by Dar Vanden Boogart
In the article, Governance Practices - Setting the Tone, we discussed strategies to strengthen the internal control culture within an organization. In this article, we’ll discuss strategies to find the right balance in controlling risk.
Understanding the Risks
Selecting a risk management strategy cannot be effective unless an organization understands the risk it is trying to control. Typically, strategies fall into four categories: avoidance, transfer, retention, and reduction.
With the avoidance strategy, management determines that the risk associated with an activity cannot be lowered to an acceptable level or the opportunity associated with the activity is not sufficient for the potential risk. Avoidance can be a permanent or temporary strategy. Engaging in activities is sometimes postponed because an organization lacks the technology or skill set to implement an activity, or in the case of emerging technology or services, management prefers to let the market become “seasoned” instead of leading the market.
The transfer strategy is typically used to transfer all or part of the risk to another party. Purchasing insurance is a common example of the transfer strategy. The insurance deductibles and limits chosen define how much risk the organization is willing to assume. When determining the activities to insure and the respective limits, an organization needs to understand the conditions of coverage contained in the insurance policy or rider. For example, wire transfer coverage often requires “call backs” to be made or written agreements to be in place for certain types and dollar amounts of transactions. It may also preclude coverage for instructions accepted via certain methods. Any condition of coverage should be fully communicated to employees involved in managing the activity as it may impact operational or internal control design decisions.
The retention strategy is typically used for risks of low consequence. The organization understands that some risks are a cost of doing business, and if a risk is low enough, it doesn’t warrant the time or money involved in protecting against it.
In risk reduction, an organization takes action to reduce either the probability or consequence of the risk. This is the core concept of the internal control environment. Control activities are most effective when viewed as an integral part of, rather than an addition to, daily activities. In general, it is easier to maintain effective controls when employees understand the reasons behind control policies and procedures rather than just being instructed on the mechanics of a task.
In looking at risk management strategies, it’s helpful to remember that sometimes one strategy is not sufficient to control risk. In those instances, a combination of strategies can be used to manage risk more effectively.
Understanding What Went Wrong
When things go wrong, it is important for an organization to analyze the facts to determine if an unanticipated risk occurred that needs to be addressed, a change in strategy is warranted, or if there was a breakdown in existing control. Only then can management determine the appropriate response.
Consider Changes in the Industry or Systems
The financial services industry has undergone significant changes in recent years. Computer systems and processes have become more sophisticated and complex. It is not uncommon to find that risk management strategies have not kept pace with these changes. A frequent response to a question about why things are done a certain way is “We’ve always done it that way.” While this response might be valid in some situations, it may be an indication that the internal control system has not kept pace with changes.
Maintaining an appropriate internal control environment does require effort and resources, but it does not have to be as labor intensive as it used to be. In the next article, we will look at ways to take advantage of computer application controls.