Is it better to sell a prevention or a cure? From a marketing standpoint, there is likely more money to be made selling cures. People would rather not attend to the many risks in their lives that may not materialize — after all, where does one begin? — but once a contingency does manifest itself, the same people are willing to pay great sums for cures.
The world of a finance professional is different. Some of our core functions include thinking, planning, and communicating about risk. We do not have the luxury of taking a “wait and see” approach toward managing risk. We have to be proactive about foreseeing risks and planning accordingly. We think in terms of broad categories, such as regulatory and legal compliance risks, IT-related risks, political risks, market risks, credit risks, and more.
Finance professionals measure the extent of our organizations’ exposure to risks and help guide senior management in assessing the best way to effectively expose our organizations to risk and at the same time manage risks. After all, if an organization is not taking risks, it might as well shut down because it cannot grow or produce a return on investment.
Part of an auditor’s evaluation of an organization is in terms of internal controls, how they are documented, how they are communicated, how employees are trained in them, and so forth. Controls are designed to prevent fraud and material misstatements of financial results, as well as to ensure effectiveness in carrying out management’s objectives.
Here are three types of controls to consider in your organization:
- Preventive — Some of the best controls prevent fraud, theft, misstatements, or ineffective organizational functioning. For example, we saw in a previous post the effectiveness of segregation of duties to prevent fraud. Preventive controls can be as simple as locks and access codes to sensitive areas of a building or passwords for confidential information.
- Detective — A security camera is a good example of a detective control. A store manager who notices a pattern of a cash drawer coming up short when attended by a particular clerk can easily look at video of the clerk’s actions throughout the day to detect potential theft. An access log and an alert system can quickly detect and notify management of attempts by employees or outsiders to access unauthorized information or parts of a building.
- Corrective — Coupled with preventive and detective controls, corrective controls help mitigate damage once a risk has materialized. An organization can document its policies and procedures, enforcing them by means of warnings and employee termination when appropriate. When managers wisely back up data they can restore a functioning system in the event of a crash. If a disaster strikes, business recovery can take place when an effective continuity and disaster management plan is in place and followed.
Think in terms of preventing, detecting, and correcting risks of fraud, theft, ineffectiveness, and breakdown. The world is full of risks, and problems tend to strike suddenly and unexpectedly. Cures are great, but if you rely on finding a solution once a risk has already materialized, you might find that your lack of planning has made the risk unmanageable.