Good internal controls start with a full risk assessment, and these controls should be introduced and amended on an ongoing basis to respond to changes in the risk profile as appropriate. Having risk awareness and risk systems embedded in the organisation implies a number of things.
It means that risk management is included within the control systems of an organisation. An example is the company’s budgetary control system, which will need to reflect the risk metrics of the embedded system.
When risk is embedded, the budgetary control and reward systems recognise the need for risk awareness by including risk-related metrics. Because embedded risk is interconnected with other systems, risks must be taken into account before other internal controls will work effectively. A given job description, for example, might include a particular risk check which is then assessed annually in the job-holder’s appraisal. This would typically form part of an operations manager’s job description where, for example, the accident rate could be a metric built into his annual appraisal.
In an embedded risk system, risk is not seen as a separate part of internal control but is ‘woven into’ other internal controls and is a part of the organisation’s culture. The cultural norms in the IT department, for example, would include an implicit understanding that sensitive data is not transferred to portable laptops and that laptops are not left in unattended cars. This is part of what makes embedded risk systems taken for granted once they are woven into the culture.
Finally, the management of risk is ‘normal’ behaviour at all levels. Behaviour concerned with risk management is never seen as ‘odd’ or ‘interfering’, but as much a part of normal business activity as trading and adding shareholder value.