Introduction
In the previous articles we unpacked various risk-based methodologies, such as the P2ST2 and the Internal Control Methodology. Based on this departure point, Crest Advisory Africa (Pty) Ltd always starts with these questions to determine the maturity of a company’s risk and control processes.
Very few companies can answer these questions. This creates a dilemma for us and the client, as we need to educate the specific committee, whether Board Risk Committee, Executive Risk Committee, Departmental Risk Committee or various Operational Committees, before we can commence with the risk assessment process to create or review the Strategic Risk Register, the Tactical Risk Registers or the Operational Risk Registers.
To address a risk that relates specifically to the Objective of the Company, at whichever level the risk register sits (Strategic, Tactical or Operational), you must have performance in mind. Without verifiable, repeatable and validated information, how can one provide Assurance to the leadership?
And without statistics, graphs, and trend analysis, the information you provide to the leadership is incomplete.
The ICE Methodology in Practice
Many companies have specific Governance, Risk and Compliance (GRC) software that they are using. This usually provides the client with a number of reports, based on the information that is captured within the system.
The question is always, what is the methodology used? Do you have a variety of performance indicators to measure the Management Controls? How are these controls assessed? How can the performance be verifiable, repeatable and validated? What is the base of departure?
Let’s get to the practical example. In my previous article titled P2ST2 Methodology in Risk Control and ICE Methodology in Risk Control, I explained these two methodologies.
In the extract in the P2ST2 article we demonstrated the Contributing Factor (CF) and the analysis of the CF in terms of the P2ST2 methodology. Now we will take this a step further and evaluate the Management Control (MC) listed against the ICE Matrix Criteria. The result is as follows:

The table above indicates the golden thread between the Strategic Objectives, the Tactical Objectives, and the Management Controls (MC) listed against every Contributing Factor (CF). Each specific control is then measured in terms of the Internal Control Effectiveness (ICE) percentage evaluation, per control and not overall.
The result of this assessment is a mathematical assessment of the percentage Level of Assurance (LoA) provided for this control. This percentage is then used to determine the Level of Risk (LoR) which needs to be treated.
This could easily be displayed using Business Intelligence (BI) software. The figure below shows the performance of a company’s controls over a number of departments. This is measured over 1581 internal controls listed across all the departments. This is indicative of a verifiable, repeatable and validated process and performance, based on the two (2) methodologies, P2ST2 and ICE.

The following figure indicates the Top 10 performance of the P2ST2, based on the ICE measurement. The results of the P2ST2 methodology are different and need to be interpreted in terms of the Top 10 risks of the company.

The performance indicates that the company is very people-driven, which needs to be controlled by robust processes, from the top down. Systems have been implemented to enable the company in its performance and the 54% performance indicates that there is a lot of growth needed to lift the company. But in the changing global environment, technology implementation and enablement are of critical importance.
Conclusion
The measurable criteria for Risk Management must be verifiable, repeatable and validated. The results of the various assessments are indicative of a process and results that can be trusted by the leadership.
The question that every risk register needs to answer is: can the Level of Assurance (LoA) provided by the Risk Owner be accepted as a single version of the truth of the performance on a strategic, tactical or operational level?
A number of graphs are available to analyse the performance from a strategic perspective and to deploy the internal audit resources to conduct audits on the controls on a random basis, covering the controls within the below-tolerance criteria as well as the well-performing controls.
These articles are steadily proceeding through the structure of a Risk Register and how to optimise the risk management process as a trusted process within the Strategic Management ecosystem of any company.