We have worked with many organisations, supporting them with their risk and control environment. The quality and granularity of what we see still varies enormously. So what is the right level at which to define your risks, controls and key risk indicators (KRIs)?
The answer is that it depends, but there are some general principles we recommend:
- There should be no "set number" of risks, controls and KRIs. For example, you don't need to identify 10, 20 or 50 risks; you need however many risks there actually are. Even then, apply some proportionality: focus on the ones that matter and need managing.
- Keep things manageable. If you don't, the information won't get used or updated. We once worked with an organisation that had a separate tool specifically to capture key risk indicators, and every function in the business updated its KRIs monthly. What was this information used for? Nothing. It was never reported or referred to. A small, high-quality, relevant set of risks, controls and KRIs is much more valuable than hundreds that are neither used nor kept up to date.
- It shouldn't be a quarterly process. The "risk and control self assessment" (RCSA) process is often performed quarterly, and huge effort is expended updating the risks, controls and management actions every quarter. Controls should instead be embedded in each process and assessed when required; this is seen most dynamically in operations functions. The RCSA shouldn't be a tick-box exercise, and if risk is truly embedded, managed and used, the process should happen naturally. Read our previous paper and insight on Controls and an effective control framework.
- What you are assessing will often dictate the level. Some recommend using the risk categorisation model (the model that sets out the different risk types) to identify all of your risks, and these models can go down to quite a granular level of detail. I'm personally not a huge fan of this method, as it tends to leave you with a very large number of risks. If you are in the business, you can use your processes or your functional objectives to identify your risks; this builds in proportionality, since your risks can be tied to your high-risk processes, for example. At the highest level, you would assess the risks to achieving your strategy and business plan. Each level of the organisation can inform the other. For example, several functions may each identify a key person risk; because every function has identified it, and if they have assessed it above a certain level, a key person risk may be warranted at the highest level, so the Board or Exec can understand and monitor it and take action. The same works the other way round: the Exec may identify that data protection is a significant risk that threatens achievement of the business plan, and therefore want each function to have actions and controls managed at that level. It should work both ways.
The key is that risk information needs to add value to the business. If risk information is used, helps with decision making, and helps drive improvements to processes, controls and the business, then it is at the right level.
At Simplify Consulting, we are passionate about keeping things simple. The concepts of risk should be understood and accessible to everyone. If you need help with improving your risk framework and ensuring risk information adds value to your organisation, then get in touch today.
Kate Monserrate – Director