The importance of current controls in Risk Management
Today’s topic is current controls.
Now, these are like the red-headed stepchildren of risk management. We tend to ignore the current controls that we already have in place within an organisation to deal with the risks that might occur.
Over time, things happen within organisations. It might be fraud, it might be safety incidents. As a result of those particular incidents, new controls have been put in place to make sure that they don’t happen again, or to try and minimise the chance that they’re going to happen again.
When we’re identifying and analysing risk, what we tend to do is pay lip service to those current controls. So not only do we need to identify what those controls are, but we also need to look at how effective they are.
There is a direct correlation between the effectiveness of your control environment and the likelihood and/or consequence of your risk. The less effective your control environment, the greater the chance of that risk occurring. Now, what I’ve seen in risk workshops is that organisations will identify their current controls and ask the question “How effective is it?” And they’ll say “That’s effective”, or “That’s partially effective”, or “It’s not effective”. But these are qualitative judgements. And when I ask what they’ve based that grading of effectiveness on, they’ll tell me “Well, nothing’s happened, so it must be effective”. This is a real false sense of security.
The thing that I tell my students and my clients is that an absence of incidents is not an indicator of the effectiveness of a control. In most cases it is an indicator of good luck. The only way to understand how effective your control is, is to actually define measures of effectiveness, and then to measure the control against them.
The first thing that we need to do when we develop our controls is assign a control owner. If we don’t have a control owner, how are we ever going to know whether those controls are effective, when nobody has their hands on the wheel? So when we identify and put in place a new control, we need to identify a control owner, we need to identify the measures of effectiveness, and we need to put in place some form of internal audit or checking to confirm that the control is actually effective. This is absolutely critical for controls where the risk consequence is severe or major for the organisation.
The higher the consequence level, the stronger your controls need to be to keep the likelihood of that risk at a lower level.
Controls and control effectiveness are absolutely critical to the process. If you go back over a range of post-event analyses, coroner’s reports or audit reports from ANAO, what you will find is that many of the incidents were caused by the ineffectiveness of the controls that were already in place.
So, my advice to you is this: before you go and put new risk treatments in, have a look at the effectiveness of your current control environment, and if it’s not effective, bring it up to a state where it is. Then you probably will not need to spend resources and money putting new controls in place.