The problem with control self-assessment
I've done a lot of work in developing metrics for control self-assessment and designing benchmarking protocols, so it's not unusual that I find myself in conversations about such things. Truly. I was talking recently with a friend about control effectiveness self-assessment in risk management. My view (and his) was that they are fine if you do them regularly (e.g., monthly or quarterly) as part of your internal reporting.
But they introduce their own level of risk if they go to outside organizations that rely on them. Particularly for large organizations reporting to the Board or parent companies. This includes, perhaps especially, government departments reporting to their Minister or to Government.
My friend related a comment that a Chief Risk Officer had made to him regarding a self-assessment sent outside an organization: "Omission is a form of risk reduction."
Risk in this instance presumably refers to the reputation of the organization. I suggested the main risk being managed was probably personal career risk. To the detriment of the organization.
My view is that honesty is the best policy. It's critical, in fact, for the organization. And your long-term credibility. At least for those of us who care about such things. You won't manage what you don't know. And your organization won't put resources into what seems to be going well. It's great if things are going well. Report that honestly, too, and take the credit where it is due.
But too many organizations wallpaper over the cracks. Until it all comes unstuck, and then they restructure, review, or reorganize.
It reminded me of the story of the three envelopes. A business classic for dysfunctional management, particularly so in large organizations.
It starts with an incoming manager replacing a recently fired outgoing manager. On his way out, the outgoing manager hands the new manager three envelopes and remarks, "When things get tough, open these one at a time."
About three months go by, and things start to get rough. The manager opens his drawer, where he keeps the three envelopes, and opens envelope number 1. It reads: "Blame your predecessor." So he does, and it works like a charm.
Another three months pass and things are growing difficult again, so the manager figures to try #2. It reads: "Reorganize." Again, his predecessor's advice works like magic.
Finally, about nine months into the new job, things are getting really sticky. The manager figures it worked before; why not try again? So he opens the envelope drawer one last time and opens #3. It reads... "Prepare three envelopes."
You can view the restructuring of Arthur Andersen into Accenture as an extreme example of three envelopes, with managers taking their quarterly bonuses and 'damn the torpedoes'. But mainly it was caused by ethical failures and, much like Enron, involved deliberately deceptive or illegal practices.
Then again, you can read any number of cases where it actually does work, and shareholders or, more typically, taxpayers have been the insurer of last resort. Bailing out organizations that practice 'omission is a form of risk reduction' is almost a national sport in some parts of the world.
I'm working on an article on control self-assessment and a practical course on control effectiveness. If you subscribe, I'll let you know as soon as it comes out.