Taking control has long been a function of planning, design, ownership and culture. More than 30 years ago, 马克德龙, then the chief internal auditor of a national bank, said, “There is no substitute for control-conscious management, and we have one.” This sentiment was echoed recently at a presentation to the Chicago Fed's annual risk conference when the president of a well-known bank stated, “We expect and direct our teams to take risks every day—we make it our business to accept carefully defined and measured risk in order to profit from our deposit and credit businesses.”
Both of these leaders not only demonstrated understanding of the importance of a balanced approach to risk and controls; their words also underscored the fundamental nature of a clearly defined risk appetite. Across today's business landscape, audit and risk management professionals emphasize the criticality of controls awareness and sensitivity, while governance has progressed from a predominantly change-control focus to a more engaging approach for owners, stewards, producers and consumers. To strengthen controls within an organization, the following seven methods should be executed:
1. Set your sights on the end-to-end landscape.
Scoping governance is a daunting task best accomplished using management-defined risks to narrow the focus and establish priorities. Although small, midsize and large enterprises all face similar risks across their operational, management and executive functions, the differences are usually defined by industry rather than size. Developing management controls and governance support requires a sustained set of activities that produce timely insights into intended business risks and those that occur beyond this threshold.
2. Build the environment.
Once risk appetite has been determined, appropriate measures (e.g., key risk indicators) can be adopted, along with a matrix of risks and controls. This integrated approach allows for operational risks and controls to be parsed and addressed across manual processes, external services and automated systems, which is essential for change control over critical master and reference data as well as complex ERP and performance management systems.
3. Use technology to enable processes.
As companies continue to move toward making their business processes more digital to remain competitive, internal controls should be continually evaluated to ensure they can keep pace. In addition to staying apprised of emerging risks such as new cybersecurity threats, cloud computing and automation tools, companies should employ technology to both test controls and enhance their performance.
Organizations that have been leveraging data analytics and governance, risk and compliance (GRC) tools to evaluate full populations of data and monitor key risks are now looking to leverage these tools in all aspects of the audit cycle, including using data analytics to predict risk events before they occur. Leading-edge risk departments are also beginning to leverage automation tools to perform manual, time-intensive tasks, such as testing Sarbanes-Oxley (SOX) compliance.