Risk and Internal Controls

There are numerous definitions of risk and internal control.

Ultimately, risk in an organization is unintended loss of assets or underperformance. The causes of these risks are conditions or events that may or may not be controllable. Loss of assets, ultimately cash, can be caused by intentional or unintentional acts or failures to act, or human error. It is noteworthy that automated system errors are rooted in intentional or unintentional human error in programming or interfacing. Underperformance can be driven by operational disruption, reputational harm, human failure, or failure to capitalize on opportunities.

Conditions or events that cause risk originate both internal within and external to the organization:

  • Errors (unintentional discrepancies)
  • Irregularities (intentional discrepancies also known as fraud)
  • Variability (natural and expected in any process)
  • Unusual and Infrequent Events or Variations
  • Opposing Interests (competitors, business partners, employees, stakeholders)

Risk is controlled (not eliminated) by:

  • Preventing conditions or events
  • Detecting the occurrence of conditions or events either:
    • in time to reverse or reduce the impact, or
    • to take corrective action to recover or reduce the impact

Most risk is not fully controlled or controllable, and therefore “residual risk” remains in any system of internal control. The day to day risk, control activities, and residual risks are managed throughout the organization while significant organizational risk is managed at the higher levels. University administration, the Board of Trustees and the State of Illinois have the prerogative to determine the overall acceptable level of risk that remains uncontrolled, or residual risk, as well as significant individual residual risks

In a nutshell:

Risk is the chance that something bad will happen, measured jointly by likelihood and significance.  “Something bad” is either an unintended loss or expense, or an obstacle to achieving a mission, purpose, or objective. An internal control is something that helps reduce riskRisk cannot practically be eliminated so University administration and auditors have to take a cost/benefit view of the nature and extent of internal controls. An organization’s vision, mission, and objectives need to be established before risk can be fully assessed and managed through a system of internal controls.