First, you need to define who the key stakeholders in the organization are, at both the senior management and operating management levels. Once you have identified the key players, meetings should be conducted to brainstorm:
These brainstorming discussions should be conducted using a control self-assessment format, in which the discussion is an open and candid dialogue about both downside and upside risks.
From these meetings, you can begin to summarize the top 7 to 10 key business risks for the organization and begin developing a risk matrix that would include:
As an example, a key strategy may be to attract and retain new customers as you enter a new market. What are some of the major risks with this strategy? One risk could be an ineffective marketing program that does not resonate with new customers. Once all the risks have been identified, you need to begin linking the key controls your organization has in place to mitigate these risks. In this example, controls could include the processes the organization has in place to track advertising effectiveness, including post-advertising event analysis, market basket analysis and tracking of coupon redemption rates. You should also define what monitoring processes you have in place to ensure the controls are operating as intended. This could include trend analysis of performance over a stated period of time. A major benefit of this exercise is the ability to perform a gap analysis to identify where controls are ineffective or may need to be enhanced to mitigate a stated risk.
This risk matrix can serve many purposes in managing corporate risk, but one that has worked very well in our organization is engaging the Audit Committee in discussing risks. To enhance corporate governance and to keep the process vibrant, we require a different business owner to attend each Audit Committee meeting to discuss the risks for their area and what controls they have in place to mitigate them. These discussions cover each risk's likelihood of occurrence and its financial impact. This process keeps the discussion of enterprise risks front and center at every Audit Committee meeting. It also makes the business owner think about the risks for their business area and helps to embed risk management into day-to-day decision-making processes.
As you would expect, the risk matrix will need to be updated on a regular basis. Depending on the nature and type of business, it would not be unusual for this to be an annual process.
Internal Audit should be considered by management to be a valued partner and a resource for enhancing corporate governance. Internal Auditors have the ability to play a greater role than just testing SOX controls and compliance. As an example, Internal Audit should play a major role in completing the Enterprise-wide Risk Assessment described above. Internal Audit can serve as an agent of change by getting involved in the key drivers and strategic initiatives of the organization and by identifying emerging risks.
Active involvement from the Internal Audit group can help an organization identify risks and establish the necessary controls to effectively mitigate those risks. They can also assess these controls in conjunction with management to ensure they are functioning as designed. Lastly, Internal Audit can perform a gap analysis to identify where controls do not exist to mitigate select risks.
To ensure that Internal Audit has a good understanding of the major risks facing an organization, and that it is performing risk-based reviews that support the organization's key strategic initiatives, the following should be completed on an annual basis:
Performing this assessment will help to ensure that Internal Audit is focused on the most important risks, is linked to the business and is completing audits that have an impact on the success of the organization.
In addition to completing an Enterprise-wide Risk Assessment, it is important to have additional processes and programs in place to combat fraud risk by increasing the level of fraud awareness within the organization.
As a start, consider completing a Fraud Risk Assessment. Similar to an Enterprise-wide Risk Assessment, this can be accomplished through conducting brainstorming sessions with management to discuss potential fraud schemes and scenarios. A Fraud Risk Matrix should be developed which includes the owner of each process, a list of possible fraud schemes and scenarios impacting the process, and a detailed account of all controls in place to prevent or detect fraudulent activity.
Once the Fraud Risk Matrix is developed, reviews can be performed of select processes to evaluate the effectiveness of the stated controls to mitigate the fraud risks. This matrix provides you the ability to perform a gap analysis to identify areas where additional anti-fraud control enhancements should be implemented.
Completing a Fraud Risk Assessment will increase the overall level of fraud awareness throughout the enterprise. As a by-product of this exercise, implementing fraud awareness and training programs can help to keep the message fresh and alive in your organization. As with any informational campaign, there are many ways to get the message out. Some of the more common methods are administering fraud and ethics training to your employees, conducting awareness and ethics presentations in departments within the organization, and creating a “Red Flags” of fraud poster and distributing it throughout the organization.
One can never do enough to increase employee and vendor awareness of the ethics hotline. Required as part of SOX, this open line of communication for confidentially reporting situations of potential wrongdoing or unethical behavior cannot be promoted too much. All organizations should develop programs to increase awareness of the hotline and its purpose, including posting hotline numbers on internal and external websites, conducting awareness meetings with employees, and developing graphics that communicate its purpose and when it should be used. In addition, you must ensure you communicate your no-retaliation policy and promote it in all of your hotline awareness communications.
On a semi-annual basis, you should consider requesting that the Chief Audit Executive provide the Audit Committee with a summary of all hotline calls, including their final disposition. This not only gives the Audit Committee an idea of the nature of the calls received, but also assurance that the callers' concerns were addressed.
It is extremely important to establish an investigative protocol and guidelines to ensure that reported issues and concerns are reviewed with a high degree of consistency throughout the organization. The guidelines should define which department(s) will perform the investigation, the standards to follow in completing and documenting the work performed, and the communication process for advising relevant parties about the investigation and its results.
In summary, taking the following steps will help to create good corporate governance and maintain a strong ethical climate within your organization: