Enterprise risk management in an environment of budget constraints and cost-cutting can be challenging. Yet, it is essential for organizations to properly manage risks, as a wrong move could put one out of business.
In separate e-mail interviews with ZDNet Asia, Irving Low, head of internal audit, risk and compliance services at KPMG in Singapore, and Benjamin Chiang, partner at Ernst & Young Solutions, offered five cost-effective tips to keep problems such as fraud or poor business ethics out of an organization's way, or at least, to manage or mitigate the impact in a satisfactory manner.
1. Tap on existing control features to improve IT controls
According to Chiang, the current climate of headcount reductions may result in employees being assigned multiple roles and responsibilities. To prevent internal controls from deteriorating over time due to the lack of segregation of incompatible duties, organizations should better leverage the control features available in their existing application systems.
"Controls such as segregation of duties (SOD) are an important and integral part of a company's internal controls," said Chiang. "However, it presents a unique challenge as it requires close alignment of business and IT stakeholders to assess, mitigate and reduce the risk. There is also no prescribed leading practice or method for removing conflicts. Every scenario is unique depending on the complexity of the environment."
On the other hand, a "well-designed, risk-based SOD initiative" can offer real business value by "enhancing controls while improving, streamlining and efficiently redesigning key business and IT processes", he added.
2. Promote risk management and reward desired behavior
Risk management should be integrated into existing job training wherever possible, using appropriate technology to develop, deliver and measure education and awareness, said Low. To further stretch the training dollar, companies can make use of self-service resources.
Performance appraisals and rewards can also be aligned with the organization's desired risk-taking behavior. "This includes a clearly defined promotion process, criteria and incentives that consider the individual's support for and achievement of governance and risk objectives," added Low.
3. Augment existing systems to report and monitor tasks
Existing risk or ERP (enterprise resource planning) systems should be enhanced to provide continuous monitoring capabilities as well as timely alerts when events fall outside the organization's risk appetite, noted Low. "This involves embedding key controls into normal operations to achieve a single view of risks, thereby sharing the costs of managing risks across the organization, while increasing the effectiveness and quality of risk data."
Chiang added that companies need to recognize that continuous control monitoring and auditing is not a one-off initiative but "a constant learning, evolving and refining process". Besides the option of expensive turnkey tools, there is also inexpensive general-purpose analytics software that is easy to use and allows users to develop custom analytics very cost-effectively.
4. Timely communication with stakeholders
Timely and honest communication to investors and customers can instill confidence, and at the same time, it allows the organization to operate according to strategy, said Low. This can ultimately increase the organization's competitive advantage and give rise to wider access to capital and funding.
5. Constant reviews
Organizations, said Chiang, need to consistently review their portfolio of capital projects, which involves assessing how each project relates to their short-term and long-term strategic direction. With such an understanding, the timing of projects could be adjusted to coincide with projected economic movements.
In addition, companies should monitor risks associated with their suppliers, to prevent, for example, the risk of business disruption due to a missed production schedule. Supplier performance should be evaluated over time against key financial and operational variables and benchmarks, he said.
Low also noted that relationships between different types of risks should be defined or mapped out, as the current economic crisis has demonstrated that a "systemic failure can result in multiple risk events occurring concurrently, due to their interconnectivity".