During our review of the 7 steps of the risk management process, we identified the crucial role that controls play in mitigating threat risks to the organisation.
Recall that for those risks where the inherent risk level was unacceptable, we needed to take certain actions to mitigate the risk. Some people keep the term 'action' until the action has been fully implemented, at which point it becomes a 'control'. There are, of course, many existing controls in organisations that have been developed over time as risks have been identified.
Where the risk identified is an opportunity for the organisation, there are also actions identified and put in place, with the intention being to increase the likelihood and impact of the risk event.
So what are controls?
If we recall the definition from the International Standard ISO31000:2009, risk is 'the effect of uncertainty on objectives'.
A control, therefore, is an activity designed to prevent or detect errors that may lead to the risk eventuating. These measures or actions taken to modify the risk typically include physical things like equipment or technology, or 'soft' controls like policies, procedures, techniques or methods.
Controls generally fall into one of three categories:
Preventative: these controls are designed to stop the risk from occurring (or facilitate the risk if an opportunity) in the first place and should link to the risk drivers, or causes, of the risk.
Detective: designed to identify the incidence of the risk occurring in a timely manner after the event (e.g. a fraud).
Recovery: once an event or risk has occurred, these controls are designed to return to 'business as usual' as quickly as possible.
In the area of safety of people, many will be familiar with the Hierarchy of Controls (shown below) which rates the effectiveness of the various controls options from most effective to least effective. Naturally, these controls are all preventative in nature.
Like the Hierarchy of Controls in safety, controls used to modify other risks will vary in their effectiveness.
Controls relying on people to follow a process or procedure (people-based) will typically be less effective than a system or engineering (automated) control.
Some examples of people-based controls include:
Segregation of Duties - for instance, one person cannot raise a purchase order and make a payment
Reconciliations - where two sets of numbers that should balance are tested, ensuring data is sourced from different systems or records
Management review - a person superior to the preparer reviews the evidence and processes performed, for instance, reviewing reconciliations
System or automated controls can include things like:
Password resets - scheduled changes to user passwords to reduce risk of unauthorised system access
'Deadman' switch - on equipment, to automatically shut down if the operator lets go or is incapacitated
Exception reporting - system generated reports indicating variations outside of acceptable parameters
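As an added example (not from the original article), the following Python script shows three of the controls listed above implemented as automated, detective checks over a small set of constructed purchase-order and payment records: a segregation-of-duties check (the PO raiser must not also make the payment), a reconciliation of two totals drawn from different records, and an exception report for variations outside acceptable parameters. The record layout, the amount tolerance and the approval limit are assumptions chosen for the illustration.

```python
"""Added example: automated detective controls run over constructed transaction
records. The record format, tolerance and approval limit are assumptions."""


# Constructed sample records: purchase orders and the payments made against them.
PURCHASE_ORDERS = [
    {"po": "PO-1001", "raised_by": "alice", "amount": 4200.00},
    {"po": "PO-1002", "raised_by": "bob",   "amount": 950.00},
    {"po": "PO-1003", "raised_by": "carol", "amount": 78000.00},
]
PAYMENTS = [
    {"po": "PO-1001", "paid_by": "dave", "amount": 4200.00},
    {"po": "PO-1002", "paid_by": "bob",  "amount": 950.00},    # raiser also paid
    {"po": "PO-1003", "paid_by": "erin", "amount": 87000.00},  # paid more than ordered
]


def segregation_of_duties_breaches(orders, payments):
    """Flag payments where the person who raised the PO also made the payment.
    Returns the sorted list of offending PO numbers."""
    raiser = {o["po"]: o["raised_by"] for o in orders}
    return sorted(p["po"] for p in payments if raiser.get(p["po"]) == p["paid_by"])


def exception_report(orders, payments, tolerance=0.0, approval_limit=50000.0):
    """Report variations outside acceptable parameters. The two parameters
    (assumed) are a payment-vs-order tolerance and a single-payment approval limit."""
    ordered = {o["po"]: o["amount"] for o in orders}
    exceptions = []
    for p in payments:
        expected = ordered.get(p["po"])
        if expected is None:
            exceptions.append((p["po"], "payment with no matching purchase order"))
            continue
        if abs(p["amount"] - expected) > tolerance:
            exceptions.append((p["po"], f"paid {p['amount']:.2f} vs ordered {expected:.2f}"))
        if p["amount"] > approval_limit:
            exceptions.append((p["po"], f"exceeds approval limit {approval_limit:.2f}"))
    return exceptions


def reconcile_totals(orders, payments):
    """Reconciliation: two totals that should balance, sourced from different records.
    Returns the difference (orders minus payments); zero means they balance."""
    return round(sum(o["amount"] for o in orders) - sum(p["amount"] for p in payments), 2)


if __name__ == "__main__":
    print("SoD breaches:", segregation_of_duties_breaches(PURCHASE_ORDERS, PAYMENTS))
    for po, reason in exception_report(PURCHASE_ORDERS, PAYMENTS):
        print(f"EXCEPTION {po}: {reason}")
    print("PO total minus payment total:", reconcile_totals(PURCHASE_ORDERS, PAYMENTS))
```

Each function returns its findings rather than only printing them, so the same checks can be scheduled and their output fed into a management review or an audit trail, which is what makes them detective rather than merely informational.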
Having controls in the business comes at a cost - implementation, review and auditing all consume company resources. But there are very good reasons why all businesses need a good control environment. Good controls help businesses to:
Protect value and create value for the organisation
Set the culture to deter, prevent and detect theft / fraud and human error
Make sure policies and procedures are observed in practice
Achieve effectiveness and efficiency in business operations
Promote accurate and reliable financial records and reporting
To achieve these benefits, controls should be regularly assessed for effectiveness. This can be via self-assessment in the first line of defence and/or through monitoring by the second line of defence.
For truly independent and objective feedback, the controls should be tested by the organisation's Internal Audit function (noting that the external auditors will also test internal controls related to the financials and of material value).
For clarity among all stakeholders, there should be an agreed rating scale of control strength so that the business can prioritise responses to control weaknesses. Below is an example Control Effectiveness Assessment:
Like every other aspect of the risk management process, controls should be regularly and critically reviewed. In some organisations, controls can be easy to design and implement but harder to retire once they have outlived their usefulness.
Ineffective or outdated controls waste time and effort and lead employees to wonder whether management really does understand the current business environment. Clear lines of communication, especially during the risk assessment process, should avoid this becoming an issue.
My focus at Proximity Risk & Assurance is to work with the first line of defence, the business operations, to better play their part in the risk management process. Please contact me to discuss how I can assist in your business - via this email link or on mobile - 0404 829 040.