Skip to content

Auditing your Control Framework - SOPAC 2019

How do you encourage your staff to embrace risk and controls? In this recording, David Tattam talks about how understanding the dynamics and balancing your control framework can help you change your organisation for the better.

This session was recorded at the 2019 SOPAC Annual Conference. 

Video Transcription:

Good morning.

We've got a session on controls, and the word “controls” is probably one of the reasons we have a problem with controls, because as we know, risk management is the responsibility of everyone in an organisation, and engaging those front-line staff in doing risk management is a huge challenge.

One of the reasons it's a huge challenge, I believe, is often the branding we risk managers have over  “controls.” If you say to someone, “I want you to implement a new control in your business,” and they're a front-line marketing manager or a salesperson, I don't know about you, but the common response is a grunt or a growl, and saying, “Oh, if I have to, but it's going to stop me selling,” or something like that. So we have a brand problem.

With that said, I think what's really important is to appreciate that controls are probably the most important thing we have in managing risk in our businesses. The number one thing. So what I want to do is just spend 40 minutes with you, looking back at what I call the basics, and look at the fundamentals of what controls are all about, and then finishing off with the focus of auditing your control framework. I'm going talk about it from the perspective of have we forgotten the basics?

In terms of the basics, I have to thank APRA and the Commonwealth Bank of Australia for the learnings they gave us in the prudential report on the CBA back in April, which as many of you will know was really a report on financial services in Australia. It was pretty generic across the whole of the industry. There were a couple of things, if you haven't read the report, that really jumped out.

Slide2

The first one was this controls summary. Across the top, it highlights the key risk areas within the bank. In  the line below it, it mentions the percentage of key controls for inherently high and very high risks that were rated marginal and unsatisfactory in the most recent controls assurance testing. Which, if you put the other way round, were not effective.

The percentages there. Security, 20 percent. Resilience, 22. One in five key controls weren't working effectively. Now before we think too negatively about the Commonwealth Bank, I would like you first, rhetorically, to ask yourselves, what does it look like in your organisation? 'As we say, we don't shoot arrows from a greenhouse or a glass house. I would argue that that is a representation of pretty much where we stand in most financial services companies in Australia, and perhaps also non-financial services.

Have we forgotten the basics?

Now, given a key control is one that you are heavily relying on to manage the risk in your business, that's quite disconcerting. My view is that we should not sleep until that line across the top for each one of you is zero. This is a key control, and if you think otherwise, and you think there's a percentage of margin for error with key controls, I want you to think about getting on a plane to the UK. I just got off one on Friday night actually.

As you get on, you look left into the cockpit, and there's a couple of people sitting on stools, they're called the pilots, and they're having a bit of a chat. There's a few little red warning lights going on the cockpit, and you say, “What are you doing?” They say, “We're just about to take off, strap in.” And you say, “Well, there's a few little red flickery lights on the cockpit,” and they say, “Oh, it doesn't matter. 80 percent are working okay.”

What are you going to do? I know what I'm doing. I'm heading for the exit immediately. I'd expect 100 percent of all key controls to be working, and let's be honest, 100 percent of non-key controls. I never understand why fellow passengers get upset, while we wait on the tarmac, when they say there's a delay because there's a warning light coming up on the cockpit. I don't want to move. I don't want to go up. Right? So this is what we should be looking for in every one of our organisations, and I don't think we're there yet.

That APR report went on to say one of the problems we have is the excessive level of manual controls. As we know, humans are fallible, and the more manual controls we have, the less effective they are as a general rule. 

Improving your control framework

The report commented that over 80 percent of controls within the CBA are manual. It went on to highlight that the global standard that they used, or the regulator used, was it should be under 60 percent. Right? Now that's obviously one of our big issues, the level of automation of our controls, and the two, I believe, go quite strongly hand in hand.

With that as the opening volley, we have to ask the question, why? Over the years, I've asked many of our clients' staff, who do controls and operate controls, I've often asked them a few questions, a survey. And the survey says, I just verbally do this, “Why do you do that control?” These are the most common answers.

1. The first one is, “What control?” They don't actually know what they do is a control, which is not a good start.
2. The second one, “I've always done it.”
3. Thirdly, “I was told to do it.
4. Fourthly, “It's in my procedures manual.”
5. And lastly, “I do it so I don't get in trouble.”

Now, all of those are slightly worrying, because not one of them address the objectives of a control. The purpose of the control.

Now without getting into heavy frameworks, one of the most important things you can do is to change that within your business. To identify who owns the control, who operates the control, and make sure that every control operator and owner can articulate the objective of the control. Why do they do it? And it should say something like, “Why do you do that control?” “Because in our business, we have the following risks.” Right? And “This risk, in order to be managed, requires the following procedure around it.” Control.

As you can see, when we do that, that reduces the likelihood of the risk event occurring, so that the outcome on the customer, I'm taking that as one example, is positive rather than negative. Now you've got the linkage between the control and the outcome of what we are trying to do, and already you've dramatically improved your control framework.

Now when we think about controls, controls are going back to basics, but the basics are often what's missing in our risk management and our control management within a business.

Building up your defence

Many of you will be comfortable, I hope, with the three lines of defence model. If you're not, there's one minute on three lines of defence. The way I think “three lines of defence” is as follows.

Slide4

What are we defending against? We're defending against risk. And what are we protecting? We're protecting the organisation's objectives. Those of you are familiar with the ISO 31000 risk management standard would know that risk is the effect of uncertainty on objectives, so our whole focus of risk management and controls management should be on the objectives of the organisation.

One of my objectives at lunchtime today might be to go for a walk. Why? I want to feel good for the rest of the afternoon. One of the things that could stop me feeling good for the rest of the afternoon could be that it might rain. Now, rain represents all the risks that you face, whether it be cyber risk, fraud risk, human error risk, whatever it might be. These are the inherent risks in your environment that could affect the achievement of your objectives.

Now if I was to go outside of this centre at lunchtime and it looked like it might rain, what might I do? I could pray, I guess, but I might do something more practical, which might be something along those lines, which is put up an umbrella. That's what we should be doing in our business. And the umbrella is our internal control framework, which is exactly what we're talking about today. And I would put to you, it's the most important thing you've got to protect you when you go out at lunchtime.  That is known as the first line of defence, because it's the first point that the risk hits. This is our internal control framework.

Now if the umbrella leaks, you haven't got very good controls. Do we give up and get wet? No, not within business anyway. We should have the second line of defence, which is risk management, or enterprise risk management. Enterprise risk management should not be a second umbrella catching the drips from the first umbrella. It should be there to review and challenge the owners of the first umbrella to make sure that first umbrella, i.e. the internal control framework, is effective, efficient, as much as it can be. They are there to review and challenge.

If they don't do a very good job, do we get wet? Not in the three lines of defence. Not yet, anyway. We have a third line, which is internal audit. Internal audit are there to provide independent assurance that the other two lines are working effectively. Now if they don't do a very good job, sorry guys, you're gonna be sitting in a puddle all afternoon, because we failed in the achievement of our objectives.

Those of you that do not have a mature three lines of defence, often internal audit is doing the role of line two, and going and checking directly into the business in terms of their controls. When you have a mature enterprise risk framework, I'd be expecting internal audit to firstly be auditing the second line of defence, to see how well they are reviewing and challenging the first line. If you do not have an effective or a developed ERM framework, then audit normally have to go straight into the umbrella (the business) and check it directly.

As you can see there, the most important part of that is the internal control framework, which is what we're going to be talking about today. So for the rest of the session, I will talk about five things.

1. Understanding the risks and controls in your business, what I call getting intimate with your controls and the risks that they are addressing.
2. Defining the best risk treatment methods to use.
3. Understanding the effect of controls on risk.
4. Monitoring control effectiveness, often called controls assurance.
5. And lastly, providing risk assurance through effective reporting.

And we will then finish off on what I would suggest is the focus of internal audit around this whole process.

Let's start off thinking about understanding controls.

Slide6

The ISO 31000 standard says control is a measure that is modifying risk. As much as that might be true, I don't find it overly engaging with the staff at the front line, because they won't know what you're talking about, I'll be honest. Standards are good for people that understand risk. I'm not sure they're great at communicating it. We maybe need to use a more basic language, which we're going to do in a minute. But fundamentally, controls are something that modifies the level of risk.

If we take that to the next logical level, if risk is the effect of uncertainty on objectives, controls must be modifying the effect of uncertainty on objectives. If we take that to its natural conclusion, then controls are a key tool for managing that risk, i.e. managing the effect of uncertainty on objectives, and the wider level of risk management is the management of the effect of uncertainty on objectives.

Although we, Protecht, pride ourselves in risk management, I actually don't like the name risk management, and nor do a lot of people in the front line, because as soon as you say “risk management” to a salesperson, miraculously their phone suddenly rings and they've suddenly got an emergency meeting they have to attend!. We're not getting great engagement because of the word risk.

I'd put to you that risk management is the wrong name for what we do, because the most important word up there is the word objectives. I would put to you that managing the effect of uncertainty on objectives is actually “outcome management.”

The world changes if you start doing this:

- “Good morning, it's Dave here.”
- “Where are you from?”
- “Risk management.”
- “What do you want?”
- “A meeting with you.”
- “Oh, my diary's really busy for a couple of months.”

or:

      - “Good morning, it's Dave here from outcome management.”
      - “What do you do?”  
      - “I'm here to help you "nail" your objectives.” I bet I'd get a seat at the table straight away.

So the first thing I want all of you to do is start to think, how can we re-brand using words, simple words, to get greater engagement with our front-line staff? And the first one I would put to you is, wherever you hear the word risk management, say in your head, “Outcome management. Your face will tend to go from a grimace to a smile.

 

The second thing that's important is, whenever you use the word risk in a sentence, you should also use the word outcome. Because if you do not talk about risk and outcome in the same sentence, you're not going engage the front line, and you are only looking at half of the relationship, because risk has a partner called reward. If you talk about one on their own, it's not going to end up in a good marriage, a sustainable marriage.

Achieving your objectives with efficiency

In terms, then, of suggesting how outcome management might look, I'm going to use a simple analogy. Our objective here is to get to the end of that road safely and efficiently. That's our objective. Now the potholes represent risk, because they create uncertainty that we might not be able to achieve our objective. We decide how we're gonna attempt to get to the end of that road safely.

1. We'll suggest alternative number one is just to "floor" the accelerator" when the flag drops. “Don't worry about those potholes, we'll be okay.”

In Australia we have a wonderful saying for this called “She'll be right.” This is where you highlight risk to the business and they simply look the other way, because they're so transfixed on reward, they don't really care about risk. These are the "she'll-be-right" brigade.

The problem with that is, they might get seven or eight successful trips to the end of the road, pure luck. But the law of probability says that before long, that's what's going to happen. It's all over.Slide9

We call that boom-bust management. Boom-boom-boom-boom-boom-bust, and it's all over. And this is because we are paying 99% percent attention to reward, and not much attention to risk. That is not sustainable.

2. Method number two is: We are so paranoid about those potholes, i.e. risk, we don't even want to attempt to get to the other end of the road, so we put a clamp on the wheel and don't even attempt it. This is called avoidance. We give up and go home. This is the opposite to the first example. We're paying 100 percent attention on risk and nothing on reward, so we're never going to get success, because we're not even attempting to do anything to achieve our outcomes. This is avoidance, excessive focus on risk.Slide10

3. The third one. We want to get to the end of the road, but we're so scared about the holes, but we don't want to give up, so we spend a fortune on massive wheels and tires. Now the problem with this, it makes the car go about five kilometers and hour, so by the time you get there it's like two hours later, everybody's already left, and you're bankrupt. This is the same, it's an overemphasis on risk, not enough on reward. This is to invest too heavily on a cumbersome control framework.

Slide11

On a recent course, I had a professional mountaineer in the group, and he said, “This is absolutely true. When I go and climb a mountain, I've got to go and have a look at all the rock faces. I've got to go and put a thing called "Cams" into the rock to attach the safety rope to, so when they fall they don't fall far.” And he said, “In an ideal world, I'd have one of those every meter so I didn't have to fall more than a meter if I fell.” He said, “If I do that, though, the backpack weighs 150 kilos, so I can't even move. So it stops me remotely achieving my objective.” And he said, “It's a balancing act between getting the weight right and having enough cams (controls) to be able to get to the top and be safe. And it's a constant balancing act.” 

4. What's the solution? I would put to you, to smartly manoeuvre around the holes. Quick left, quick right, 25 kilometres an hour, brake, through that hole, over this one. And you're smartly making risk reward decisions as you go up that road. I would put to you, that is going to be success, because you're going to sustainably get to the end of that road over and over and over again.

Slide12

Some of you are going to be saying “Yes, but it's going to take longer than the first person who just "floored" it.” Yes, it will. It's called the investment you make in controls and risk management. And yes, there is an investment. There's some dollars, there's some time. We want to make that as effective and efficient as possible, but there is an investment. It takes a little bit of time.

But I'd put to you, is that extra piece of time worth it to enable you to get over to the end of that road over and over and over again, or would you rather just risk it? Have seven great trips, and then the eighth one, you are finished?

This highlights the number one focus of risk management and controls management, and that is sustainable reward. Sustainable reward, which means we get the reward over and over and over and over again. We do not boom-boom-boom-bust.

Now this highlights the importance of controls. Controls should not weigh the business down excessively, but they should be there to get the balance right between the weight of the backpack and the risk between the gaps, between the cams and how far you fall.

With that said then, we need to drill down and understand risk. Because if controls are there to modify risk, we can never understand, manage, audit controls without understanding risk. So in order to do a quick lesson on risk, I want to introduce you to Jenny. Here she is, she's seven years old, and she's trying to achieve something. And most of us, especially parents, will understand that she's got a fair degree of risk.

"We can never understand, manage,
audit controls without understanding risk".

 

When we try and understand the risk of Jenny, we need to go through a logical process, and it's this. Risk is the effect of uncertainly on objectives. All risk management and controls management you ever do must always start with objectives. So let's ask Jenny what her objectives are, she has three of them. She probably weights number one more than two more than three, but there's her three objectives.

Slide14

In order to understand the risks that could stop her achieving her objectives, we first have to understand her operating model, because it's the risks that could stop the operating model being successfully completed, which will end up impacting the achievement of her objectives.

Her operating model are the key things she has to do in order to achieve those objectives. I'd put to you, they are these. They are three steps she has to successfully complete. Now in your business, that's your critical processes. Your operating model.

Once we've got her critical processes, we can now ask the question, what risks exist that could stop one or more of those processes being successfully completed, which means she will not achieve her objective? I'm sure most people in the room will go to the obvious one, which is what I've done, and that's called falling risk, the risk of falling.

Falling is an event. It's the point at which she loses control. At this stage, we don't know why she might fall, so I've made up five reasons. You can probably think of more. And here they are.

1. She's seven years old so human error.
2. It rained last night and created a wet slipper hazard.
3. Slippery rock because of moss in it.
4. Manufacturer defect in ladder lock 
5. Inadequate process given to her by mum and dad

At this stage we've got four components working back from objectives. Objectives, critical process, risk, events, and root causes. What I'm going to do is put those together in a picture, and the picture goes like this:

Slide18

We're going to start in the middle with the point at which she loses control, which we as a firm call the main event. In most risk registers, this is the risk short name. So in Jenny's risk register, I'd expect to see a risk called “falling risk” or “fall risk.”

Once we've got the event, we then can trace back to root cause by asking why. Those of you that have done Six Sigma will remember the five whys, and pretty much five whys gets you to the root cause. And the root cause occurs when the answer to “But why?” is just “It is.” It just is, or it's outside of Jenny's influence. I won't dwell on this, but here we go.

The green things are the root causes. We've then got the root causes tracing through the main event. Now we need to link that to outcomes, the impact on outcomes are impacts. So I'm now going to ask, “But what next?” until the answer is an impact on one or more of her objectives. Remember her three objectives. Here we go.

On the right they're in red, we've got the impacts of the risk, which are always connected to the objectives. She had three objectives, and all of them could be compromised by that event. If we put an outline around that, there's no surprise what you get. You get the bow tie. If you, by the way, have not done risk bow tie analysis, you need to, and if you want to know more come and talk to me and Protecht because I'm a passionate bow tie person. It's one of the great ways to be able to illustrate and get risk knowledge down to the coalface so that people understand exactly what risk is.

Treating risk in a better way

Once we've done that, we can then think about, how can we better treat that risk? I know a lot of textbooks say there's four methods of treatment but we at Protecht think there are seven. Here they are.

1. Number one is to accept the risk. You'd automatically do that if it was within your risk appetite.
2. If the risk is not within your risk appetite, the next best thing is to process re-engineer, which would be perhaps to change the method that she's trying to attempt to having fun. Maybe it's playing the iPad instead. 
3. If you're not happy with that, then you improve controls, which we're going to talk a lot about in a second.
4. Outside of that, you then transfer the impact to someone else. You can only really do that financially through insurance and so on.
5. If you're still not happy, you've then got a choice of either accepting the risk formally outside of appetite, and someone with the right authority accepts responsibility and accepts that risk formally.
6. Failing that, there's only one last thing to do, and that's avoid. Take Jenny away from the park and go and do something else. Tell her she's not allowed to climb on the rock.

They're the ones that we're most familiar with, but there's another one you should remember, and that is the other way round, which is to:

7.  decrease controls. Take a bit of weight out of the backpack, because you are over-controlling the business and the cost-benefit is not worth it.

I used to be an external auditor with Pricewaterhouse, and I think in the seven years I was there in the late 80s, early 90s, I never ever recommended a client to remove controls. I would now. It's one of the most common things we do, because we're here to make an efficient control framework that balances risk and reward, not one that weighs the business down just in order that we manage risk to a minimum level.

Now of those, we've got three of them that involve controls and that's the focus for the rest of the session, because we're talking about controls.

Now controls. The ISO standard says they are measures that modify risk. We need to be a bit more specific than that.

We need to think about how do we measure risk,
and what are the key characteristics of risk?

 

The key characteristics of risk that most people recognise is the likelihood of the risk event occurring and the impact if the risk event does occur. Some of you'll be familiar with the standard "five by five" plotting a dot where likelihood and impact are assessed and so on. We can therefore modify the definition to say that a control is something that you do that is aimed at reducing either the likelihood and/or of the impact of the risk.

Let's go back to Jenny and see what controls she has in place. She has five, there they are there. What we're going to do now is link those controls to the right place in the bow tie. Let's go. Hope these make sense.

Now that is a fully blown residual risk bow tie. Without the controls it's an inherent risk bow tie, and after the controls it is a residual risk bow tie. We as a firm don't believe you can do any decent kind of risk management or controls management until you've done that, because this really illustrates what the control actually does to the risk, because controls do different things.

Slide23

On the board there, we have three types of controls. Now I know people talk about these in different language, but this is the language we're going to use.

1. Controls that operate near the left hand side of the bow tie are called preventive controls. They are barriers, system access controls, a cage around a dangerous machine. These are preventative.

2. The next type are detective controls. Detective controls are focused on picking up early warning indicators that the risk is developing, and acting so it doesn't go any further. Smoke detectors, heat detectors, temperature gauge in your car, reconciliations, exception reporting, and the like. Now, if the detective control detects prior to the main event, we call it early detective. And if it's after it's late detective. That's an important distinction, as we're going to see in a minute, as to what it does to the risk.

3. And the final one are reactive controls, or as in COSO, they refer to it as corrective controls. These kick in once the incident has occurred, such as first aid and so on.

In my previous example, non-slip shoes would have been preventative controls. Inspections and cleanup are detective, and first aid is reactive.

We're now starting to get an understanding of what controls are all about, and we've got toa now start thinking what controls do we focus in on?

We as a firm believe there are three levels of control, minor, medium, and key, or words to that effect. Our belief is that key controls are non-negotiable. You would never consider running the business without them being there. Medium controls, we call them negotiable but important. And minor controls, I don't know, call them what you like, who cares?

Why am I being flippant about those? Because they're noise. They get in the way, and we believe only the mediums and the keys should be recorded in the ris

About the author

David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David’s vision is the redefine the way the world thinks about risk and to develop risk management to its rightful place as being a key driver of value creation in each of Protecht’s clients. David is the driving force in driving Protecht’s risk thinking to the frontiers of what is possible in risk management and to support the uplift of people risk capability through training and content.