Business needs a scorecard
Mr. Vidyarthi an innovative consultant had recently visited one of the biggest business conglomerates with his new idea to increase returns on the risk monitoring activities of the corporation. He had envisaged that even the smartest people in the profession will find it difficult to digest the idea due to effect of the dominant designs on their mindsets. So the meeting was more of an experiment for Mr. Vidyarthi. He wanted to test the minds of the business leaders at the meeting. One cannot think out of the box until he or she comes out of his or her comfort zones. In another words, you cannot escape the power of the dominant designs. Only the rocket science can make you pass the gravity.
Mr. Vidyarthi during his presentation to the business leaders of the business conglomerate revealed how faulty is the existing risk analysis process used in the industry whereby the monitoring activities to be carried out are prioritized on the basis of the net risk.
A risk perceived is given a risk score on the basis of various risk criteria which is then adjusted with the comfort level achieved due to perceived effectiveness of the mitigating controls. The net risk is indeed the inherent limitations of the controls. Therefore the net risk score is an incorrect criterion to priorities the monitoring activities that are mainly to test existence of the controls. Secondly, effectiveness of controls is not tested and challenged scientifically; hence the net risk so calculated is also questionable.
The business leaders were not ready to get their mind challenged and it was apparent soon. Mr. Participator, one of the business leaders present at the meeting, who first accepted a premise when asked, denied the acceptance when a flaw was shown in it subsequently.
A sharp question was then raised by Mr. Encourager, another business leader while looking at the diagram depicting gross risk, control effectiveness and net risk in the presentation of Mr. Vidyarthi. Can you define the Gross Risk? If you could come out with a method to measure the gross risk then it would be a great idea. The question was clearly out of the context. Mr. Vidyarthi was now clear that the question was from a preconceived mind than an open mind.
The point was when nobody can define a gross risk, then how anyone can be sure of effectiveness of the processes and controls? It depends on ones professional judgment and previous experiences about those risks and controls. You know more about a risk and its mitigating controls when you consider different view points which perceive risks differently. So risk assessment cannot be a static process but has to be a dynamic one. Each assertion needs to be tested again and again. Each assertion needs to be subdivided further into smaller assertions.
When Mr. Vidyarthi started talking about a new score keeping method which could reduce the monitoring cost i.e. the cost associated with monitoring the non-compliance of the established controls and procedures, Mr. Participator said that if the auditor perform sampling and finds out non-compliance issues then instead of checking all the risk sources he may just tell the risk owner to look at all of them and make the corrections. This creates required deterrence. Thus we are just using a different variant of your idea.
Mr. Vidyarthi was now very clear that Mr. Participator's mind set had been that of the fault finder but regular conflicts with his auditees in past have made him now a person just focusing on effectiveness of processes and controls and a little negligent to emphasize on finding the existence of the controls or the non-compliance. However, monitoring non-compliance has always been on the top of the list of the items that consumed his budget. He was of the view that any kind of scorecard connected with KPI of the auditees is not an effective method as it creates lot of negativity among the auditees. Therefore ensuring effective processes and control is better than finding non-compliance and scoring the non-compliant risk owners on that basis. There was an obvious flaw in the argument as effectiveness assertion is not connected with existence assertion. Which controls do you check for its existence, the less effective ones or more effective ones?
Mr. Vidyarthi during his presentation to the business leaders of the business conglomerate revealed how faulty is the existing risk analysis process used in the industry whereby the monitoring activities to be carried out are prioritized on the basis of the net risk.
A risk perceived is given a risk score on the basis of various risk criteria which is then adjusted with the comfort level achieved due to perceived effectiveness of the mitigating controls. The net risk is indeed the inherent limitations of the controls. Therefore the net risk score is an incorrect criterion to priorities the monitoring activities that are mainly to test existence of the controls. Secondly, effectiveness of controls is not tested and challenged scientifically; hence the net risk so calculated is also questionable.
The business leaders were not ready to get their mind challenged and it was apparent soon. Mr. Participator, one of the business leaders present at the meeting, who first accepted a premise when asked, denied the acceptance when a flaw was shown in it subsequently.
A sharp question was then raised by Mr. Encourager, another business leader while looking at the diagram depicting gross risk, control effectiveness and net risk in the presentation of Mr. Vidyarthi. Can you define the Gross Risk? If you could come out with a method to measure the gross risk then it would be a great idea. The question was clearly out of the context. Mr. Vidyarthi was now clear that the question was from a preconceived mind than an open mind.
The point was when nobody can define a gross risk, then how anyone can be sure of effectiveness of the processes and controls? It depends on ones professional judgment and previous experiences about those risks and controls. You know more about a risk and its mitigating controls when you consider different view points which perceive risks differently. So risk assessment cannot be a static process but has to be a dynamic one. Each assertion needs to be tested again and again. Each assertion needs to be subdivided further into smaller assertions.
When Mr. Vidyarthi started talking about a new score keeping method which could reduce the monitoring cost i.e. the cost associated with monitoring the non-compliance of the established controls and procedures, Mr. Participator said that if the auditor perform sampling and finds out non-compliance issues then instead of checking all the risk sources he may just tell the risk owner to look at all of them and make the corrections. This creates required deterrence. Thus we are just using a different variant of your idea.
Mr. Vidyarthi was now very clear that Mr. Participator's mind set had been that of the fault finder but regular conflicts with his auditees in past have made him now a person just focusing on effectiveness of processes and controls and a little negligent to emphasize on finding the existence of the controls or the non-compliance. However, monitoring non-compliance has always been on the top of the list of the items that consumed his budget. He was of the view that any kind of scorecard connected with KPI of the auditees is not an effective method as it creates lot of negativity among the auditees. Therefore ensuring effective processes and control is better than finding non-compliance and scoring the non-compliant risk owners on that basis. There was an obvious flaw in the argument as effectiveness assertion is not connected with existence assertion. Which controls do you check for its existence, the less effective ones or more effective ones?
Balance sheet, P&L or NASDAQ or BSE sensex all are kinds of scorecard. Scorecard is way of life. Education systems, government legislation, businesses, economics all use some or other kind of scorecards. Risk scoring is also a scorecard. Performance appraisal using a balanced scorecard is very common. Scorecard is a scientific method to evaluate people, businesses and economy of a country. If we don' t use scorecards then we are just using our instincts and intuition to make our decisions. Mr. Participator's logic was full of flaws. The item was definitely debatable but again was out of the context. It was like putting the fingers in the ears to reject the idea outright.
Mr. Vidyarthi was actually talking about an innovative score keeping method which makes the risk owners or auditees to remain compliant proactively. So, corrective measures are taken even before the audit is carried out to detect any non-compliance. The method discussed was about leveraging the risk taking and decision making ability of the risk owners to foster compliance. The method was about reducing the cost of monitoring while keeping the deterrence at the same level.
Mr. Vidyarthi realized that the business leaders present at the meeting were all well mannered but lacked the ability to zero down from their previous knowledge, perceptions and As Is position. One has to empty up ones' fully occupied mind and stomach before something new can go inside it. The new idea was a big risk for them to invest in. It was soon the end of the meeting with a positive promise to further brainstorm the idea internally by the business leaders.
However, Mr. Vidyarthi was grateful for the valuable time provided by the business leaders for his experimentation.
posted by Narayan Mantri at
5:41 AM
0 Comments:
Post a Comment
Links to this post:
Create a Link
<< Home