Under the new Corporate Governance Code Provision 29, Boards should monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls.

The board should provide in the annual report:

• A description of how the board has monitored and reviewed the effectiveness of the framework;

• a declaration of effectiveness of the material controls as at the balance sheet date; and

• a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues

Yesterday, I spent a whole day with other risk practitioners from different sectors listening to the challenges that many organizations are battling with to bring their Internal Control Framework to a place where it is fit for purpose i.e. adding real value to the organization rather than it being just a tick box exercise. Many thanks to Michael Rasmussen (The father of GRC) and Paul Cadwallader (CoreStream) for delivering this very insightful session.

With the new update to the Code now requiring that organizations take a more holistic approach to control effectiveness, beyond the scope of SOX and financial controls, understandably there is nervousness amongst people in terms of how we fulfill these requirements.

Some of the key challenges identified at the session included the following:

• Operational controls are lagging in addressing the reporting requirements of the UK Corporate Governance Code
• Disconnect internal control strategies between regions/geographies
• Rolling out a control framework across the entire group
• The breadth of controls needed to keep up-to-date
• Culture and engagement in controls
• Integrating controls into the business
• Insufficient company cultural buy-in
• Addressing silos of controls
• No mapping of controls to risks and objectives
• Providing evidence of controls
• Engaging and educating key stakeholders on controls
• Getting the business to understand the importance of risk and controls
• Integrated assurance and mapping of controls
• An enterprise view of risk requires an enterprise view of controls
• Relative detachment of risk owners from risk management process

So before I look at how we should tackle these challenges, for my readers out there, let’s start by defining what is an Internal Control Framework (ICF)

What is an effective Internal Control Framework (ICF)

An effective Internal Control Framework (ICF) is essential for organizations of all sizes and industries. It serves as a set of guidelines and procedures designed to manage risks, ensure compliance, and safeguard assets.

Why do we need an Internal Control Framework (ICF)?

Benefits of an Effective ICF:

1. Risk Mitigation: One of the primary benefits of an ICF is the mitigation of operational, financial, and compliance risks. It helps identify potential risks and establishes controls to minimize their impact, protecting the organization from unexpected events. IT WILL HELP INCREASE CERTAINTY THAT YOU WILL DELIVER YOUR OBJECTIVES
2. Improved Efficiency: An ICF streamlines processes, reducing inefficiencies and redundancies. It ensures that tasks are performed consistently and according to established standards, leading to improved operational efficiency. IT WILL HELP GET THINGS DONE PROMPTLY WITH GREATER EFFICIENCY
3. Enhanced Financial Reporting: With a robust ICF in place, organizations can produce accurate and reliable financial statements, which are crucial for stakeholders, investors, and regulatory bodies. INCREASE STAKEHOLDER CONFIDENCE
4. Compliance Assurance: Regulatory compliance is becoming increasingly complex. An ICF helps organizations stay compliant with ever-changing laws and regulations, reducing the risk of legal issues and fines.
5. Fraud Prevention: Effective internal controls can deter and detect fraudulent activities within the organization, safeguarding assets and reputation.

So, how do we implement an ICF Successfully?

1. Define Objectives: Clearly outline the goals and objectives of the ICF, aligning them with the organization’s mission and values. THIS IS CRUCIAL!
2. Identify Risks: Conduct a thorough risk assessment to identify potential vulnerabilities and threats to the organization’s operations and financial health.
3. Design Controls: Develop control procedures and policies that address identified risks. These controls should be specific, measurable, and realistic.
4. Implementation: Roll out the ICF across the organization, ensuring that employees are trained and aware of their responsibilities regarding internal controls.
5. Monitoring and Review: Continuously monitor and evaluate the effectiveness of controls. Make necessary adjustments to adapt to changes in the organization’s environment.

How do we address some of the key Challenges?

1. Communication: Effective communication and training can address resistance to change by highlighting the benefits and importance of the ICF.
2. Resource Allocation: Allocate resources strategically by conducting a cost-benefit analysis, ensuring that the benefits of the ICF outweigh the costs.
3. Expertise and Technology: Employ experts or utilize specialized software to navigate complex regulations efficiently.
4. Leadership Commitment: Leadership should lead by example, demonstrating their commitment to the ICF to inspire employees.

Any Quick Wins and Recommendations?

1. Start Small: Begin with a pilot program to test the ICF’s effectiveness in a specific area before rolling it out organization-wide.
2. Utilize Technology: Leverage automation and software solutions to streamline processes and improve control efficiency.
3. Periodic Assessments: Conduct regular internal audits and assessments to identify areas for improvement and adaptation.
4. Continuous Learning: Stay informed about industry best practices and emerging risks to keep the ICF relevant and effective.

Final Thoughts

An effective Internal Control Framework is an invaluable asset for organizations, offering numerous benefits such as risk mitigation, improved efficiency, and compliance assurance. While implementing an ICF can be challenging, addressing these challenges through communication, resource allocation, expertise, and leadership commitment can lead to quick wins and long-term success in managing and reducing risks within the organization.

IT DOESN’T HAVE TO BE A TICK BOX EXERCISE!

Contact me at Arischio Consulting for an informal chat on how we can help you build a fit for purpose ICF