4.6 Risk Management and Internal Controls
What is risk?
Risk is the chance of things going wrong. As individuals, we experience risk as an unavoidable fact of life: however carefully we plan and whatever precautions we take, every now and again things will still go wrong. The situation is very similar for organisations, except that the stakes are often higher and so the cost of things going wrong can be far greater.
Public bodies are required to provide an Annual Statement of Assurance on Internal Controls in order to comply with best practice as recommended by the Turnbull Committee Report. As part of that process, Directors are required to review, at least annually, the effectiveness of all controls, including financial, operational and compliance controls. Organisations need to show that they have established and maintained effective and ongoing procedures for identifying, evaluating and managing business risks.
What risks does your organisation face?
Every public body is responsible for identifying its own list of risks. The following list sets out, for illustrative purposes, potential risks that a public body may face:
- Poor strategic planning process with failure to determine and communicate an appropriate and focused strategy;
- Loss of Ministerial confidence;
- Change in Government funding policy results in a drop in real income;
- Unanticipated fluctuation in demand for services;
- Impact of new legislation resulting in the need to do new things, or do things in a different way (e.g. the Working Time Directive);
- Failure to attract, develop and retain high quality staff;
- Failure to adhere to employment legislation and standards of good practice with resultant damage to reputation;
- Inability to expand and change to meet new challenges;
- Failure to exercise budgetary control;
- Failure to identify future liabilities and needs: for example, staff costs rising ahead of funding, a pensions deficit etc.;
- Failure to meet liabilities;
- Significant costs incurred not included in financial plans;
- Failure to comply with statutory requirements leading to prosecution - for example, the Data Protection Act and related legislation;
- Failure to actively manage positive and negative publicity and/or failure to maximise benefits from positive publicity;
- Failure to effectively manage health and safety, with consequent risk or damage to staff;
- Potential litigation, including possible punitive damages leading to damage to reputation and/or jeopardising future income;
- Press criticism arising from perceived corporate governance weakness or non-compliance;
- Loss of movable assets;
- Major IT disaster - loss of information, or loss of the use of central hardware; and
- Failure to provide accurate and complete operational management information.
It is because of the regular experience of things going wrong that it is crucial to take steps to identify and manage risks, minimise the risk of adverse consequences and prepare contingency plans.
Why is risk assessment and risk management important to organisations?
Organisations have a set of aims and objectives, and the responsibility for achieving these rests with management. Furthermore, the environment within which organisations work is constantly changing, so these aims and objectives are constantly being refined and redefined; this only adds to the uncertainty and to the risk to which organisations are already subject.
In order to achieve its objectives, senior management in the organisation must identify the risks associated with not achieving these objectives and establish risk ownership - i.e. allocate the assessment and management of each risk to a specific manager. This manager then has the responsibility for matching controls to these risks in order to minimise them or avoid them altogether. He/she is also responsible for implementing these controls and for monitoring their effectiveness and continued relevance.
What is the role of the Board in risk management?
The Board should ensure that there is a system in place for continuous risk management in the public body which extends from the front line services through to the Board. This involves having a framework of prudent and effective controls in place to enable risks to be assessed and managed. The Board itself should regularly review key business risks affecting the organisation.