Report

Understanding Control Management Practices

Find out how the financial sector is managing control frameworks

Service

ORX Membership

Community

Risk Management Community

Risk programme

Management, practice & framework

Report - September 2017

This report helps you understand how operational risk teams at financial firms are managing their control frameworks and the nature of the related data they collect.

In the first half of 2017, we conducted a series of interviews and a detailed survey, working closely with 36 ORX member firms. The findings were written up into a report which is available to all ORX members.

The report presents the results of the interviews and survey. It includes an overview of current industry practices, proposes definitions, identifies common control data attributes and provides an indication of how an institution can assess its current stage of development.

Background

We’ve been approached by several members since early 2016 with requests to develop some research, and potentially a benchmark, in relation to controls. In particular to support their efforts for a ‘right-sized’ effective internal control environment.

Although specific business practices vary, there is substantial commonality between internal processes, associated risks and corresponding controls.

Why controls?

Controls help an organisation to operate effectively, comply with policies, produce dependable information and conform with regulation. But, they can be costly to implement, operate and monitor. They often drive inefficiency through duplication and unnecessary activity. Furthermore, existing industry research about what works well is limited.

Controls are a priority

Operational risk is changing. Managing operational risk effectively and efficiently is increasingly important. A consistent, enterprise-wide control environment is key to a balanced risk management framework.

Financial institutions are investing more to improve control management. They are also addressing specific risk areas like regulatory compliance and developing related technology.

There is pressure to improve

Pressure to enhance control frameworks is exposing the reality that the discipline of control management is not at an advanced stage of development. So far. investment has had a positive impact on culture and the development of over-arching frameworks.

However, the absence of sufficient external frameworks and guidance has led to practices and terminology evolving in isolation. This means that some areas – such as financial reporting – are more established than others. The less established areas include conduct, third party and data management.

The variation in definitions and approaches has also led to vast differences in the volume of controls considered key, ranging from 500 to 45,000 within this study. This makes it difficult to focus on the most important controls and stretches resources in both operating and monitoring them.

These factors combined are hampering the ability of board members to make positive statements about the overall effectiveness of their control environment.

The industry is moving in the same direction, but at different speeds

Operational risk as a whole is increasingly being seen as an umbrella function, promoting the harmonisation of frameworks, methodologies and systems. This is leading to a better understanding of the importance of controls at all levels and efforts to identify which controls are truly key. It's also improving the quality and accessibility of controls data

Control monitoring is a priority for most institutions and is widespread across the lines of defence. Firms are investing significant time and resource, with techniques advancing beyond sample testing to enable a more nuanced and efficient risk-based approach. Some institutions have invested more heavily and are, therefore, currently more advanced in control management.