
The Role of Training in Strengthening Internal Controls and Managing Risk

Think about all the activities in your Organisation. Think about the number of people who perform these activities. Think about the number of processes involved. Think about the many legal and regulatory requirements staff must follow. Think about the risks and consequences should these activities and processes fail. Pretty soon, you’ll appreciate the importance of people knowing exactly what to do, why they do it, how to do it and what will happen if it is not done correctly. Tony Harb from InConsult looks at the importance of staff training to the organisation and its staff, and at its role in helping to strengthen the internal control environment and manage risk.

Staff training needs are dynamic

When people start in an organisation, they often start in a functional role that is well defined.  Although people will have the basic vocational skills and qualifications to fulfil their role, the organisation will provide staff with another level of training to contextualise its business, expected behaviours and operating environment.  This will include induction training covering topics like code of conduct, key legislative requirements and workplace health and safety (WHS).

Over time and as people move up and through the organisation, their role will expand, responsibilities increase and many laws and regulations will change.  This means that the training needs will also change for each person and each role.

Training develops new skills and confidence

Training can achieve many objectives, but one of the primary objectives is to build staff capabilities in key areas or upskill staff for new and different tasks.

A new manager was requested to review the organisation unit’s risk register.  She did, to the best of her ability.  However, the manager had no understanding of, or training in, risk assessment and no appreciation of the organisation’s risk management framework, risk ratings, risk appetite or what a treatment plan was.  So how effective do you think the risk review was?

Staff training will improve work quality, work practices and efficiency.  Think about how many computer systems each staff member uses within your Organisation.  Are staff using these systems correctly?

An internal audit in one government agency revealed that staff in one section were not using the organisation’s electronic document management system in accordance with the organisation’s policy because they had not been ‘adequately’ trained.  Consequently, important documents were stored in Outlook and on shared drives making it difficult to easily locate and provide information to the public under the NSW Government Information (Public Access) Act.

Training reinforces commitment

Staff training will increase job satisfaction and staff retention because people feel the organisation is investing in them.

Staff training covering safety and WHS sends the message that the organisation takes staff safety seriously and is meeting legal obligations.

Councillor governance and induction training helps new councillors (who may not have local government experience) understand key and relevant topics and reinforces the need to foster a culture of good governance.

Similarly, Board member governance training will help ensure all members have a basic understanding of good governance. A team building exercise is also recommended to break the ice and highlight the importance of working together.

Repeat, repeat, repeat

Whatever the training topic, the fact that the organisation has organised training can send a strong message to staff. But when the training is repeated every year or two, the importance of the topic is amplified.

In one state government organisation, the Chief Executive personally delivers Code of Conduct training every year and attendance is compulsory.

The message is simple “your compliance with the organisation’s code of conduct is so important to me that I am personally delivering the training, every year, to make sure you understand it and how important this topic is”.

Staff training supports internal control

International risk management standard AS/NZS ISO31000 defines a control as a measure that is modifying risk.  This is why staff training is often identified as a control for risks in an organisation’s risk register.

Internal auditors view staff training as a key element of the organisation’s internal control environment. Training records are frequently audited by internal auditors to confirm existence and validate the effectiveness of controls.

Depending on the type and objectives of training, staff training can support both ‘hard controls’ and ‘soft controls’.

Specific ‘how to’ training will support hard controls such as safe work methods statement and specific organisational policies.

Code of conduct and induction type training will support soft controls as they will set out desirable behaviours, reinforce morale and set the tone at the top.

In terms of managing risk, training typically addresses the ‘reducing the likelihood of the risk’ part of the equation, as staff are made aware of expectations and how to perform activities.

Staff training is required and strongly encouraged by regulators

In some industries, pro-active regulators will recommend, mandate, review and audit training records.

The Australian Prudential Regulation Authority (APRA) regulates the financial services industry and it recommends training and awareness programs in many of its Prudential Practice Guides and Standards, for example, CPS232 Business Continuity Management.  In addition, after a prudential review with a regulated entity, APRA has made recommendations that insurers conduct staff and/or board training in a number of areas.

A discussion paper titled Risk Management of Private Health Insurers by the Private Health Insurance Administration Council (PHIAC) proposes that the Board, senior executives and employees are provided with risk management training and ongoing support.

The NSW Treasury Risk Management Toolkit (TPP12-03) states that risk management training “should form a mandatory component of continued professional development within your agency”.

The NSW Division of Local Government’s (DLG) Promoting Better Practice Review specifically evaluates ‘staff development’ and various other ‘training’ aspects of a council’s operation.

After a major fraud and/or corruption investigation, the NSW Independent Commission Against Corruption (ICAC) often makes recommendations for further staff training.

Before a charity can be registered with the Australian Charities and Not-for-profits Commission (ACNC), it must meet a set of governance standards that requires “providing annual training for all responsible persons on their duties and responsibilities”.

Therefore, across many industry sectors, the various regulators highlight the importance and need for staff training.

Staff training is required by best practice standards

In addition to regulatory requirements, most organisations adopt Australian and International Standards to support various best practice activities.  Often, these standards will require adequate training to be maintained.

Australian Standard AS/NZS ISO31000 recommends organisations “allocate appropriate resources for risk management” including “training programmes”. It also recommends that “those who are accountable for managing risk are equipped to fulfil that role by providing them with the authority, time, training, resources and skills sufficient to assume their accountabilities”.

Australian Standard AS/NZS 5050 relating to business continuity recommends organisations hold information and training sessions covering the organisation’s disruption-related risks.

Australian Standard AS/NZS 4801 relating to workplace health and safety management systems recommends that an organisation in consultation with employees identify WHS training needs and develop procedures for providing WHS training.

Australian Standard AS 8001 relating to fraud and corruption control recommends “management and staff awareness training” to assist in the prevention and control of fraud by raising the level of awareness amongst all staff.

One of the eight tips for preventing fraud recommended by the Association of Certified Fraud Examiners is to educate employees about policies and procedures relating to fraud, and how violations of these policies will be disciplined.

Put training into practice

When the training is followed up by an activity, the impact of training is again magnified.

Conducting a risk assessment activity or risk workshop after risk management training will help put the risk theory into practice.

Conducting a business continuity exercise after completing the business continuity plan (BCP) is a great idea.  But conducting business continuity implementation and awareness training in between finalising the BCP and doing the exercise is even better, not only because it is good practice, but the people responsible for implementing the BCP feel more confident during the exercise and don’t feel as if they have been set up to fail.

Communicate expectations of behaviour and consequences

Training not only helps set expectations of performance, behaviour or compliance, but it should also communicate consequences.

ICAC’s Operation Jarek Investigation Report concluded that just training public officials to be aware of policies concerning gift acceptance can be ineffective and made a recommendation that councils ensure that staff training also focus on the disciplinary consequences.

Final thoughts

Staff training is an organisational responsibility, that is, it is up to the organisation to identify the training needs and implement appropriate training strategies.

Organisations should not train just for the sake of training or meeting a meaningless KPI. Ideally, the training KPIs should be developed and linked to the organisation’s objectives and strategy.

The training should be well planned, with specific training objectives and ideally post-training activities undertaken.

Training has many benefits for both the organisation and staff like establishing expected behaviours, acquiring new skills, improving staff productivity and quality and enhancing staff satisfaction.

From a risk management, audit and governance perspective, training is the foundation of many important activities and an important control. Effective training will help strengthen internal controls, improve the control environment, help manage risk and support the achievement of organisational objectives.

* * * *

Tony Harb B. Bus, CA, MBA, MIIA (Aust)

Tony has over 20 years’ experience in risk management, audit, finance and insurance. He is a qualified trainer and has trained board members, councillors, managers and staff in risk management, fraud & corruption awareness and business continuity management.  He can be contacted on 02 9241 1344 or by email at