Part of a continuous improvement culture means looking at your processes regularly and taking action to improve them, where you can.

One way of looking at your processes is through a risk and internal controls lens.

Risk – these are all the things that might go wrong in your business. It may not make any money, a competitor may put you out of business, your customers may not want your products etc.

And controls – these are those things that you put in place to reduce that risk, such as competitor research, monitoring your profit and loss, sending out surveys to your customers, so you understand what they want.

When I worked in corporate, I worked for a nuclear generating utilities company, and the industry we were in meant that we took risk even more seriously than most. The business was governed by procedures, making sure that risk was reduced as low as possible.

When we brought in new suppliers, we ensured we did due diligence and followed the EU procurement directive, even though as a utility we had no legal obligation to do so. We followed the Prince methodology for project management, and health and safety was put before anything else.

Then we merged with another company to create a larger organisation that generated and sold electricity, bringing with it an accountability link to a parent organisation.

Shortly after, a new assessment process was introduced and a new risk and internal controls corporate function with 12 staff was created. Each of the 2 business units and the corporate function was given the assessment and asked to return the completed assessment before the end of the year.

The assessment took each function within the organisation and identified the general risks to that function. It then stated the activities that should be put in place to reduce the risk to an acceptable level.

If these controls were operating effectively, then theoretically the organisation was doing its best to minimise its risks in all areas of the business.

Within my business unit, my head of function (HoF) was tasked with ensuring that the assessment for the whole business was completed on time and accurately reflected our position. This included 7 divisions and the corporate functions, so it wasn’t going to be an easy task.

Although the organisation was used to reviewing its risks and the controls it had in place to reduce the risk, this was the first time that it had had to review the controls across the whole business in one final document.

Risk Based Approach


My HoF wasn’t sure where to start. A very intelligent person, very creative, very ambitious, but more suited to strategic, blue sky thinking than to how to deal with this very operational problem. Plus, a lot rested on doing this well. A promotion could be on the table, if the assessment process was successful.

So a team was pulled together and we brainstormed different options and came up with a solution that should be robust, but that we knew would take a lot of work.

We asked each process to undertake an assessment that was built up from information gathered from the 8 divisions under that function. This assessment was produced by each function understanding their key risks and the controls that they should have in place to reduce the risk.

The first thing we needed to do was to sell it to the executive team. At first we got lots of pushback: they thought it would be too difficult, too time consuming for the business units, and wouldn’t be cost effective.

Finally we succeeded in persuading them that this was the best way to assess our controls. After all, if we work with the people that are doing the job to assess how well the controls are working, then we are able to accurately understand how well the control is working.

Then we had to go to each of the divisions, who also said it was too difficult and would have an impact on their productivity. So, we spent time explaining the value that the assessment would provide, and that the review would highlight where they needed help, rather than be used as a stick to hit them with.

They finally agreed, albeit reluctantly, and we started the assessment, using mature processes where we could, so that we could get the buy-in of the organisation. We communicated regularly with the executive and divisions. We created a system and structures which were easy to follow, and minimised the time it would take them to do the assessment, while still adding value.

I spent many hours, days and weeks working within the organisation to take the divisions through the process, to demonstrate the value and to make sure that the right people were involved in completing the paperwork.

It was hard work, but when it was finally done, it was to a high standard. The divisions had taken the task seriously and as they went through the process, they realised that it was a great way to understand what could go wrong, as well as identify the things they had in place to reduce that risk. Having quantifiable evidence in place meant that they were also able to lobby their management teams for more resources, where they could demonstrate the benefit would outweigh the cost.

I then took all the information and used it to produce a business unit report, which my HoF then used to create a high level presentation of the results to show the executive.

They loved it. It went to our CEO, who also loved it, and loved the fact that there was a level of detail behind it to demonstrate the accuracy. The other thing he loved was that we did all of this with just 2 full time staff.

So an overhead cost of 10 staff was absorbed into the organisation, our HoF got promoted and a new, more streamlined risk and internal controls team was formed.

We spent the next 12 months tracking the improvements and embedding the self assessment process into the organisation by introducing rinse and repeat solutions, so we knew that they’d get done, even if we moved on.

It doesn’t matter how big or small your business is, you will still be faced with risks and will need to implement controls to manage those risks.

An internal controls assessment is a great way to map out and review your risks, to understand what controls you have in place, and how well they’ve been implemented. You can identify what is working and where you need support to reduce those risks early.


And you don’t have to be big to be worried about your risks. All companies face risks every day. Are you going to earn enough to pay the mortgage? Do you have the right insurances in place? Do you have all your legal obligations covered, etc.?

Once you have identified your risks, think about what controls you have in place. Have you put all your eggs in one basket, so that if you lose that big client, you just don’t know what you’re going to do? Or have you made sure that no one client makes up more than 40% of your client base? Have you got public liability insurance, just in case something goes wrong?

Identify all the risks to your business and the controls you think you should have. Then review your business: which ones have you got in place? Which ones do you need to improve, and which ones have you not even thought about until now?

Make sure you know your strengths. Don’t try to do everything yourself. If you don’t have the expertise and the risk is important enough to mitigate, then reach out to someone who does have the knowledge and know-how to implement the controls.

I can’t help you with everything, but I can help you implement a risk and controls assessment and identify the actions that could help your business grow.

I will get your systems and operations in order before offering my experience on how to simplify your workflows, so that you can have a more structured, simplified and streamlined business.

If this sounds like something you want to take advantage of, then contact me HERE