
Methodological proposal for risk management


Anonim

The following is a risk management methodology that aims to achieve objectivity in risk assessment, allowing the control, monitoring and evaluation of risk management on an objective basis. It will also allow an objective evaluation of the efficiency and effectiveness of the Internal Control System.

For its preparation, the various "schools" of risk management, statistics, probability theory, measurement scales and statistical quality control have been studied. Likewise, the concept of risk has been studied and a more functional, operational, "grounded" concept has been adopted, which allows the objective assessment of its probability and impact, as well as of the factors that determine it.

Although some people might think that this methodology is "ideal" and agree with the methodologies adopted in Colombia, such as that of the Administrative Department of Public Function, or that proposed by the Standard Model of Internal Control, it is necessary to consider whether it is worthwhile to make a "Risk Management" effort that does not yield objectively controllable, evaluable, verifiable results that allow valid opinions on the efficiency and effectiveness of Internal Control. This criterion must be applied to the entire Internal Control System, which sometimes uses ethereal concepts, inadequate measurement scales, and subjective estimates or assessments to conclude on "the efficiency and effectiveness" of the Internal Control System, without having studied the input-output relationship or the achievement of the desired effect on the proposed goal of reducing non-conformities.

Therefore, I invite you to put this “ESTRELLA” methodology into practice and verify the continuous improvement of quality and the entity's approach towards the principles of the Quality Management System.

1-Concepts:

Quality: set of agreed, adopted and objectively verifiable characteristics that the partial or final result of a process must have.

Non-conformity: failure to comply with any of the quality characteristics, objectively verifiable, by the service or product generated by a process, or any of its partial results.

Risk: Probability of presence of non-conforming products or services and their impact on different variables of the company.

Probability: the percentage of non-conformities. It must be expressed on a scale from 0 to 1, although sometimes it could be expressed as the number of non-conformities per hour, day, week, month, year…

Impact: it is the sum of costs, expenses and reduction of profits generated by the presence of the level of non-conformities.

Control: management element composed of the set of elements and activities that guarantee the fulfillment of the proposed objective or goal. It contains the following elements:

  • Norm, standard or measurement.
  • Instrument and mode of measurement.
  • Comparison between the characteristic measurement result and the norm.
  • Evaluation of the degree or amount of deviation, causes, possible solutions and issuance of a rating on a scale appropriate to the process or activity.
  • Implementation of corrective and preventive actions in the process, if necessary.

Control is carried out within the framework of a given organization, with its structure, functions, relationships, institutional culture….

Reduction goal: it is the percentage number of non-conformities to be reduced or the level to be achieved in a period of time.

Efficacy: it is the achievement of the desired effect; it must not be confused with the fulfillment of activity goals, actions, tasks or objectives.

Control effectiveness: it is the achievement of the reduction of non-conformities of the partial or final results according to the previously set goal.

Efficiency: it is the relationship between the inputs (time, materials, labor or manufacturing load) and the amount of product generated. This type of efficiency is considered technical efficiency; however, if we relate the value of the inputs to the value of the product generated, we obtain the level of economic efficiency.

Control efficiency: it is the relation between input-results of the control system, which allows setting cost minimization goals for a certain level of non-conformities of a process, sub-process, or activity.

Macro process: set of related or integrated processes that contribute to the generation of a result.

Process: set of sequential or integrated activities that contribute to generate a product or service.

Activity: is the set of related or integrated actions that contribute to the partial realization of the product or service.

Action: it is the execution of a task that generates value in the service or product in process.

Elements of a process:

The process must contain formal and material elements as follows:

Formal: formal adoption, by act of the administrative authority of the entity, socialization.

Materials or real:

Inputs or requirements clearly and precisely determined with their corresponding requirements or quality characteristics.

Clearly defined and sufficient actions and activities.

Clearly defined partial and final results with their corresponding objectively verifiable quality characteristics.

Control elements or actions that objectively demonstrate their effectiveness in reducing non-conformities.

Responsible.

Risk classes:

Inherent risk is the "normal" or "acceptable" level of nonconformities given a state of development of inputs, technology and level of human dexterity. This risk is reduced with the scientific technical advance in the factors that determine the quality of the product.

Control risk: is the probability of error or failure of the control mechanism, which generates the conclusion of accepting a process as controlled, when the level of non-conformities exceeds the level of inherent risk or of considering an uncontrolled process, when in reality the level of non-conformities is less than or equal to the level of inherent risk.

Audit risk: it is the probability of judging as correct a level of non-conformities resulting from a process and its controls when in reality the level of non-conformities exceeds the acceptable limit, or of concluding that the level of non-conformities is not acceptable when it really is less than or equal to the inherent risk.

2- Risk management

Management consists of identifying and assessing risks, prioritizing, finding the appropriate control mechanisms to face and keep the level of probability and the value of the impact under control, according to the entity's policy.

Risk management policy can determine, reduce, share, or assume risks, depending on the immediate impact on the company's finances and image.

3- Identification of risks

Process for detecting the level of non-conformities, according to the quality characteristics adopted for the partial and final products or services of the company, or the goals defined objectively. It is not enough to meet and sit down to discuss all the "risks" or factors that affect the results of the entity. There must be documented data on the level of non-conformities through all the steps of the process, from the reception of the inputs to the final result. If the information does not exist, the mechanisms to obtain it must be adopted and implemented as a prior step.

4-Risk assessment

The assessment must be made by determining the level of probability of historical occurrence of non-conformities and their impact on the entity's finances. The appropriate measurement scale is a ratio scale, which adopts values from 0 to 1 for the probability and from 0 to infinity in money for the impact. This does not exclude that, as an exception, a risk that is "high" in impact can on rare occasions be accepted.

Put plainly: adopting high, medium and low scales is not useful or operational, and does not allow the control, monitoring or evaluation of the effectiveness and efficiency of the control, if those scales are not accompanied by the precise data, that is, the probability from 0 to 1 or the value of the impact in money.

Levels:

Macroprocess: at this level we will determine the number of non-conformities in percent or by period of time and their impact on money.

Process: in each of the processes we will also determine the probability and impact of the results on services or products.

Activity: if it produces characterized and evaluable partial results, it must allow the determination of the number of non-conformities per period or as a percentage.

Factors: taking into account that the process can be affected by negative factors that prevent compliance with the standards, the factor, its effect in the presence of non-conformities and the monetary value of its impact will be determined. Among the factors we have inputs, machines, labor or human factor, administration, environment, measurement and in general those accepted by industrial engineering.

The process will contemplate the sum of the impacts in money and the amount of non-conforming products expressed in probability, originated in the factors that affect the level of performance of the same process. Likewise, the Macroprocess will comprise the sum of the non-conformities expressed in probability and their impact expressed in money, originated in the processes that comprise it.

5-Controls, cost and their effectiveness

Once the risks have been clearly and objectively identified, controls that guarantee the reduction of probability and impact are adopted. Next, the cost of the applied controls should be established starting with the lowest level, that is, control actions; these costs are then added up to determine the cost per activity, which in turn allows the cost per process and per Macroprocess to be established.

5- Acceptable non-compliance goals

The non-conformity goals will seek continuous improvement and will be adopted by determining the target probability level and the target monetary impact of the non-conformities.

Until now, none of the risk management methodologies includes goals on a probability scale and in money that allow control, monitoring and evaluation of the controls and the internal control system of the entities.

6-Control, monitoring and evaluation of risk management

It is necessary to specify that without this measurement we cannot comment on the economic efficiency of the control; we could only comment on generalities such as "Three actions are required to reduce the number of non-conformities to 2 per thousand", which does not give precise knowledge of the efficiency of the control.

Efficacy can be verified by checking whether the impact reduction goals and probability levels have been met. If the probability level is reduced by the adopted goal and other economic factors have not changed, it is sufficient to assess the effectiveness level by dividing the achievement value by the goal level.

The risks could be identified in a spreadsheet with the following characteristics in columns and rows:

Macroprocess name and person in charge.

Number of non-conformities of the Macroprocess and impact

Process name and person in charge.

Number of non-conformities of the process and impact

Activity name and person in charge.

Non-conformities of the activity and its impact.

Actions

Non-conformities of the action and its impact.

Factors that affect the non-conformity of the action.

Value of the probability of occurrence of the factor.

Impact value of the factor.

Control mechanisms for the factor.

Cost of control mechanisms.

Probability value after control mechanisms (goal)

Impact value after control mechanisms (goal)

Responsible for the activity or action.

The rows would be:

Rows for each of the factors affecting the activity or action, if that level was reached.

The above would be integrated into an activity row.

The set of activity rows would comprise a process row.

The set of process rows will integrate a Macroprocess row.
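An added example (not part of the original article): a Python roll-up of the factor rows described above into activity, process and Macroprocess rows, with effectiveness computed as achievement divided by goal. The sample rows, the function names, the reading of "achievement" and "goal" as probability reductions, and the reading of control efficiency as impact removed per unit of control cost are assumptions.

```python
from collections import defaultdict

LEVELS = ("macroprocess", "process", "activity")
FIELDS = ("p_before", "impact_before", "control_cost",
          "p_goal", "p_after", "impact_after")

# Constructed sample data: one row per factor. Probabilities are shares of
# non-conforming output on the 0-1 scale; impacts and costs are in money.
ROWS = [
    ("Billing", "Invoicing", "Data entry", "human factor",
     0.040, 8000, 1500, 0.020, 0.025, 5000),
    ("Billing", "Invoicing", "Data entry", "inputs",
     0.010, 2000, 500, 0.005, 0.005, 1000),
    ("Billing", "Invoicing", "Printing", "machines",
     0.020, 3000, 1000, 0.010, 0.010, 1500),
    ("Billing", "Collection", "Reminders", "administration",
     0.030, 6000, 2000, 0.010, 0.020, 4000),
]

def roll_up(rows, depth):
    """Sum factor rows to depth 3 (activity), 2 (process) or 1 (macroprocess)."""
    totals = defaultdict(lambda: dict.fromkeys(FIELDS, 0.0))
    for row in rows:
        key = row[:depth]                      # e.g. ("Billing", "Invoicing")
        for name, value in zip(FIELDS, row[4:]):
            totals[key][name] += value         # the article's rule: plain sums
    return dict(totals)

def effectiveness(t):
    """Achieved probability reduction divided by the reduction goal (assumed reading)."""
    goal = t["p_before"] - t["p_goal"]
    if goal <= 0:
        raise ValueError("no reduction goal set for this row")
    return (t["p_before"] - t["p_after"]) / goal

def efficiency(t):
    """Impact removed, in money, per money unit spent on controls (assumed reading)."""
    return (t["impact_before"] - t["impact_after"]) / t["control_cost"]

def report(rows):
    """One tuple per activity, process and macroprocess row."""
    return [(LEVELS[d - 1], " / ".join(key), round(t["p_after"], 4),
             t["impact_after"], round(effectiveness(t), 2), round(efficiency(t), 2))
            for d in (1, 2, 3) for key, t in roll_up(rows, d).items()]

if __name__ == "__main__":
    for line in report(ROWS):
        print(line)
```

An effectiveness below 1 at any level means the probability goal was missed there, and the activity rows show which factors account for the shortfall.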

Bibliography

Standard Model of Internal Control, Colombia.

Risk Management Methodology, Administrative Department of Public Function, Bogotá Colombia.

General Systems Theory, a new approach to the unity of science. Bertalanffy.

Fundamentals:

Measurement scales.

Statistical Quality Control.

The Deming principles.

Control theory.
