Design, implement and evaluate your controls

Options for controlling risk

So far we’ve looked at how you might assess your options for controlling risk, using the bow tie to analyse how you can control likelihood or the severity of the consequences.

You may not need to do that bespoke analysis though. Many regulatory and accreditation processes build in controls when they require you to demonstrate that you have certain procedures in place. There are examples of this in health care and education.

Procurement, privacy and prudential standards should all be understood as ways of controlling risk—if you comply with the standard, then the risk of financial waste or corruption, for example, is controlled. This is also true for compliance with legislation such as the Climate Change Act and the Modern Slavery Act.

Moving out of the compliance sphere, we can also find examples of voluntary codes and strategies, where someone’s already done the work to validate their effectiveness in a wide range of situations. The Australian Cyber Security Centre’s Essential Eight or AS/NZS ISO/IEC 27001- Information security, cybersecurity and privacy protection — Information security management systems — Requirements are examples of that.

Preventing, correcting and detecting

Another way to look at controls is to look at the structure of risk.

Preventative controls reduce the likelihood of an event happening.

The best way to control a risk is to prevent it from arising in the first place. You might be able to reduce the likelihood of loss or harm to, or close to, zero. Two examples of this, one from everyday life and the other from the workplace, are:

• the design of electric plugs and sockets which make it impossible for a person to touch a live current
• a protocol for releasing confidential information with approval steps designed to ensure that any release for any purpose is approved by the appropriate person in the organisation.

Detective controls pick up the signs that a risk is changing, or an event has happened.

Another way to control a risk is to attempt to detect and report undesirable events or conditions, enabling you to respond promptly and take corrective actions. Examples of detective controls are:

• Audit reviews: Regular audits by internal or external auditors to review financial and operational processes
• System logs and alerts: Using automated systems that log activities and flag unusual actions for review.

Corrective controls reduce the severity of the consequences if the event does happen.

These controls are activated after a risk event has been materialised, aiming to restore operations to their desired state and to prevent the recurrence of similar problems in the future. Examples of corrective controls include:

• A Business Continuity Plan that has been reviewed, exercised and updated in the past 3 months
• An IT Disaster Recovery Plan that has been reviewed, exercised and updated in the past 3 months.

Monitoring changes to your risks

Risk is dynamic. A risk may increase or decrease as a possible event becomes more or less likely. It can also increase or decrease according to a change in the potential consequences. You need to monitor signs of that change.

These signs are your risk indicators.

Your risk analysis will help you to work out what indicators you need to pay attention to, by giving you insight into the causes of events and the factors that make them more likely and their consequences more harmful.

By watching these indicators, you’ll be able to see

• whether your efforts to control the risk are effective
• when you need to escalate a risk that’s approaching a threshold of tolerance.

An evidence-based approach to controlling risk depends on risk and performance indicators. Not only will it help you achieve your objectives, it’ll help you demonstrate, in economic terms, the value of managing risk effectively.

What is control effectiveness and why is it important?

Control effectiveness is the term used to describe how well a control is reducing or managing the risk it is meant to modify.

The more effective a control is, the more confidence you have the risk is being managed as you expect. A control is more effective when it is highly:

• relevant (it’s designed to address the intended risk)
• complete (it addresses most/all the risk)
• reliable (it operates as expected)
• timely (it operates at the right time and reacts quickly enough).

Understanding how effective your controls are will assist you in planning and prioritising risk management actions and making informed decisions.

What is control effectiveness testing?

Control effectiveness testing involves regular review of your controls, to ensure they’re designed correctly and are effectively reducing or managing risks as expected.

Note that you are evaluating whether the established controls (preventive, detective, and corrective) within your organisation are operating as intended and are effective in mitigating identified risks to acceptable levels.

The purpose of control effectiveness testing

• Assess adequacy and effectiveness: To determine if controls are adequate to address specific risks and if they are effective in either reducing the likelihood of an event occurring or minimising its consequences should it occur
• Identify weaknesses and gaps: Testing helps identify weaknesses or gaps in the control environment, providing an opportunity to strengthen controls before failures occur
• Compliance verification: Your organisations must adhere to various regulatory requirements and standards. Control testing ensures compliance with these mandates by verifying that controls meet or exceed required standards
• Support continual improvement: By regularly testing controls, you can make informed decisions about where to make improvements or adjustments, supporting a continual improvement cycle in risk management.

Control effectiveness testing may be more suited for organisations that have stable control environments, mature risk management frameworks and resources available to do the testing. You may choose to test some controls more often than others, or to prioritise testing based on factors such as internal audit findings.

The VGRMF includes control effectiveness testing in its guidance on good practice risk management, however it’s not a mandatory requirement.

Risk and/or control owners are usually responsible for testing control effectiveness and ensuring the control is working as intended.

So, how do you test for control effectiveness?

Testing for control effectiveness includes:

1. Understanding the control’s purpose
2. Gathering evidence
3. Evaluating, and
4. Planning treatments and update the risk register.

Find out more about each of these steps, below.

Weighing up the costs of control

Controlling and monitoring risk, like all management activities, comes with a cost. There are two ways to look at this:

• weigh up the cost against the benefit of achieving your objective
• look at the opportunity cost of spending money on controlling the risk, rather than something else of value to the organisation.

Costs and benefits

The benefit you’re seeking comes from achieving your objective. So, your question here is whether the cost of controlling the risk you need or want to take to achieve your objective is worth it.

For example, is it worthwhile to invest $500,000 on building upgrades when the whole organisation will be moving to another office within 12 months?

Opportunity costs

The other concept to bear in mind is opportunity cost. Your organisation’s resources are finite. If you decide to spend money on controlling a risk so that you can achieve an objective, then that money isn’t available for other work.

That needs to be a conscious decision. When you’re making decisions about how to control your risks, you should always ask yourself whether that puts other objectives at risk.

For example, if you didn’t spend that $500,000 on the building upgrade, that money would be available for an upgrade to the health and well-being program and other culture initiatives.

This is how you demonstrate, in economic terms, the value of managing risk effectively.

What is a control library?

A control library is a central list of all your organisation’s controls. Control libraries are best suited to larger organisations, where there’s a critical reliance on operational processes that need to be well documented and regularly monitored.

It may contain:

• a list of controls
• a description of each control
• the risk/s a control aims to modify
• the effectiveness of a control
• the control owner
• categorisation into preventative, detective, or corrective
• categorisation into key controls or non-key
• categorisation of general type (IT, manual, environment).

A control library allows you to see all controls operating within your organisation and their effectiveness in one place. It allows you to view controls that are in place for other business areas, so you can consider using or adapting them to address other risks.

For some organisations, control libraries exist as databases or modules within their governance, risk and compliance applications/systems, including safety, IT and finance. Control libraries are sometimes used by auditors to identify and test the key controls relating to an audit area.

Take a look at our Control Library example [PDF, 264KB].