Making Use of the CIPFA TICK Scores: Guidance for Departments

6  Do internal controls respond to risk?

Controls should always be designed, implemented, and applied as a response to specific risks and their causes and consequences.

Controls are a means to an end—the effective management of risks, enabling the department to achieve its objectives. Before designing, implementing, applying, or assessing a control, the first question should be what risk or combination of risks the control is supposed to modify.

Departments should mandate that all strategic and operational decision making is supported by risk management and the subsequent implementation of appropriate controls. All important deviations from the intended outcome need to be assessed.

Departments should be aware that various risks can create an aggregated effect of uncertainty on the achievement of their objectives. Therefore, risks should be assessed and controls designed taking common causes and synergies into account, including escalation and domino consequences.

Appropriate controls should be put in place to modify risk so that the level becomes acceptable. Important considerations for adequate selection, implementation, and operation of controls include:

  • the characteristics (causes, consequences, and their likelihoods) of the corresponding risks
  • the department's limits for risk taking
  • the various types of controls, for example, managerial or transactional controls, preventive or detective controls, and manual or automated controls
  • the suitability of the mix of controls, taking into account the department's size, structure, and culture
  • the costs compared with the benefits of more or different controls, and
  • the continuous changes that can make existing controls ineffective or obsolete and drive the need for periodic assessment of controls.

Departments should also consider the need to remain agile, avoid over-control, and not become overly bureaucratic. Internal control should enable, not hinder, the achievement of organisational objectives.

Depending on the type and level of risk and based on, among other things, the internal control considerations mentioned above, organisations can decide:

  • to avoid a certain risk by not starting or terminating the activity that gives rise to the risk
  • to take on additional risk in pursuit of higher reward by engaging in riskier activities or lowering the level of internal control
  • to control a risk by removing the source, changing the likelihood, or changing the nature, magnitude, or duration of the consequences
  • to share a risk by insuring against the risk, which is also considered a control, or
  • to accept a risk by doing nothing apart from monitoring the changes in risk.

These decisions should be made explicitly and consciously.

Controls should be cost-effective in a broad sense—the overall benefits, taking into account economic, environmental, and social considerations, regulation, and the department's limits for risk taking, should be larger than the costs, and the greater the difference, the more cost-effective the control. The consequence of this principle is that internal control can only provide reasonable assurance that an organisation meets its control objectives. It should be recognised, though, that some risks, albeit relatively small from a monetary perspective, can nevertheless have very significant consequences if they materialise, warranting a greater degree of control than a purely quantitative approach might suggest. For example, the payment of even a small bribe can cause very serious reputational damage to any department.

The balance between risks and related controls is continually changing in a dynamic environment, and controls should be continually re-evaluated and re-optimised. Risk reassessment and adjustment of internal controls should be carried out on a continuous cycle. For each business cycle, when management revisits strategy, the related risk and control policies also need to be reassessed. Changes in risk-taking strategy lead to changes in the amount of risk taken on or the level of controls applied. Additionally, external developments may affect risk, which, in turn, may necessitate changes in internal controls.

The effort to design, plan, execute, and monitor internal control must be properly balanced with the effort to plan, execute, and monitor the organisational business plan. With too little attention on internal control, business objectives will not be achieved. On the other hand, overly stringent control requirements can paralyse the organisation: internal control becomes a goal in itself.

Suggested Response

Leadership that is concerned about the CIPFA TICK survey assessment of this principle has a number of avenues it can explore:

  • What is the context the department is working in? Can we clarify the objectives, the stakeholders, and their level of importance? What is the department's risk appetite? Is this consistent across the entire department, or does it vary within and between projects or programmes?
  • How does the department identify the risks it faces? What is the 'risk' in this context? What is the risk identification method? Are any 'known unknowns' or 'unknown unknowns' overlooked?
  • How does the department assess its risks? What criteria have been employed to reach this conclusion?
  • Which risks need the most attention? What are the chosen methods of risk management (eg, accept, minimise, mitigate or share)?
  • How does the department manage its risks? How are specific risk management approaches implemented? What does the plan include?
  • How does the department know its risk management process is working? Can this be used to feed back into the risk management framework and improve it?
  • How does the department keep the key people informed about the risks and their management? Has this been legitimised by including others, ie, stakeholders? Has the department planned carefully and listened to stakeholder concerns?
