The IMS-Smart philosophy

IMS-Smart is a management philosophy for establishing, implementing, maintaining and continually improving systems of internal control in conformance with the principles of sound corporate governance.

Internal control and corporate governance

Internal control is the means by which an organisation marshals its resources to achieve its objectives, and there are two parts to it:

  • the parts for doing the job
  • the parts for doing the job the way the boss wants it done.

The latter part is often referred to as the controls, and there are numerous standards, regulations and codes of practice for dealing with it. However, without the first part an organisation would be incapable of meeting its objectives, let alone managing its risks along the way.

All organisations have a system of internal control, whether the formal systems of large corporate organisations or the style of simply doing what the boss says in very, very small organisations. Regulations for corporate governance unanimously call for a sound system of internal control, so the question is not whether an organisation has such a system (as we have said, they all do) but whether it is any good.

A sound system of internal control

At the heart of a sound system of internal control will be a means to establish, police and improve that system. This is evident in the advice given by the UK Auditing Practices Board to UK listed companies in the wake of the first Turnbull report on corporate governance. In that document the Board advises that those responsible for establishing, as well as those auditing, an organisation's system of internal control must first understand the organisation's mission and its business objectives. They can then identify the business risks and determine which of them are applicable. Internal controls are then established to manage those risks, and their effectiveness should subsequently be the subject of regular review. This review feeds back to the start of the analytical process, i.e., the mission statement, closing the loop.

A diagram of this loop aids understanding of how the various components of internal control link together, and the feedback path is fundamental to the achievement of continual improvement. It is customary to refer to such an engine as a management system. It should be borne in mind, however, that a management system is in reality a management capability, albeit one supported by documentation and records, perhaps in conformance with one or more management system standards.

IMS-Smart has such an architecture. It is somewhat more sophisticated than this simple Auditing Practices Board model and covers both parts of internal control, i.e., the parts for doing the job as well as the parts for doing the job the way the boss wants it done.

Risks

What risks should be of concern to the board? The answer is all those that could prevent or impede the organisation from succeeding in its mission. The risks themselves are many and varied: they might concern failure to win business, regulatory infringement, pollution, health and safety issues, fraud and so on. Risk is often measured in units of money and time. If the frequency or likelihood of an impact occurring is high, as is often the case when IT is involved, the usual recourse is preventive controls. Otherwise detective controls, as are often found in accountancy systems, may be sufficient, provided the detection comes early enough to act on. It is also prudent to consider those infrequent events that could have a major impact. This is where business continuity (reactive controls) plays a major role, and 9/11 is a case in point. Above all, what is needed is an approach to risk assessment that possesses a number of qualities:

  • It is holistic, covering all aspects of an organisation’s business
  • It is presented in meaningful business terms and is understandable by the board and senior executives
  • It facilitates the identification of all necessary preventive, detective and reactive controls
  • It ensures that there is at least one control which has the objective of detecting when a non-applicable risk transitions into an applicable risk
  • It permits actuarial data, obtained for example from incidents, exercises, tests and audits, to be used as a means to determine the effectiveness of the controls.

IMS-Smart does all of this and in particular uses a "tell it like a story" approach to presenting the results of the risk assessment/risk treatment process.

Rewards

As we said in the introduction, without the first part of internal control, the parts for doing the job, an organisation would be incapable of meeting its objectives. Not only is this part of internal control embraced by the IMS-Smart architecture, but IMS-Smart has a process, exactly analogous to the risk assessment/risk treatment process, called opportunity exploitation for dealing with reward, i.e., the cumulative benefit from exploiting opportunities in the course of pursuing the organisation's business objectives.

Effectiveness

An effective system of internal control detects both opportunities and events in sufficient time to do something positive about them. In the case of opportunities, the objective is to exploit them to create a benefit, and thus cumulative reward, before the window of opportunity expires. Likewise, in the case of events, the objective is to prevent the occurrence of an impact and thereby to reduce risk. IMS-Smart uses its time theory and an understanding of the properties of controls to ensure that this is done.

Management system standards

There are currently a whole host of management system standards, e.g. ISO 9001 (quality), ISO 14001 (environmental protection), OHSAS 18001 (occupational health and safety), ISO/IEC 20000 (IT service management), ISO 22000 (food safety), ISO/IEC 27001 (information security) and ISO 22301 (business continuity). Each of these forms a projection of some aspect of the overall system of internal control. Viewed together, these standards exhibit a significant overlap, and that overlap corresponds for all practical intents and purposes to the continual improvement engine in the IMS-Smart architecture.

The significance of this is that IMS-Smart provides a means to factor out the controls that relate to one or more management system standards from an organisation’s system of internal control, and represent them in such a manner as to demonstrate conformance with those standards. This approach is quite distinct from the more traditional approach of trying to knit independent management systems together.

An important feature of the IMS-Smart philosophy is that an established organisation must be doing something right, otherwise it would be in the process of changing it. The IMS-Smart approach is therefore to superimpose the IMS-Smart architecture on top of an organisation's existing system of internal control and use it immediately to identify corrective actions and improvements. These are then managed through a To-Do-List with appropriate business priority. In keeping with this pragmatic approach, IMS-Smart uses a hypertext-based technology to ensure that all documentation and records in support of the management system are just one click away from those people who need them, the managers. Documentation is minimised and the focus of demonstrating conformance is on records of performance.

Scalability

As we mentioned in the introduction, systems of internal control have no bounds. They exist in all organisations, irrespective of their objectives and size. Therefore if a common architecture were to exist, and we submit that IMS-Smart is such an architecture, it must be scalable from the extremely small to the extraordinarily large. To accommodate this requirement, IMS-Smart uses a hierarchical arrangement of superior and subordinate IMSs.

Through IMS-Smart's opportunity and risk assessment practices, a superior IMS dictates those policies, sprites and controls that must be implemented by its subordinates in order to maximise the reward and reduce the risk that is common across all subordinates. Each subordinate may, however, augment its superior's opportunity exploitation plans (OEPs) and risk treatment plans (RTPs) to deal with cases peculiar to its own business responsibilities (i.e., not common across all subordinates) where there is greater opportunity or greater risk.

Each subordinate may also introduce additional OEPs and RTPs where the opportunities and risks are entirely peculiar to it. We refer to the most superior IMS as the overarching IMS.

The Civil Service in Mauritius affords an exemplar of this concept, where an IMS situated in the Prime Minister's Office establishes common policies and procedures for the entire Civil Service. At the ministerial and even departmental level, subordinate IMSs augment and add sprites and controls as appropriate. Indeed, as should be immediately appreciated, government departments may have much in common in terms of HR, finance and IT, but the business of, for example, Passport and Immigration and that of Social Security are very different.

Summary

IMS-Smart is a management philosophy for creating, policing and improving systems of internal control in conformance with the principles of sound corporate governance. It has an architecture that embraces both parts of internal control: the part for doing the job in pursuance of the organisation’s business objectives, realised through a set of opportunity exploitation plans; and the part for ensuring the job is performed in accordance with the organisation’s wishes, realised through a set of risk treatment plans.

Both sets of plans are designed using complementary "tell it like a story" methods, which:

  • are understandable by everyone, and in particular senior business people
  • cover all interests of the organisation, in other words they cut across all corporate functions, disciplines and processes, and are equally applicable to financial as well as non-financial risks
  • are amenable to measurement, so that the effectiveness of the system of internal control can be determined, and in particular its ability to meet the performance and policy objectives of the board.

The architecture is fully compatible with all new and revised ISO management system standards (i.e. those that conform to Annex SL of the ISO Directives). This renders the construction of integrated management systems and certification straightforward.

Nevertheless, despite being only a management philosophy, IMS-Smart is supported by technology which ensures that all documentation and records in support of the management system are just one click away from those people who need them, and which plays a key role in the process of factoring out controls and representing them in conformance with one or more management system standards.

In this regard, IMS-Smart is not only essential to creating a sound system of internal control but it is a true integrated management system in the context of ISO management system standards.