Monday, 23 April 2012

Implementation Framework for Business Risk & Control Management

The execution of a Business Risk & Control function is based on three main components:

·         A solid analysis of the Business Risk & Control environment

·         An Implementation Framework: Assessing risks, determining rules and establishing proper controls

·         Transparency and support in the control process

The core component, the Implementation Framework, has to be designed, executed and reviewed in a continuous process. The sections below describe these processes:



Design: In the design phase, a model is constructed that optimizes compliance with rules and guidelines through the identification, evaluation and mitigation of risks and the definition of appropriate control procedures and responsibilities. Unfortunately, the definition of this implementation model is an iterative process, as the overall model can be influenced from every area (risks, rules, controls). Sometimes rules are determined without specific market-relevant risks, often risks occur without an originating policy, and often controls are required without underlying risks or policy structures.


The overall design process should develop a set of controls that can be implemented and verified by independent individuals at predetermined frequencies. Furthermore, the iterations facilitate the simplification and reduction of controls.


Execution: The execution process requires the person responsible for the control either to document the control execution or to independently verify that execution. The implementation and verification follow a predetermined pattern of steps and frequencies, which are defined during the design phase.

Review: The review phase attempts to reevaluate the three original dimensions of the Risk & Control management model.

·         Risks:

o   Are all risks assessed?

o   Are all risks properly evaluated?

o   Are all risks assigned to the appropriate people?

o   Which risks could be grouped or managed differently?

·         Rules:

o   Are all rules useful, or do some not result in any risks or controls?

o   Are all rules addressed?

o   Which rules are addressed with what kind of and how many controls?

·         Controls:

o   Are the controls efficient?

o   Are the controls effective?

o   Can controls be merged or stopped?

o   Which controls are the most effective?

o   Which controls are often overdue?

As many organizations do not engage in the review process, the entire Business Risk & Control ecosystem collapses due to inefficiencies and inappropriate structures. Missing managerial oversight and tool / process support, from the design process through execution and review, puts the ecosystem under strain from frustration or sarcasm about the immense paperwork and potentially unnecessary processes.

The Business Risk & Control Management Solution from digital-media-lab allows managing the entire framework: design, execution and review. Based on the latest industry standards, the model of risks, rules and controls can be calibrated, the implementation documented and the review conducted.

For feedback or questions on this topic or our solutions, please contact us.
