Operational Risk & Control

Safeguard your business through the automation and tracking of a solid internal control framework.

Operational risk is the risk of loss resulting from failed or ineffective internal processes, people or systems. Often these weaknesses are exposed by external events that disrupt the business: natural disasters (floods, hurricanes), infrastructure failures (power outages, damage to telecommunications lines), and political and social problems (riots, pandemic response).

While larger companies focus on enterprise risk management, which seeks to find the optimal balance between risk and reward, small and midsized organizations gain more value from operational risk management, which is more risk-averse and focuses on protecting the organization. Our Operational Risk and Control practice helps SMEs use technology to implement and manage an efficient and effective ORM framework.

Our five-step ORM process

Phase 1. Risk Identification

You can't control or mitigate a risk until it has been identified. Our methodology guides clients through identifying the risks that apply to them, reviewing that list periodically, and documenting each risk in a categorized register.

Phase 2. Risk Assessment

In this phase each risk is reviewed systematically and rated on its probability and its impact. The output is a probability/impact matrix which, combined with the risk appetite you have determined, produces a prioritized list of known risks.
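The rating, matrix and prioritization described above, as an added worked example (not the practice's own tooling). The register entries, the 1-5 probability and impact scales, the score bands and the risk appetite threshold are all constructed assumptions; a real register would carry the organization's own scales and appetite.

```python
"""Risk assessment: rate each register entry on probability and impact,
place it on a 5x5 matrix, and produce a prioritized list of the risks
that exceed the organization's risk appetite.  Constructed example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    ref: str
    category: str
    description: str
    probability: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int       # assumed scale: 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        """Score = probability x impact, validated against the 1-5 scales."""
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.ref}: ratings must be between 1 and 5")
        return self.probability * self.impact


def rating_band(score: int) -> str:
    """Map a score to a band.  Band boundaries are an assumption."""
    if score >= 17:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def build_matrix(register: list[Risk]) -> list[list[list[str]]]:
    """Return a 5x5 grid indexed [probability-1][impact-1] holding risk refs."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for risk in register:
        risk.score()  # validates the ratings before placing the risk
        grid[risk.probability - 1][risk.impact - 1].append(risk.ref)
    return grid


def prioritize(register: list[Risk], appetite: int) -> list[Risk]:
    """Risks scoring above the appetite threshold, highest score first.

    Ties are broken by impact (worse first) and then by reference, so the
    ordering is stable and reproducible between review cycles."""
    above = [r for r in register if r.score() > appetite]
    return sorted(above, key=lambda r: (-r.score(), -r.impact, r.ref))


# Constructed register; the entries echo the kinds of risk discussed on the page.
REGISTER = [
    Risk("R-01", "Technology", "Untested code promoted to production", 3, 4),
    Risk("R-02", "Infrastructure", "Power outage at main site", 2, 4),
    Risk("R-03", "People", "Accounting staff approve their own purchase orders", 3, 3),
    Risk("R-04", "Data", "Laptop lost or stolen with unencrypted disk", 4, 3),
    Risk("R-05", "External", "Flood at head office", 1, 5),
    Risk("R-06", "Technology", "IT security staff alter their own access rights", 2, 5),
]

RISK_APPETITE = 8  # assumed: scores of 8 or below are accepted without further action

if __name__ == "__main__":
    for risk in prioritize(REGISTER, RISK_APPETITE):
        print(f"{risk.ref} {risk.score():>2} {rating_band(risk.score()):<8} {risk.description}")
```

Everything scoring at or below the appetite (here R-02 at 8 and R-05 at 5) stays in the register but drops off the action list; changing the appetite or any rating and re-running shows how the prioritized list moves.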

Phase 3. Risk Mitigation

Risk mitigation is handled one of four ways:

  • Transfer the risk to another organization, usually through outsourcing or by purchasing insurance. Transferring usually mitigates the risk only in part, for instance an insurance product will often include a copayment or policy excess, but the end result is still beneficial to the organization.
  • Avoid the risk, for example with a policy prohibiting the use of a ladder to perform work above a certain height, or requiring certain chemicals to be stored securely offsite. Avoidance is not always possible, and even when it is, the organization will miss out on any potential profits from the avoided activity.
  • Accept the risk. Depending on the organization's risk appetite, it might decide simply to accept the risk and proceed. This can be seen where companies self-insure things like the theft or loss of a laptop computer, accepting that they will pay the full replacement cost rather than continually pay an insurance premium with a potentially high copayment.
  • Control the risk. Internal controls are the processes, checks and balances put in place to decrease the impact and/or probability of the risk occurring. For example, encrypting the hard disks on a laptop controls the risk of data loss in the event the laptop is stolen, system controls prevent accounting staff from approving their own purchase orders, and general IT controls prevent untested and flawed code from being promoted into production environments.

Phase 4. Control Implementation

Internal controls are designed specifically to mitigate the risk in question. Mitigation can be in the form of guaranteed avoidance (for example a fully automated preventive control, such as preventing IT security staff from altering the access rights on their own accounts to circumvent segregation of duties within a system) or the ability to detect an undesirable situation (e.g. periodic reports that highlight staff whose access to certain data needs to be removed). Controls should always be fully documented and include the following:

  • A process flow and narrative describing the business area in which the risk arises.
  • A detailed description of the control's objective and how it operates.
  • A comprehensive test plan covering both the design effectiveness and the operational effectiveness of the control.
  • Sample size calculations for testing purposes so that control test results are statistically valid.

We have specific and considerable experience in designing, testing and implementing internal control frameworks, and over the years have developed our own detailed control modeling language. This allows us to not only perform highly accurate work in this area, but also to benchmark performance across industries, divisions, regions and other dimensions. The combination of our modeling language and determination of sample sizes means we're able to optimize the cost and value of internal control work, something which many internal control frameworks struggle to do.

Phase 5. Control Monitoring

Controls may be performed by people, who make mistakes, or by computer systems, which can become unreliable after upgrades and other technical changes. For this reason the internal control environment changes over time and should be monitored periodically. Monitoring involves:

  • Testing controls for their design, performance and operational effectiveness; exceptions are logged, raised with management and tracked through action plans to correct them.
  • Establishment of key risk indicators (KRIs) to provide early warnings relating to increasing risk exposure.

Our experience in building decision support systems aligns with our operational risk management experience so we can help our clients implement successful control monitoring solutions.

Schedule a free consultation

Did you know some MSPs charge high margins for a dated set of IT systems and processes? Get in touch today and we'll show you how a fresh approach can save you money.
