Organizations operate in a field of risk landmines. The daily headlines reveal companies that fail in risk, compliance, and internal controls. Business today is complex in its operations and corresponding internal control obligations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, and operational), impacting how business is conducted.
The dynamic and global nature of business is particularly challenging to an internal control program. As organizations expand operations, their risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal and external risk in context of a changing business environment. What may seem insignificant in one area can have profound impact on others.
Risk and control is like the hydra in mythology—organizations combat risk, only to find more risk springing up. Executives react to changing requirements and fluctuating risk exposure, yet fail to actively manage and understand the interrelationship of internal control data in the context of business and business change. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing internal controls as well as a changing business environment, and ensure changes are in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined internal control practices that are monitored and adapted to the demands of a changing business and regulatory environment.
Today’s business entity must ensure internal controls are understood and managed company-wide; that internal controls are more than a list in a spreadsheet, but are part of the fabric of business operations and processes. A strong culture of control ensures transparency, accountability, and responsibility as part of its ethical environment. A strong internal control program requires a risk-based approach that can efficiently prioritize resources to risks that pose the greatest exposure to the organization’s integrity.
Traditional processes of managing internal control programs (e.g., shared drives, spreadsheets, emails, etc.), can be time-consuming, error-ridden, mundane, and most importantly lacking in providing transparent insight on the state of controls across the organization. Requirements and processes can change frequently as a result of new or emerging risks, making it increasingly difficult for organizations to identify control requirements, map them against organizational processes, and then report on the level of compliance across the enterprise.
The organization has to be able to see the individual area of control as well as the interconnectedness of risk and controls. A GRC professional’s most challenging task therefore, is developing a process or framework to understand how internal and external risks interrelate with controls and business processes in context of change, and how to evaluate organizational initiatives against these requirements.
The Bottom Line: Organizations cannot readily understand control from a series of lists or spreadsheets. They need intelligence and insight into the relationships between the hierarchical dimensions that describe an organization’s internal control and risk ecosystem that predict the full scope of potential impacts (direct and cascading) due to actual or exploratory change to risk and business strategy. Organizations need solutions that support simulation and scenario planning for strategic and tactical action plans in response to change.
Upcoming Workshops (no cost & CPEs) . . .
- Internal Control Management by Design, Houston, January 28
- Internal Control Management by Design, Atlanta, February 5
- Internal Control Management by Design, Chicago, February 7
Upcoming Webinars . . .
- Enabling the Second Line of Defence with Effective Policy Management & Oversight, January 23 @ 9:00 am – 10:00 am CST
- Engage the Front Lines Through Effective Policy Communication, January 24 @ 11:00 am – 12:00 pm CST