Embedding Risk Management into Business Operations
Internal Control Practical Guide
Ahmad Tariq Bhatti, FCMA, CGMA
Internal Controls as a Management Tool
Purpose
• Internal controls support risk management, efficiency in operations and growth
• They are embedded in daily operations and are not just compliance activities
Risk Link
• Risk assessment is a component of internal control
• Internal controls define how risks are prevented, detected, and managed
Ownership
• Management designs and operates controls
• Internal audit provides independent assurance, not ownership
• Leadership tone and culture drive effectiveness
Business Value
• Reduced errors and fraud support more reliable and efficient operations
• Better decisions and operational discipline
• Stronger governance and stakeholder confidence encourage more investment
Introduction to Internal Control
1. Definition: System encompassing policies, processes, tasks, and behaviors leading to efficient and effective operations
2. Purpose: Safeguard assets, ensure reliable reporting, promote efficiency of operations by preventing errors, fraud, waste and abuse, and ensure regulatory compliance
3. Business Integration: Controls should be embedded within operations and must be followed under all circumstances; no exception should be given in this regard
4. Risk Focus: Designed to manage rather than eliminate the risk of business failure
5. Reasonable Assurance: Provides reasonable but not absolute assurance against all risks
Types of Internal Controls by Purpose
• Preventive controls
Designed to prevent errors or fraud before they occur
Examples: segregation of duties, authorization limits, supervisory controls
• Detective controls
Identify errors or irregularities after they occur
Examples: reconciliations, internal audit reviews, special reviews
• Corrective controls
Address issues identified by detective controls
Examples: error correction, disciplinary action, devising additional controls
Internal controls should be designed for all business processes, with
depth proportionate to risks. Areas such as operations, finance and
accounting, and human resources must be evaluated for their risk profiles.
Examples include:
• Procurement and payments
• Inventory and stores
• Sales and receivables
• Payroll and human resources
• Fixed assets
• Financial accounting & reporting
Internal Audit Function
1. Annual Review: Board should annually assess the need for an internal audit function, new areas, and review resources
2. Risk Factors: Consider the complexity, diversity and scale of business operations, evaluate the effectiveness of current controls, reinforce them with additional controls, check the need for new controls, review employee numbers and corporate culture
3. Assurance Alternative: Evaluate other means of obtaining sufficient objective assurance if there is no internal audit
4. Value-Added Service: Internal audit should provide value-added services to the Board
5. Independence Requirement: Function must maintain objectivity and adequate resources to be effective
6. Board Reporting: Internal audit should report regularly to the Board via the Audit Committee
Embedding Risk-Based Methodology
1. Case for Risk Management: Make a business case demonstrating risk management benefits to business performance, efficiency & growth
2. Current State: Document and assess existing processes before implementing a new risk management framework
3. Clear Vision: Develop a clear vision and framework defining what successful risk management looks like
4. Design Process: Design new or adapt existing processes with management and assurance function input
5. Resource Mobilization: Determine resource requirements and obtain board commitment for process implementation
6. Continuous Improvement: Implement ongoing monitoring and annual effectiveness reviews for continuous improvement
Role of the Management & Internal Audit
• Management designs and operates controls
• Controls are part of daily work and activities
• Internal audit independently evaluates controls
• Audit provides assurance, not ownership
• Strong controls mitigate risks
• Controls are reviewed through ongoing management oversight, periodic evaluations, and internal audit. They should be fortified after regular reviews
Control Self-Assessment (CSA)
• Business units should assess the effectiveness of controls
• CSA promotes ownership and accountability
• It identifies control weaknesses early
• It encourages risk awareness and mitigation
• It reduces surprises during audits
• It helps management in developing and implementing an effective system of controls
• CSA results should be independently validated by the internal audit to mitigate self-assessment bias
Finally, effective internal control is a shared responsibility across management, operations, and assurance functions.

Internal Control Practical Guide (Developing & Implementing Internal Controls)
