Internal controls: control yourself

With the news that the fine handed out to Credit Suisse (£5.6 million) for
its deliberate mispricing of asset backed securities was more than the total
fines issued by the FSA during 2007 (£5.3 million), the issues of risk and
internal controls once again have come to the forefront of the business agenda.

Why is it so important to have internal controls in place?

Organisations are coming under increasing scrutiny from regulators, financial
investors and other stakeholders to prove they have appropriate frameworks for
managing risks in their business, especially in the financial services sector.

The effective management of business risk is increasingly becoming a measure
that distinguishes an organisation’s performance from that of its competitors
and is a key element in helping it achieve its business objectives.

Besides helping protect your organisation’s reputation, it will also help
reduce the likelihood that your business will be subject to fraud, tighten up
processes to improve financial and operational performance and safeguard your
organisation against unforeseen problems.

Despite the stresses and strains of market pressures, it is still essential
that the business understands its key risks and the strategies they have in
place for managing them.

Undertaking a risk assessment is not rocket science; but does require a
systematic approach. We would recommend the following approach:

  • Understanding: your business objectives and your appetite for risk.
  • Risk identification. What risks could prevent you achieving your objectives?
    What impact would they have and with what likelihood could they occur?
  • Management strategy. What controls do you have in place to manage the key
    risks and how effective they are.
  • Reporting. How you receive ongoing assessment of the effectiveness of your
    risk management approach.
  • Action planning. For weaknesses and gaps any improvement actions should be
    agreed, given a timeframe and assigned to business owners.

It is important that this is not a one-off exercise, but one that should be
reviewed on an ongoing basis. For most businesses this should be at least

While internal controls can’t guarantee that something won’t happen to your
business, they can reduce the likelihood of an incident occurring.

They can also minimise any damage caused to the organisation and its clients.

George Quigley is a partner and risk adviser within BDO
Stoy Hayward’s financial services group

Related reading