Here’s Why Merely Implementing Internal Controls Procedures Isn’t Enough
Steven Minsky | April 5, 2016
Risk Management’s 3 Basic Steps
In order to be effective, risk management must involve three phases:
- Risk identification & assessment
- Mitigation design & implementation
- Active monitoring of mitigation activities
If an organization misses any of these steps or does not directly link them to one another, it is not fully managing risk. Here’s what can happen if a step isn’t fully executed:
1. Improper risk identification often results from identifying a risk’s symptom instead of its root cause. When this happens, controls don’t neutralize the root cause (even if they are designed well), leaving the organization vulnerable. If management does not reach out to supervisors on the front lines, the individuals who can take effective action may not be apprised.
2. Mitigation activities can be ineffective either because they’re directed at a symptom (see #1) or simply because they’re not designed well. In either case, threats aren’t neutralized and the organization remains at risk. When risks are identified by one department but aren’t communicated to those who need this information, unnecessary collateral damage results.
3. If internal controls procedures exist but are not used or updated, the organization is vulnerable not just to existing risks, but to an increased chance of negligence charges. If mitigation activities are not linked to risk, how is it possible to monitor the control? When controls are not linked to a root cause, to the people responsible for the control, or to the business policy, monitoring does not meet compliance requirements. This leaves the enterprise open to class action suits for negligence.
Below, we’ll explore how Nordion Inc., a global health science company, missed phase three and paid the price:
Even though Nordion self-reported to and cooperated fully with the SEC, it was still forced to pay $375,000 in penalties.
This would have been avoided if the organization had adhered to its own internal controls procedures.
Internal Controls Procedures Could Have Shielded Company from Embezzlement Scheme
Between 2004 and 2011, one of Nordion’s employees reportedly “arranged improper payments” from the company to bribe Russian authorities, according to the Risk & Compliance Journal. Although Nordion was never complicit, the fact that it didn’t discover the scheme made it liable.
Here’s an important detail: The employee in question was very thorough in his deception. He kept the plan secret “by preparing multiple drafts of documents and by misrepresenting how the agent would use the funds received from Nordion, the SEC alleged.”
Even though Nordion didn’t know about the scheme, it could have better prepared itself for such scenarios. Specifically, the company could have trained its employees on its adapted operational procedures for branches in more corruption-prone regions. Additionally, the company “didn’t do any due diligence on the agent or follow its internal controls procedures in place at the time.” Perhaps, if Nordion had been using policy and procedure software, its procedures could have been more effective.
On the bright side, the company earned no profit from the embezzlement scheme, and once the situation came to light, fired the employee and cooperated fully with the investigation. For this reason, the company avoided more severe penalties. Those good-faith actions, however, still didn’t save it from the initial $375,000 penalty.
An ERM solution would have prevented Nordion from making any headlines. Risk-based, enterprise-wide systems support all three phases of risk management. In this case, the company had performed phases one and two by merely having internal controls procedures in place. The slipup was letting the process go slack – not devoting a constant resource flow toward maintaining and monitoring those procedures.
LogicManager provides robust risk monitoring capabilities designed specifically to provide insights into how effective controls are (or, in this case, if they’re even being performed). Certain parties can also be made accountable for specific components of the controls. Customizable surveys, tasks, and emails can all be automated to recur at particular intervals, making internal controls easy to plan and prioritize.