About Sally
Sally is a CIPE-Certified Independent Compliance Assessor (CIPE-ICA), a World Bank-IFC trained Corporate Governance and Board Evaluation Professional and a member of the Institute of Directors (IOD) Nigeria. Sally worked as a Director in the Risk and Control Assurance Business Unit of PricewaterhouseCoopers Nigeria and the Manchester office, United Kingdom, driving the delivery of Corporate Governance, Risk Management, Internal Control, Compliance and Internal Audit Solutions. Sally holds a BSc in Computer Science from the University of Nigeria Nsukka (UNN), an MSc in Computer Science and Engineering from Enugu State University of Science and Technology (ESUT) and a number of professional certifications in Risk Management, Governance and Assurance Solutions. Sally currently works with Platinum Edge Consulting Limited as an Executive Director.
Sally writes the blog posts based on the knowledge, experience and competencies built from many risk management, governance and assurance projects delivered for clients in many jurisdictions, numerous professional trainings attended, networking and interactions with seasoned business leaders from different industries.
Introduction
Part of the role and responsibility of executive management, boards and board committees is to let business managers and assurance providers know the types of items they want to see in the reports provided to them, to support them in performing their corporate mandates. One of the critical items at the top of their list is the report on key risk exposures and controls performance. The key risks and controls reports enhance their insight into the big picture, the implications for their organisations and the effectiveness of the management responses in dealing with the root causes.
In addition, given that the risk management efforts at all levels (operations, management, governance and assurance) should contribute to the achievement of the overall corporate goals and objectives, business leaders want to see how the risk management efforts align with the corporate strategies, goals and objectives, to strengthen their confidence and trust in making risk-informed decisions and taking actions in the best interest of their organisations.
For many years now, descriptive, qualitative and quantitative Heat Maps or Matrices have been the most common templates for analyzing risks, determining risk sizes, control effectiveness and reporting of the risk and control movements or changes in directions.
Risk sizes could be inherent or residual. The inherent risk size refers to the gross risk or risk severity and is largely driven by the interaction of many factors, which primarily include probability of occurrence and potential impact. The residual risk size, or net risk, is determined primarily by the quality of the controls designed and operating to mitigate the inherent risk sizes.
Current residual risk, target residual risk, current control effectiveness and target control effectiveness are further elements used to gauge risk and control directions and the extent of deviations from the approved risk appetite and tolerance levels. Mitigating risks means reducing the probability of risk occurrence, the potential risk impacts, or both probability and impact.
Using descriptive or qualitative heat maps or matrices alone to analyse risks, controls and the status reporting may appear easier when compared to other methods such as 100 basis points. However, the general perception is that using descriptive, qualitative and quantitative heat maps or matrices to analyse risks, controls and the status reporting tends to present vague results, relative size interpretation problems and poor visibility of the big picture at a glance. It may require checking through many pages of presentation slides or documents to get the explanation notes and the big picture view, which may be time-wasting for the end users of the reports.
Consequently, the use of 100 Basis Points and other approaches to analyse risk sizes, control effectiveness and the status reporting adds strength and advantage. They make it possible to present the computed values as percentages and give visibility of the big picture at a glance. This is because percentages appear to be universally understood, and their relative sizes can be interpreted with ease.
Presented below are some of the templates users may consider adopting in their risk and control reporting efforts. The templates are focused on the Key Business Performance Measurement Indicators (KPIs) and the possible impact of the risk management efforts.
These templates will be helpful to the following categories:
- New risk managers who are confused about how to report risks and controls to their senior bosses.
- Well-experienced risk professionals seeking different perspectives on how to improve their current risk and control reporting templates.
- Business leaders (management, board and regulators) desiring greater insights on the key risk exposures and control performance disclosures in the organisations.
- Students of business management and governance who are keen to acquire knowledge, experience and skills beyond their standard school curricula to enhance successful career choices and growth opportunities.
- and others who may find the post beneficial.
The business leaders (executive management, boards and board committees) will find them refreshing and helpful, while they can serve as good starting points for new managers. Well-experienced professionals can benchmark them against their current reporting templates to identify gaps and improvement opportunities, and embed the lessons learnt in building an improved risk and control reporting template to support the decision support systems.
I anticipate that attempts to use these templates will help to incite interesting questions, needs, open discussions and genuine demands from different levels. These will eventually lead to re-engineering and positive transformation of the status quo, with all the business functions mounting pressure for stronger and seamless internal collaborations, partnerships and synergy in delivering risk management and assurance engagements, right from planning through execution, incident tracking and reporting, to achieve more and move to greater levels. Hopefully, this will reinforce the organisation to give serious thought toward adopting the “Combined Assurance Model”.
The templates are available for download in PowerPoint or PDF format. To get a copy, please contact Sally on the contact details provided towards the end of this post.
Thanks for adding value to me and others!
The templates are worth considering. Please share the link for download or a trial!
Thanks very much for the inspiring comment. I will chat with you privately on how to get the template across to you.
Thank you for sharing your wealth of knowledge.
How does one download the template?
Thank you very much Bennie for the comments and I wish you the best in your endeavors.