The Control Framework is a data structure that organises and categorises a firm’s internal controls. These being practices and procedures which minimise the risks set out in the Risk Register and ultimately create business value.
As regulators continue to emphasise the importance of strong governance, discussions about control frameworks and the building of a robust system of controls have become more prevalent. We believe there are 2 very important reasons why a business needs a working Control Framework, it:
- reduces costs through standardisation, streamlining and simplification; and
- avoiding significant control failures
The Control Framework provides an oversight to the relationships between the firm’s risks and the associated controls. Typically, it is administered by the Chief Risk Officer (CRO) or in small firms the responsibility is often delegated to one of the senior managers.
It is essential that the framework allows each control to be observed in one place, so that the relevant oversight body (usually the Risk or Audit Committee) can have a consolidated view of all the firm’s controls. Additionally, the Control Framework can then be more easily demonstrated to show how the risk exposure has been reduced to a level in keeping with the firm’s Risk Appetite Statement feeding into important documents like the firm’s Internal Capital Adequacy Assessment Process (ICAAP).
By forming a part of the Risk Register the Control Framework fulfils the reporting requirements of risk mitigation both internally and externally.
We recommend the ownership of each individual control is allocated to the head of the department in which the control lies, so that the control framework mirrors the corporate structure providing clear ownership and accountability.
However, in many of the cases we see, there is no clear ownership of the end-to-end control process. Often, governance and accountability models have not kept pace with changes in the wider business and controls have not been updated to reflect those changes. As a result, the Control Framework does not always fully address the actual business risk. In some cases, the testing methodology is not effective in identifying major control gaps, and the testing of controls is fragmented, with minimal learning from period to period and little development of better practices.
As a minimum we recommend that when documenting the individual controls are the following fields:
- Name – to allow quick identification
- Department – where the control sits
- Owner – who is its ultimate owner
- Status – is it fully working/inactive
- Associated risks – to report which controls affect which risks
Categorising controls within the existing corporate structure allows for easier dissemination of information by stakeholders and reporting recipients. As a consequence, because the controls are in familiar terms, the information contained within should clear.
Typically, there are as many controls as there are Underlying Risks (see Building a Risk Register Part 1) with multiple controls affecting each risk and multiple risks being affected by each control. Once the Control Framework has been created, we can then begin to quantify the effect each control has on the probability of a risk occurring and what the financial impact, or severity will be if it occurs, generally called the risk exposure.
The exposure of a risk can be reduced in one of two ways:
- by reducing the chance of its occurrence, or
- by reducing its severity if it occurs
As we have previously mentioned a risk can be controlled by many different controls. In order to value a control, it is necessary for the risk owners to allocated percentage weightings to all the various controls representing each risk. By ascertaining how much a set of controls reduces the financial severity of a risk and/or the effect that those controls have on the probability of a risk’s occurrence, it is possible to calculate the value of each control. Consequently, we can show which controls are the most valued within an organisation and therefore which ones should be prioritised when allocating scarce resources.
When making any change to business strategy, the control framework needs to articulate how it adds value by demonstrating tangible results such as cost savings. There are plenty of benefits to building a robust and resilient Control Framework. The Board and the various board committees gain transparency over the operating effectiveness of controls across the business. A strong framework also reduces costs and creates best practice that can be shared across different regions or business units. The Control Framework allows for future improvement, better understanding of the value of controls across the organisation and will support policies and procedures. An effective set of controls allows the business to be managed more effectively and to optimise its risk taking. Ultimately, this minimises surprises or instances where a control has failed causing irreparable damage.
The next piece in this 3 part series will advise on making full use of data and technology to administer the Risk Register and Control Framework.