Most organisations manage risk as part of their normal business activities, with risk management so integrated into normal business operations as to be invisible. But the new London Stock Exchange’s combined code requires visibility. Maintaining risk registers to prove that you have a risk identification process in place only partially meets this need. Ultimately, your entire process should be visible, from inherent risk identification through to residual risk acceptance.
Control self assessment (CSA), sometimes known as control risk self assessment, can provide this visibility. However, its effectiveness depends on a number of organisational attributes. Unless these are in place, CSA will be not only ineffective but positively misleading.
Are you ready?
In order for CSA to be effective, your organisation must:
You can use some rough-and-ready measures to assess whether your organisation is ready for CSA, based on the Theory X and Theory Y schools of management theory. The Theory X school of management believes that its staff cannot be trusted, are inherently lazy and will use every opportunity to take advantage of failings in the organisation to feather their own nests. The only way to counter this is to have rigid reporting structures, detailed procedures, overt monitoring for compliance and severe punishment for transgressors. Theory Y organisations trust their staff, believe them to be inherently honest, know they will do their best for the organisation and do everything possible to improve it. If staff make a mistake they will own up to it, knowing that they will not be punished but will be expected to devise a way of preventing it in the future.
You can only use CSA with confidence if your organisation operates in the Y management style. How can you tell if it does?
Empirically, I have found that the Delphic poll approach (if you ask enough people a question the majority will give the correct answer even though they are unable to explain why) provides a pretty good guide. My method involves getting together a cross section of people and asking them to plot where they think their company is on the horizontal line in Figure 1. If most place themselves to the right of centre, their company is usually ready for CSA and can start preparing to introduce it.
Taking risk seriously
CSA will only add value if your organisation is serious about managing risk and has a process in place to identify and prioritise it at the inherent level (see Figure 2 for an overview). Key corporate inherent risks are identified at main board level and passed down to the lower levels with the question, “what are you doing to manage these?”. The answer goes back up the line to provide comfort to the board.
At the lower operational level, each function operates its own risk management process. It refers any significant residual risks upwards with the statement, “We have managed this as much as we can, but cannot do any more about it unless we have more money or resources. It’s your decision: either live with it, or give us the resource.”
The communication mechanism is usually in the form of risk registers - but these often tell only part of the story. What is needed is a solution showing:
The CSA process can provide each of these requirements in a form that is easily understood and capable of independent verification.
Most organisations try to manage their inherent risks by risk reduction. They have four choices when assessing each risk. Is it to be tolerated, terminated, transferred, or treated?
A risk may be tolerated where it is impossible to do anything about it, or where it is so insignificant that the cost of managing it exceeds its potential impact.
Occasionally a risk may be terminated. For example, the risk of suffering a large loss in e-commerce may be terminated by withdrawing from, or not entering, the e-commerce arena.
A risk can sometimes be transferred elsewhere, such as by outsourcing a process to a third party or insuring against the risk’s crystallisation.
More often than not however, the organisation will try to treat the risk by putting in an appropriate control mechanism.
Whatever decision you take, it needs to be documented. In the case of termination, transfer, or treatment, you also need to record the process used to achieve the move from inherent to residual risk. This is where CSA can provide the full picture, from inherent risk identification to residual risk acceptance. Figure 3 shows a typical risk register, where the risk of not complying with the Copyright, Designs & Patents Act has been identified as rating red at the inherent level and green at the residual level. Evidence of the move from red to green is shown as ‘Software Licensing CSA Pack’. What is this pack and how is it created?
How CSA works
CSA uses a workshop-based approach, leading to the recording of each significant inherent risk, the decision as to what to do about the risk and how that decision is implemented. It also provides for recording improvement actions where necessary.
Figure 4 illustrates the main outcome from a workshop dealing with the subject of software licensing. The resulting CSA pack documents the four major risks faced by the organisation in this area (only one of these is shown here) and suggests a minimum control set to manage those risks. Local management decide whether the controls are operating and then score themselves accordingly. They also have the opportunity to suggest alternative controls and remedial action. The complete pack provides the evidence to support the assertion in the risk register that the risk of not being in compliance with the Copyright, Designs & Patents Act has been mitigated.
CSA has advantages over traditional risk management measures. It tends to identify all major and many minor concerns. It fits the new, flatter organisational structures and the empowerment of staff. The people involved become committed to the solution, and it encourages team responsibility, often across functional boundaries. More importantly, it identifies where to allocate resources for maximum control impact, allowing effective risk management at minimum cost. It also provides a permanent record of the decision process in moving from inherent to residual risk.
Senior management gain too. A documented process proves their commitment to risk management, and shows that they are focusing on the major risk areas. They can also use it to re-assess situations where there is a change in risk profile.
A completed CSA pack provides all the key elements required by Turnbull and the LSE for risk management. It identifies and documents inherent risks, records related decisions and mitigation steps, assesses their effectiveness and records any necessary remedial action, with time scales to allow for subsequent follow up. The downside is that it is not for everyone, as it relies on having a suitable management culture.
John Mitchell is managing director of LHS Business Control, Tel: 01707 851454, e-mail: firstname.lastname@example.org