By regularly analyzing risk, business owners and executives can better understand and manage the likelihood and potential impact of fraud. In general, there are two types of business risk: inherent and residual. Inherent risk is what exists before management takes steps to mitigate the organization’s exposure. Residual risk is what remains after management has implemented internal controls to reduce and manage threats.
Because no program of internal controls can possibly eliminate all threats, residual risk is always a reality. But there are ways to mitigate it.
4 Types of Internal Controls
Internal controls generally fall under one of the following categories:
- Detective. This type is designed to detect fraud already occurring. For example, you might generate a report that lists checks issued twice for the same invoice.
- Preventive. This control should deter unwanted activities. You might require your accounting department to reconcile purchase orders to invoices before issuing a payment.
- Directive. This type specifies actions to be taken to reach a desired outcome. For instance, your policy might call for blocking payment to a vendor that isn’t in your vendor master file.
- Corrective. This last form intends to correct risky activity uncovered by accident or by an existing control. So you might establish new policies and procedures to replace those that have been ineffective.
The bottom line: Internal controls exist to mitigate risk. Deploying them reduces inherent risk, but typically leaves an organization with some residual risk. You might say that residual risk equals inherent risk minus the impact of internal controls on inherent risk.
Dealing With the Problem
A risk assessment can help your business evaluate residual risk. Experts generally use a risk matrix, a visual tool to depict the likelihood and severity of risk, to identify threats requiring further examination.
Another option for dealing with residual risk is to transfer it to a third party, such as an insurer. As an example, your organization might buy an errors and omissions insurance policy to mitigate the risk of unintentional mistakes that could possibly have been prevented with more robust controls.
Sometimes, however, the cost to deploy additional controls or shift residual risk outweighs the benefit. Although it may be possible to reduce residual risk, installing additional controls may be too costly or add unnecessary administrative red tape that inconveniences employees and customers. In those cases, many businesses decide to allow residual risk to remain.
Contingency and Monitoring Plans
If you decide to leave residual risk, develop a contingency plan to help reduce potential damage. Suppose your business reconciles its bank accounts monthly, rather than daily or weekly. In this case, the residual risk is that you might not discover fraud until several weeks after it has occurred. A contingency plan could help by providing step-by-step policies (such as notify your bank immediately) to remediate any fraud.
It’s also smart to regularly review and monitor residual risk levels. To return to the previous example, if your organization performs reconciliations every month and then decides to increase the number of bank accounts it uses, residual risk may rise to unacceptable levels. At that point, you might want to start conducting reconciliations on a weekly or daily basis. Staying current with industry best practices and compliance standards can further help keep residual risk in check.