“Risk comes from not knowing what you are doing.” – Warren Buffett
A risk management framework is an ongoing process of recognizing, evaluating, and managing risks in an organization. A control self-assessment is a crucial part of a risk management framework. Used wisely, it can be a powerful tool for profiling the company’s risk environment and existing processes.
The key benefit of the assessment process is uncovering hidden risks, which can inform decisions and contribute to achieving a company’s strategic goals. Typically, a control self-assessment involves a questionnaire completed by staff within the assessed business unit(s).
Self-assessments present opportunities for process owners to offer open and honest feedback, which can uncover unknown risks and potential blind spots of the leadership team.
Self-assessment tools are particularly useful in organizations with active acquisition strategies, multiple locations/branches, and decentralized processes.
Tools and Execution
- Tailored Questions: Questionnaires can be customized based on risk level. Depending on the desired response, questions can be set up as yes/no, multiple-choice, open-ended, or requiring documented support. This streamlines the review and reporting process.
- Technology and Reporting: Efficient, automated survey tools, such as Microsoft Forms, can track user responses until 100% completion is reached. These tools also support data reporting and visualization, giving a holistic picture of the results that informs decision-making.
- Identifying Trends and Heightened Risks: If self-assessments are completed periodically, responses can be baselined to identify trends in shifting risks, including new and heightened risks.
Accountability and Policy Reinforcement
- Compliance with Regulations and Policies: Answers may reveal potential compliance issues with regulations or policy standards that can be preemptively addressed.
- Accountability: The self-assessment can include a formal acknowledgment that users have read and understand policies, emphasizing critical points.
- Onboarding: Self-assessments can assist in onboarding new employees, reinforcing training and key policy items.
Utilizing Results
- Risk Awareness and Identification: Employees can readily identify risks they encounter in their day-to-day duties, which might not be known to management. This can also reduce the risk of fraud by flagging unusual responses.
- Monitoring Key Risk Indicators (KRIs): Answers can be evaluated against key risk indicators and compared to the company’s risk appetite to ensure alignment.
- Best Practices and Comparative Analysis: A self-assessment allows employees to share best practices that can be evaluated and applied to other locations or business units. Responses can also be compared to identify similarities and differences, and to show where greater consistency might be beneficial.
- Feedback on Processes: Employees can submit (potentially anonymous) feedback on key processes, including gaps and issues caused by processes they do not own. It also lets employees weigh in on whether key policies need to be refreshed.
- Business Objective Awareness: Self-assessments often align with critical business objectives, providing additional support for these initiatives.
- Internal Audit Supplement: The assessments complement periodic location/branch audits and support an annual risk-based internal audit plan. Responses help to ensure that testing procedures address the highest-risk items and identify the need for one-time process audits.
Reach out to the Schneider Downs Risk Advisory team to learn about our tools and templates for risk assessment and other processes, or to see how a control self-assessment can benefit your organization.
About Schneider Downs IT Risk Advisory
Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is not only to understand the risks that could cause loss to the organization, but also to drive solutions that add value and to advise on opportunities that minimize disruption to your business.
To learn more, visit our dedicated IT Risk Advisory page.