people at various levels within the organisation. Additionally, where a situation arises that requires the attention of the Board this should be communicated in an effective and prompt manner. Members of the department therefore need high level communication skills: written, oral and “soft”.

4. Deadline orientated – businesses are deadline orientated and so, by definition, should be the internal audit department. Reports need to be issued on a timely basis; a report that takes six months to clear is of no use, as the events on which it has been based have moved on. At the commencement of a review the deadline for publication of the report (after clearing the draft for errors with management) should be clearly stated, and accepted by auditor and “client”.

5. Appropriate mix of skill sets – internal audit departments should be staffed by people with skill sets, and experience, appropriate to the business. This would include people with IT, management, commercial and technical experience. Additionally, the department should have an appropriate cross section of career auditors and fast track trainees (who stay no more than two years in the department before moving on to line management).

6. Technically up to date – the members of the department should be up to date with technical and other issues relevant to the business, eg corporate governance. This can be maintained by internal/external training courses, and regular meetings with other bodies such as the external auditors.

7. High ethical principles – should the members of the audit department be regarded (rightly or wrongly) by other members of the organisation as being anything other than beyond reproach, then their ability to carry out their role effectively has been nullified. To ensure that ethical standards are maintained, the company’s code of conduct should be strictly adhered to, and the acceptance of gifts from management/staff within the organisation being audited forbidden.

8. Flexibility – members of the department must be prepared to travel, and work in a variety of situations; such as international assignments, frauds, special management requests and due diligences.

9. Audit charter – this is an essential requirement as this document enshrines the mission, independence, reporting lines, right of access to documents/people and modus operandi of the department. The charter must be signed by the senior members of the board, to show their commitment to an independent function, and distributed to all senior management.

10. Commercially literate – members of the internal audit department must be commercially literate, understanding the general nature of business, eg marketing, logistics, cash flow etc. Additionally, they should have a specific understanding of the nature of the business which they are reviewing, eg risks, competition, results, market, suppliers, business plan etc. This will ensure that the review will be tailored to the needs of the organisation.

It goes without saying that the audit department should possess the basic operational attributes such as budgeting, planning and recording its work.