Capturing accurate performance data that gives a true picture is difficult

Most of the companies with which we work conduct regular risk audits. Whilst companies recognise the need to review their risk posture, to assure themselves that the range of measures they have put in place is delivering its intended effect and that the company’s policies and procedures are being followed, their approach varies significantly. The quality of the performance data they obtain is also variable, and the picture it gives of the effectiveness of their risk mitigation can, by their own admission, be an unreliable one.

Most risk audits are conducted through a site visit and recorded manually…

In many instances, corporate heads of risk and compliance will, depending on the size of the organisation and the nature of the audit, rely on their own teams to conduct an internal audit. The audit will often consist of a programme of site visits, during which a member of the audit team may use an internal checklist against which the site’s level of compliance is judged, to which a written assessment recording any observations may also be added. The report is then processed manually according to the company’s own internal processes, and the data obtained may be recorded on a centralised Excel-type spreadsheet. The programme of visits and their frequency will depend on the number of auditors available and on the number of sites to be visited together with their complexity, which in turn determines how long each visit takes and how long each report takes to complete. Some sites may have their own dedicated auditor, in which case audits are more easily managed, as those sites are required to assess and record their own level of compliance.

…or use subject matter specific software

In some instances, bespoke software designed to audit a specific area of risk, such as health and safety, is used. But the data captured relates only to that one area of risk and won’t cover other areas of potential risk, such as security or fire.

If a business has multiple sites, there can be a reliance on a third-party auditor

Many organisations have an extensive estate that can run to many sites of varying size and complexity, both in the UK and internationally. For these organisations, there can be a reliance on third-party suppliers to deliver part or all of the audit function; indeed, in some instances more than one supplier is involved. These third-party suppliers may be required to use the organisation’s compliance criteria, if they exist, or may use their own criteria and judgements, based on the experience of their staff, to produce written reports which are then submitted to the corporate audit team.

Why are accuracy and consistency so difficult to achieve?

So why is it apparently so difficult for corporate heads of risk and compliance to measure, accurately and consistently, the effectiveness of the measures that are in place and for which they are responsible? There would appear to be several factors.

Poor quality data and inconsistent report writing

The first relates to the quality of the data and of the information that is being produced. Even when an organisation uses a standardised Excel-spreadsheet approach, unless the spreadsheet is always completed by the same people, inconsistencies in the way the data is recorded are common; and even when it is completed by the same people, inaccuracies are common. Where a standardised checklist approach is not used, and reliance is placed instead on a written report and someone’s judgement, the quality and content of the report can vary widely. That variation becomes even more acute where more than one provider is used and there is no consistency in either their approach or the format of their reports.

The cost of annual audits can be prohibitive and Covid has made them more difficult

The second relates to the time and cost involved in manual audits. Unless some form of standardised self-assessment is used by an onsite audit team, most audits involve a site visit. These can be resource intensive, especially if the site is large and complex and more than one person is required to cover the ground, and expensive if a third-party supplier is required. Covid, and the disruption caused by multiple lockdowns, has exacerbated these difficulties. As a consequence, not all organisations have been able, or will be able, to conduct an annual audit of every site. They may choose instead to have a rolling inspection plan in which all sites are visited over a two- to three-year cycle, accepting that organisationally they will have to carry an element of risk between visits.

Capturing all relevant data and making sense of it can be very difficult…

The third relates to the difficulty many corporate heads of risk and compliance have in manipulating the data that has been collected and making sense of it. If a centralised spreadsheet approach has been adopted, then the results from each site, along with any data collected using bespoke software, need to be entered manually and interpreted before any judgement can be made about how much risk the organisation may be carrying across its estate. Trends or failures in organisational performance, and the need for improvement, are therefore harder to discern. These difficulties are magnified if the organisation relies on written reports, whether generated internally or by a third-party supplier, because the written reports must be assessed and synthesised into some form of overarching report. Moreover, in many organisations risk relating to, for instance, IT systems, HR and security sits with different corporate departments, which makes it more problematic to integrate all the risk-related data that has been captured and more difficult for the organisation to get an enterprise-wide view of the range of potential risks and vulnerabilities it may be carrying.

…As can making sense of a change in the threat level

Finally, the manual systems that are often in place make it difficult for organisations to understand quickly, and with any degree of precision, what impact a change in the local operating environment might have on their risk profile. Whether an organisation stores its risk-related data in a centralised spreadsheet or relies on written reports for each of its sites, the consequences of any change are difficult to gauge and will require either all the recorded data to be adjusted manually or the sites to be revisited and reassessed. Both can be time consuming and expensive.

The solution is to use a digitised, secure self-assessment system that addresses all aspects of risk in a multidisciplinary approach making your business safer, more secure and more successful

Citadel provides a scalable and consistent approach to risk management across your enterprise. Data is captured efficiently and effectively, saving you time and money whilst delivering a single, complete picture of your business’s vulnerabilities. Areas of potential risk or non-compliance are identified, and the integrated Risk Register presents a unified risk picture that enables rapid action to prioritise and mitigate any risk that cannot be tolerated.