6 Key Questions to Define Risk Control.
In last week's blog, I discussed the basic but often confused issue, of describing operational risks in a logical and understandable way. This week, I turn to controls, which are often as equally poorly defined and understood.
The ISO 31000 standard defines control as a “measure that is modifying risk”. While not incorrect, this definition is broad, and I am not sure overly meaningful or engaging with the employee at the coal face.
I think a risk management framework that wishes to engage the front line needs a more practical definition and understanding of controls.
Let’s investigate further by asking these key questions:
- What aspect(s) of risk is the “measure” modifying?
- How does a control “modify” risk?
- What is a “measure”?
- What is a control and what is not?
- What are the main types of control?
- What “measures” should be ideally recorded in a risk and control register?
1. What aspect(s) of risk is the “measure” modifying?
Risk is generally measured through a combination of an assessment of the likelihood of it occurring and the impact if it were to occur. These are considered the key characteristics of a risk that a control may modify. A control will, therefore, modify the likelihood and/or impact of a risk.
Another aspect of risk that a control can modify is the risk’s velocity (a risk aspect that is not talked about much but which will be the subject of a later blog). This is the speed at which a risk passes through the phases of its life from initial cause to final impact. A bilge pump on a sinking ship reduces velocity to allow more chance for passengers to evacuate the ship.
2. How does a control “modify” risk?
The ISO 31000 definition specifically does not say “measure that is reducing risk” but rather “measure that is modifying risk”. This recognises that the risk aspect may be either increased or decreased by the control. The general assumption with most controls is that they will reduce risk which is usually valid. However, some controls may reduce one aspect of the risk while increasing another.
Taking out mobile phone insurance for loss of phone for your staff will reduce the net impact of a financial loss but will most likely increase the likelihood of it being lost as the employee will care less as the net impact to them is zero or negligible.
We need to understand the way that controls modify all aspects of the risk in order to understand whether overall the control reduces or increases the risk.
3. What is a “measure”?
There is a range of treatment methods we can apply to risk that will modify it. The main treatment methods we have available are:
- Accept the Risk
- Eliminate / avoid the risk by stopping the activity causing the risk
- Reduce the Risk by increasing controls
- Reduce the Risk by transferring some of the risk impact (e.g. Insurance)
- Reduce or increase the Risk by transforming the inherent risk environment. This would usually involve process re-engineering.
- Increase the risk by reducing controls
Not all of the above would be considered “controls”. Controls are only involved in points 3,4 and 6.
“Measures” that are controls are therefore usually considered to be either a procedure/action or a device that is aimed at modifying a risk(s).
4. What is a control and what is not?
The ISO 31000 standard says “Controls include any process, policy, device, practice, or other actions that modify risk.” In reviewing many risk registers, “controls” are identified as many things, including:
- Policies e.g. HR Policy
- Documented procedures e.g. Documented procedures for paying suppliers
- Actions to fix a broken control e.g. Fixing of broken door locks
- Parts of the inherent risk environment e.g. Fixed window panes
- Committees e.g. Pricing Committee
The above are not controls. They may have controls embedded in them but this is what should be called out. “HR policy” or “Pricing Committee” as a control is too vague. Parts of the inherent risk environment are not controls.
I often find it useful to differentiate between controls and “Part of the Furniture”. An item that is part of the furniture is expected to be there in a normal operating environment and will have multiple purposes, not just the modification of a single risk.
An example is the fixed window pane in a building. The window reduces the risk of unauthorised access but we a) would expect it to be present in a typical building and b) it also keeps out the weather, keeps us warm and allows us to get natural light.
In contrast a security guard would be identified as a control because not all buildings have them and their primary role is security.
5. What are the main types of control?
Controls are usually categorised as either Preventive, Detective or Reactive. This is based primarily on where in a risk’s life do they apply and as a result, do they modify the likelihood and or the impact of the risk.
Preventive controls apply at the beginning of a risk’s life, at or near the root causes(s). As a device, they often act as a barrier to “nip it (the risk) in the bud”. They primarily reduce the likelihood of the risk occurring. Examples are system passwords, locked doors, machinery maintenance etc.
Detective controls usually apply somewhere in the middle of the risk’s life. Detective controls rely on the analysis of information in order to detect that a risk is “in motion”. Detective controls that are “early” in the risk’s life usually modify likelihood and those that are “late” in the life, usually modify impact. Examples are data reconciliations, smoke detectors, exception reports, etc.
Reactive controls (sometimes also called Responsive or Corrective), apply towards the end of a risk’s life when the impact is imminent or being felt. They are focussed on modifying impact. Examples are DRP, Insurance, media management etc.
6. What controls should be recorded in a risk and control register?
Controls should be recorded in the risk register against the related risk. The issue is which controls should be recorded. I usually consider that “measures” can be divided into 4 main types:
- Base line “controls” = Part of the furniture
- Minor controls = Very little impact on the risk
- Medium controls = Negotiable but important
- Key Controls = Non-Negotiable
Only the key and medium controls should be recorded. This should limit the number of controls for each risk to between 2 and 4.
The quality for risk data in your risk system and the level of staff engagement with risk is highly dependent on the level of understanding that staff have of the basic components of risk and controls. The issues above should be addressed in your guidance and training of staff as without clarity much confusion will exist.
Protecht.ERM allows for controls to be stored in a central library and ‘tagged’ into their various categories. Controls can be linked to risks on a one to one, one to many and many to one basis.
Please contact Protecht at firstname.lastname@example.org if you would like further information on establishing, categorizing and monitoring controls and how Protecht.ERM can assist in embedding your risk management framework in your organisation.