2018 Blog # 4 – Proportionality is the Key

I have discussed the importance of controls, and their effectiveness, to the risk management process in many forums, including Risk Tip #2 – Control Effectiveness. It is still my belief that the management of risk cannot be effective unless an organisation understands not only what controls are in place, but, more importantly, how effective they are.

I have recently worked with a number of organisations that have embraced the concept of controls and their importance, but what has become obvious to me is that there is a belief that a control needs to be applied to the same level across the organisation.  This is not the case and it can lead to expending far more resources than are necessary controlling something that doesn’t require it. Proportionality is the key.

What do I mean by proportionality?

Put simply, proportionality means that the same control is applied, but at different levels based on the consequence should the risk occur.

Prisons are an excellent model for the concept of proportionality.

If we use the following risk, "prisoner escapes from custody", we can see how it is applied. We will use three levels of custodial confinement to illustrate.

Minimum Security: Prisoners who require a low degree of supervision and control within the prison and who can be reasonably trusted in open conditions. Some of these prisoners will meet the eligibility criteria for external program activity and work camp placements.

Medium Security: Prisoners who cannot be trusted in open conditions, but present a low to moderate risk of escape and/or a moderate risk to the safety of the public in the event of an escape.

Maximum Security: Prisoners for whom high conditions of security are necessary and for whom escape must be made very difficult.

It would be extremely ineffective and cost-prohibitive if all prisoners were to be treated the same and classified as maximum security. Instead, prisoners are categorised not only on the likelihood of escape but, more importantly, the potential consequences (to public safety and reputation) if they did escape.

We can also apply the same concept of proportionality in our workplaces.  The tables below highlight some of the circumstances where proportionality could be considered:

Fraud

Consequence Level: Insignificant/Minor

Standard Controls:

·     Code of conduct
·     Employee screening
·     Fraud awareness training
·     Fraud Control Policy
·     Separation of duties
·     Informal spot-checks

Consequence Level: Moderate

Standard Controls plus:

·     Supplier and customer screening
·     Regular and random audits
·     Experienced staff in roles

Consequence Level: Major/Severe

Enhanced controls which incorporate (above the other controls listed):

·     Rotation of personnel
·     Increased requirement for security clearances
·     Experienced staff in roles
·     Independent validation of supplier goods

Procurement/Grants

Consequence Level: Insignificant/Minor

Standard Controls:

·     Procurement policy
·     Training of staff
·     Non-complex procurement documentation (Request for Quotation)
·     Selection by one person with low level delegate sign-off
·     Limited/standard procurement agreements
·     Declaration by recipient of delivery

Consequence Level: Moderate

Standard Controls plus:

·     More detailed procurement documentation
·     Potentially more than one person involved in evaluation
·     Sign-off by higher delegate
·     More detailed contract including performance measures
·     Limited assurance built into contract management regime
·     Inspection of goods and services once delivered

Consequence Level: Major/Severe

Enhanced controls which incorporate (above the other controls listed):

·     Request for Tender
·     Tender Evaluation Board established with Tender Evaluation Working Groups
·     Source evaluation report with high-level delegate sign-off
·     Contract with detailed performance measures and assurance requirements
·     Audit/assurance program
·     Regular meetings with vendor
·     Verification and validation of goods and services delivered

This all seems common sense, I hear you say – but if only that were the case. If we look at Government procurement, which sets limitations on what can be a simple procurement and what needs to be a complex procurement, it is mostly based on cost (although there are also considerations for complexity).

Let’s imagine we have two procurement activities – one for $100,000 and one for $1,000,000, neither of which will have an impact on the organisation’s reputation if what was delivered was not fit for purpose. Under the current policies, the second activity would have significantly more time, effort and energy allocated to it, which, on the surface, might seem to be justified. But when we consider that, in this Department, the consequence matrix looks like this:

 

Financial

Insignificant: If this risk was to occur, it would lead to a loss to the Department of less than $2 million.

… we can start to see that, potentially, a significant amount of effort is being applied to an activity where the consequence to the Department (and not just the financial consequence) of it failing is insignificant.

Summary

In previous blogs I have talked about linking controls to the highest consequence risks, but what I have tried to demonstrate here is that they may only be critical in certain areas, due to the fact that the consequence level is inconsistent across the organisation.

So remember, using proportionality can save a significant amount of resources with no impact on the risk profile of the organisation.
