Effectiveness of current controls in Risk Management
Welcome! In this session I am going to expand on something I have talked about before: the effectiveness of current controls. As I said in a previous blog, the effectiveness of the controls you currently have in place in your organisation is going to determine how likely a particular event is to occur. What I also said at that time is that if those particular events have significant consequences for your organisation, you need to make very sure that those controls are effective.
In this blog, what I want to talk about is what that means. I will go into a risk workshop and we will identify and detail a whole range of controls, and I will ask how effective they are. People will say they are effective because nothing has happened in the past. The reality is that the absence of incidents does not necessarily indicate the effectiveness of your controls; the only way to know is to measure them. For every single one of those controls we need to identify an owner, but we also need to identify our performance measures. What are the areas that we are going to assess that particular control against? And in turn, what are the key performance indicators that we are going to use? What are our preventative controls, and how are we going to measure that those preventative controls are actually effective? What are some of the detective controls that we are going to have in place, and how are we going to measure the effectiveness of those as well?
As I said, you need to have performance measures and key performance indicators for every single one of your controls, because if you don’t, you are never going to know how effective they are. Now think about it: when we see things on the news, crises and things that have gone wrong, in rare cases it’s because there was an absence of controls, but in the majority of cases it’s because the controls that were in place were not effective. So make sure, when you are developing these controls, that you don’t just pay lip service to them by saying “we have a policy here or a procedure”. Identify the owners of that particular control, and then ask the question: how am I going to measure that this control is effective? If you never do that, you can never actually determine what the true likelihood of that risk is. That’s all I have got for this session, so as always, let’s be careful out there!