Proportionality is the Key
I have discussed the importance of controls and their effectiveness to the risk management process in many forums, including Risk Tip #2 - Control Effectiveness. It is still my belief that the management of risk cannot be effective unless an organisation understands not only what controls are in place, but, more importantly, how effective they are.
I have recently worked with a number of organisations that have embraced the concept of controls and their importance, but what has become obvious to me is that there is a belief that a control needs to be applied to the same level across the organisation. This is not the case, and it can lead to expending far more resources than are necessary to control something that doesn’t require it. Proportionality is the key.
What do I mean by proportionality?
Put simply, proportionality means that the same control is applied, but at different levels based on the consequence should the risk occur.
Prisons are an excellent model for the concept of proportionality.
If we use the following risk, "prisoner escapes from custody", we can see how it is applied. We will use three levels of custodial confinement to illustrate.
Minimum Security | Medium Security | Maximum Security |
Prisoners who require a low degree of supervision and control within the prison and who can be reasonably trusted in open conditions. Some of these prisoners will meet the eligibility criteria for external program activity and work camp placements | Prisoners who cannot be trusted in open conditions, but present a low to moderate risk of escape and/or a moderate risk to the safety of the public in the event of an escape | Prisoners for whom high conditions of security are necessary and for whom escape must be made very difficult |
It would be extremely ineffective and cost-prohibitive if all prisoners were to be treated the same and classified as maximum security. Instead, prisoners are categorised not only on the likelihood of escape but, more importantly, on the potential consequences (to public safety and reputation) if they did escape.
We can also apply the same concept of proportionality in our workplaces. The tables below highlight some of the circumstances where proportionality could be considered:
Fraud
Consequence level: Insignificant/Minor
Standard Controls:
· Code of conduct
· Employee screening
· Fraud awareness training
· Fraud Control Policy
· Separation of duties
· Informal spot-checks

Consequence level: Moderate
Standard Controls plus:
· Supplier and customer screening
· Regular and random audits
· Experienced staff in roles

Consequence level: Major/Severe
Enhanced controls which incorporate (above the other controls listed):
· Rotation of personnel
· Increased requirement for security clearances
· Experienced staff in roles
· Independent validation of supplier goods
Procurement/Grants
Consequence level: Insignificant/Minor
Standard Controls:
· Procurement policy
· Training of staff
· Non-complex procurement documentation (Request for Quotation)
· Selection by one person with low level delegate sign-off
· Limited/standard procurement agreements
· Declaration by recipient of delivery

Consequence level: Moderate
Standard Controls plus:
· More detailed procurement documentation
· Potentially more than one person involved in evaluation
· Sign-off by higher delegate
· More detailed contract including performance measures
· Limited assurance built into contract management regime
· Inspection of goods and services once delivered

Consequence level: Major/Severe
Enhanced controls which incorporate (above the other controls listed):
· Request for Tender
· Tender Evaluation Board established with Tender Evaluation Working Groups
· Source evaluation report with high-level delegate sign-off
· Contract with detailed performance measures and assurance requirements
· Audit/assurance program
· Regular meetings with vendor
· Verification and validation of goods and services delivered
This all seems common sense, I hear you say – but if only that were the case. If we look at Government procurement, which sets limitations on what can be a simple procurement and what needs to be a complex procurement, the distinction is mostly based on cost (although there are also considerations for complexity).
Let’s imagine we have two procurement activities – one for $100,000 and one for $1,000,000, neither of which will have an impact on the organisation’s reputation if what was delivered was not fit for purpose. Under the current policies, the second activity would have significantly more time, effort and energy allocated to it which, on the surface, might seem to be justified. But when we consider that, in this Department, the consequence matrix looks like this:
Financial | |
Insignificant | If this risk was to occur, it would lead to a loss to the Department of less than $2 million |
… we can start to see that, potentially, a significant amount of effort is being applied to an activity where the consequence to the Department (and not just the financial consequence) of it failing is insignificant.
Summary
In previous blogs I have talked about linking controls to the highest consequence risks, but what I have tried to demonstrate here is that they may only be critical in certain areas, due to the fact that the consequence level is inconsistent across the organisation.
So remember, using proportionality can save a significant amount of resources with no impact on the risk profile of the organisation.