The control system

15 January, 2016 - 09:50

This approach to risk management rests on an indissoluble connection between risks and controls. Most current control systems recognize risk as a part of corporate governance that has to be:

  • continuous, integrating control in the decision-making processes;
  • pervasive, spreading risk management across all decision-making levels;
  • formalized, through the use of clear and shared methodologies;
  • structured, through the adoption of suitable organizational solutions.

The control system has traditionally been a reactive response to adverse events, fragmented across different areas and applied only occasionally. From its standard scope, generally limited to financial risks or internal audit, it has to evolve towards a proactive, continuous process that is results-oriented and carries widespread responsibility. The challenge for management is to determine a sustainable amount of uncertainty in order to create value in relation to the resources assigned, facing a cost-benefit trade-off in which the marginal cost of control is not greater than the benefit obtained.

The main components of the control system can be summarized as follows:

  • control environment: this is the base of the whole system of controls, as it determines how sensitive management and staff are to the execution of processes. The elements that constitute this environment are the adoption and dissemination of codes of ethics and values, policies and management style, the definition of a clear organizational structure and responsibilities (including specific internal control bodies), and the development of the professional skills of human resources;
  • control activities: this is the operational component of the control system, configured as a set of initiatives and procedures to be executed, on both processes and interfaces, to reduce business risks to a reasonable level and ensure that targets are achieved;
  • information and communication: a structured information system at all levels enables control over processes by recomposing flows managed by different subsystems and applications that need to be integrated. Adequate information, concise and timely, must be provided to allow the execution of activities, the assumption of responsibilities and monitoring;
  • monitoring: this is the continuous supervision and periodic evaluation of the performance of the control system. The scope and techniques of monitoring depend on the results of the risk assessment and on the effectiveness of the procedures, in order to ensure that controls are in place to reduce the risks efficiently.