Working In Uncertainty
A simple introduction to risk management and internal control in organisations
by Matthew Leitch, first published 10 November 2004 (slightly expanded 7 March 2005 and 6 November 2006).
This complicated field of risk management and internal control needs a simple introduction. It needs an overview that puts everything in place and gets us thinking in the right direction.
But it's not so easy to write. This is a massive subject in which much of the established advice is not good advice. Regulations differ between countries and sectors. Techniques and concepts derived from different sciences and professions often contradict each other in fundamental ways.
Here's my view. It is a bit different and I hope it works for you as it does for me.
There are many, many definitions around for ‘risk management’ and ‘internal control’ and the one thing they have in common is that they are rather abstract. Some people say risk management is part of internal control, while others say internal control is part of risk management.
Over the years I have noticed that the meaning of both terms, in practice, has expanded so, today, there is no useful difference in meaning between ‘risk management’ and ‘internal control.’ The explanation below is just as true whichever terms you use.
More recently some have suggested using a new term, ‘uncertainty management’, to refer to the field. There are several excellent reasons for this and I increasingly write ‘uncertainty management’.
The main objective of risk/uncertainty management programmes is simply to improve the way uncertainty is managed.
Within that I find it helpful to focus on two sub-objectives: (a) open minds to the full range of things that may happen in future (i.e. to take off the mental blinkers we wear most of the time) and (b) help people cope with the complexity thus revealed and so act in accordance with their expanded view. All the techniques I recommend concentrate on these. Whether it's reminding an accounts clerk that bank statements and cash books can be wrong so a reconciliation is needed, or helping an executive director think widely about the future direction of a charity so that she will recognise the value of flexibility, the mind has to be open or risk management seems unnecessary.
Psychologists have shown that we tend to be overconfident in predictions and believe we have more control than is really the case. That agrees 100% with my observations. When we work together in organisations the tendency towards a blinkered view of the future is usually increased by various social pressures and management systems.
In practical terms
An ‘internal control’ or ‘uncertainty management’ system is not a gadget or computer system, so what in practical, concrete terms are we talking about? An internal controls improvement exercise involves changing the way work is done (and the things that are used to do that work) to deal with the uncertainties the work involves. The changes are connected so they work together so in that sense they make a system.
Here are some examples to show the wide range of work that can be improved in this way:
In other words, it's a makeover that institutionalises open mindedness about the future. When people talk about ‘embedding risk management’ this is exactly what they should have in mind.
In some areas there is already a strong tradition of internal control e.g. business continuity, software testing, credit management, and book-keeping. In other areas, mostly areas of management, there is a lot that can be done that hasn't been already, with huge scope for innovation and new ideas. I sometimes use the phrase ‘intelligent internal controls’ to refer to controls that involve managers and go beyond traditional checklists and sign offs. For example, scenario planning is an example of an intelligent control because it opens minds to the future and helps them deal with it.
The scope for improving intelligent controls is huge. The reason for this is the human tendency to ignore uncertainty, and view the future too narrowly. Going through life continually surprised does not stop us from thinking this way! These mental blinkers are institutionalised in many management processes.
[A practical difference between the phrases ‘risk management’ and ‘internal control’ is that when people talk about internal control they usually focus on dumb, traditional controls that are routinely recurring, whereas when they talk about risk management they more often think of intelligent controls that are generated as one-offs for a project or business plan. It makes sense to consider all types of control and to design a system that has a bedrock of recurring controls, including some that generate the one-off control actions needed for non-recurring circumstances.]
We would like to institutionalise an open minded attitude to the future, not a blinkered attitude.
We should think widely about the techniques that might make the organisation (or just our part of it) more effective at dealing with uncertainty, particularly in the areas where uncertainty makes a big difference.
Having developed ideas for improved ways of handling uncertainty in critical areas, we should institutionalise them with procedures, roles, systems, training, or whatever is appropriate to us. It is impossible to anticipate every future requirement and detail, so therefore many of the actions we institutionalise will be analysis/design/planning activities that generate further actions. Things done regularly, or whenever some trigger event happens, can often be written into normal procedures and systems, but things done once only, on a project perhaps, will need to be generated by something in our normal procedures.
We should keep on improving and adapting.
How to design internal control systems
Let's get one thing clear immediately: listing risks and writing controls against each one will not produce an internal control system worthy of the name. Creating something that works well takes knowledge, skill, creativity - and an approach that helps you use them.
The best way to design internal control systems is naturally. The methods described on this website are natural. They involve starting with one or more generic control schemes then modifying, combining, and detailing them to take account of the distinctive characteristics of the process, organisation, people, products, etc. This begins with high level design, sketching out roughly what has to be built, from which the work needed to design details and implement them can be seen. Detailed work follows.
Thinking about risk is part of this, but not the sole determinant of the control system.
I hope you agree that this sounds natural and obvious, but please be aware that the most commonly talked about method today is to list ‘risks’ and write controls next to them. That's fine if you're just trying to find what controls are there already, or as a rough and ready ‘to do’ list, but would you expect an architect to design a building by just making lists of the doors, windows, and walls? Of course not! Unless you can put the elements together into a meaningful structure or system it's hard to see what you're doing. How would you feel if a building had some rooms with no doorways at all, or if visitors through the main entrance had to pass through the kitchen before reaching other rooms?
Meeting requirements for audit, certification, accreditation, etc
Which would you rather focus on, managing uncertainty or auditing what you do? It's not a hard question but unfortunately most regulations about what organisations must do in this area concentrate on laying down specific requirements for evaluating rather than doing. Not surprisingly risk programmes in organisations tend to be designed to meet regulations and so emphasise evaluation and use a lot of audit techniques.
To avoid this trap I suggest thinking about what would be a sensible way for you to manage uncertainty and then thinking about the easiest way to meet evaluation requirements. An effective management approach will naturally include organised documentation and management information that gives continuous evidence of operation and effectiveness. With those in place a very efficient evaluation is possible.
If you have a well organised analysis of your areas of uncertainty and some powerful methods in place or under development most auditors will be smiling.
Controls design in audit
Thanks to section 404 of the Sarbanes-Oxley Act, many large companies around the world are now having to compare their internal controls against some kind of model system. The model most people are using is called the COSO internal control framework, but it is very high level and not adapted to any particular company. Also, it is narrowly focused on book-keeping.
Nevertheless, this is an exciting move for audit. Instead of looking at controls and asking ‘Do these look as if they work?’ (accepting any reasonable looking design) the auditors will, increasingly, look at controls and ask ‘Do these match the model our organisation has chosen?"
Audit work can be done much more quickly this way, and recommendations are easier to make and agree.
Examples of internal control/uncertainty management systems
An example based on a large organisation would be too long for this simple introduction, so here are two examples on a small scale. Although these examples are laid out as tables, with areas of uncertainty linked to improvement ideas, that is not the only way you can do it, and usually not the best for large scale design. Any design method that works counts as risk/uncertainty management.
A charity working to help women at risk from their partners might find that its important areas of uncertainty and ideas for improvement include:
A local builder may decide that his areas of uncertainty and ideas for improvement include:
The skills needed
The skills that make this work possible include knowledge of methods for managing uncertainty and knowledge of design and planning methods that work with controls on different scales and in different situations. If I had to pick one skill in particular that makes an impact it would be knowledge of uncertainty management methods. The more you know the more the impact can be. If you are excited by the opportunities to raise performance a lot of other things fall into place.
Where to read more
The main causes of blinkered thinking, and ways to counter it, are described in ‘Open and honest about risk and uncertainty’, which is based on a speech given at the 2004 Risk Management Congress in London. An earlier paper with wider scope and more detail is ‘Straight and crooked thinking about uncertainty."
There are many ways to manage uncertainty and it pays to get beyond the obvious sign offs and documentation. Many effective methods are described in ‘Designing intelligent internal control systems.’
More ideas on how to break down your areas of uncertainty and how to run a meeting to do it are given in ‘How to run a risk management meeting’, which is written for non-specialists. It gives a realistic description of what sort of behaviour to expect.
The place to start designing better ways to manage uncertainty is with existing methods. Interviewing to find out what is done requires the right types of question in an effective order (and I'm not talking about open vs closed questions!). The skills needed are described in ‘How to interview someone about risks and controls.’
Although it is sometimes easy to think of your uncertainty management system as a table of techniques listed against areas of uncertainty this is rarely the best design method. A method that works well, particularly for large scale financial processes is given in ‘Designing internal control systems’ and a similar approach applied to projects is described in ‘Rapid project risk management’. Another example of the design method in action is ‘Controls for e-business processes.’
The practical advantages of concentrating on management to cut down on audit are described in ‘A new focus for Turnbull compliance’ and more information about designing efficient evaluation methods is given in ‘Sarbanes-Oxley Act section 404 and 302: efficient compliance.’
Made in England
Words © 2004 Matthew Leitch. First published 10 November 2004.