“The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” (COSO Principle 7 – Identify & Analyze Risks to the Achievement of Objectives http://www.coso.org/IC.htm) is the second of the four principles relating to the Risk Assessment component of internal control. “Across the entity” covers risks at both the entity level and the process level, internal and external, arising from the actions of employees, partners, vendors or other parties that directly or indirectly affect the achievement of the organization’s objectives. The available risk responses are acceptance, avoidance (e.g., exiting the activity), reduction (e.g., taking action to reduce the likelihood, the impact or both) and sharing (e.g., insurance, joint ventures, hedging, outsourcing). Identified risks are first assessed at their inherent level, before any response is applied; appropriate risk responses are then developed and implemented; and the risk is re-assessed taking those responses into account (residual risk) to confirm that it falls within the organization’s risk tolerance.
By its nature, the risk assessment process requires expertise, judgment, estimation and, as we’ve all come to understand, time. As with all activities of successful organizations, an adequate cost/benefit relationship is essential. So what are the costs? The cost of the actions management chooses to take to manage risk is the risk response cost. The costs of inadequate risk response are the fines, penalties, misappropriated assets, inventory shrink/spoilage/obsolescence, warranty costs, reputational damage and, in a larger sense, the variance (positive or negative) from the business plan/budget that management established to achieve the chosen objectives. Adequate controls satisfying principle seven consist of the planned risk responses (and their associated cost), which should keep the cost of inadequate risk response to a minimum. Quantifying both categories of cost provides a good analytic for assessing performance against principle seven: a consistent or shrinking cost of inadequate risk response relative to revenue is a positive indicator, while inconsistent or fluctuating costs could indicate a flawed risk assessment process.
To identify and quantify the cost of risk response, it is helpful to think back to when the organization was very small. The owner made the sales calls, knew all the vendors, approved all the invoices, interviewed all the employees and signed all the checks. The business used small outside accounting, legal, recruiting, marketing and similar firms to manage its operational, financial and compliance risks. We can all agree that a large share of the fees paid to these outside professionals was a cost of risk response. As the business grows, the owner hires accountants, human resources personnel, legal staff, security staff, auditors and other support personnel, at first to augment and then to reduce the need for the outside professionals. As these support functions take on the responsibilities previously performed by outsiders, the cost of these functions (payroll, taxes, training, recruiting, IT applications, etc.) becomes the cost of risk response. Essentially, all costs not directly associated with making and delivering the product or service that generates revenue must be evaluated and, in most cases, accumulated as a cost of risk response. For the functions mentioned above, these costs are rather easy to tabulate. A function like product design is harder: how much of its activity exists to mitigate the risk of obsolescence or warranty expense (a risk response cost), and how much is aimed at planned new sources of revenue? The answer will vary by industry, and by organization within an industry.
Inherent in any decision to expand, co-source or outsource a business function is the question of whether the resulting risk response is adequate in light of the incremental cost or savings of that decision. Similarly, decisions to replace or upgrade the IT systems used by support functions (e.g., HR, G/L) with more capable in-house or “cloud” applications involve weighing the new risks introduced against the existing risks reduced, in light of the cost or savings anticipated. Financial professionals accumulate these costs and must “call out” any necessary risk response activities (and their cost) that the plan does not include. Financial and compliance professionals who include the “risks to the achievement of its (organizational) objectives” in their analysis of both company performance and the cost/benefit of anticipated business plans are truly leveraging compliance.
About the Author
Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications and the “Leverage Compliance” blog. Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/, follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/