This week Tony & John discuss the use of different types of controls to mitigate risk using operational risk software.
This excerpt is taken from their book Mastering Risk Management…
Controls are the most common method of mitigating risks. They are completely within the management’s sphere of influence and in a firm practicing good risk management they will be increased or decreased to reflect the sensitivity of the firm to a particular risk.
Identifying risk controls
Just as identifying a suitable level of risk can be a challenge, so too can identifying the appropriate level of control. However, as controls are typically identified after risks, it is often easier to set control identification to the appropriate level. If the risk identification has been set, for example at a business objectives level, the controls which are identified should be at the same level.
It is very easy to identify controls at a departmental or activity level and relate these to the business objectives of a firm. However, this should be avoided as there will be a mismatch between the level of the risks and the level of the controls. In addition, it is important to identify and then score the strategic controls which are in place to mitigate the risks to the business objectives. If this is not undertaken, a firm can be lulled into a false sense of security, believing that its business risks are well controlled by a considerable number of activity or departmental controls.
When identifying controls, we are seeking to identify the independent controls which mitigate a risk. Although there is some point in identifying linked controls, far more business benefit will be achieved through identifying and scoring controls which are independent of each other. Controls which are linked to each other, perhaps in a sequence, are only as good as the preceding control. This means that if the first control in the sequence fails, none of the other controls give any benefit in mitigating the relevant risks. It is therefore vital that controls are checked to ensure that they are independent, otherwise, they become another source of false security.
Beware of linked controls
It is often said that a single control mitigates more than one risk. In principle this may well be true. In practice it is unlikely that the application of the control is exactly the same. Often the control is the same, but applied differently by different departments. For example, a staff appraisal is a very common control which mitigates the risk of ‘Failure to retain key staff’. However, the control is likely to be applied differently in different departments and the effectiveness of the control will vary considerably around the firm.
The head of risk should therefore challenge whenever it is suggested that a control mitigates more than one risk, in order to avoid two similar controls being mistaken for the same control.
Assessing risk management controls
When assessing controls it is helpful first to differentiate the controls identified into their various types. Controls can be divided into four types: directive, preventative, detective and corrective.
- Directive controls provide a degree of direction for the firm and are typically policies, procedures or manuals.
- Preventative controls act to prevent the risk or event from happening. They are often automated controls, such as guards round a piece of machinery or system checks to prevent limits being exceeded.
- Detective controls act after the risk or event has happened and identify and mitigate the risk which has occurred. Typical detective controls might be sensors which warn that the safety guards around a piece of machinery have been compromised, or reconciliations and monitoring of accounting entries.
- Corrective controls again act after the risk event has happened and mitigate the effects of the event through remedial action. Typical corrective controls are following up on outstanding reconciliation items or other risk reports and taking action following risk monitoring.
Control types and their effect on risks
Analysing preventative and directive controls is particularly important in risk and control self-assessments as they tend to reduce the likelihood of a risk occurring, whereas detective and corrective controls tend to reduce the impact that the firm suffers. Most risk managers aim to have a balance, where possible, of controls which mitigate risk before the event and its effects after the event.
When a variety of types of controls have been identified, their effects can be assessed on the inherent likelihood and inherent impact scores. This provides validation and confirmation of residual likelihood and residual impact scores if the firm has undertaken a residual risk assessment.
Design and Performance
Controls should be assessed on their inherent ability to mitigate risk, their design, and on their actual performance. There are a number of advantages to this method of assessment over assessing only the effectiveness of a control:
- It enables a control assessment to differentiate between the theoretical and the actual effectiveness of the control. While a control may be theoretically effective, such as a reconciliation performed to mitigate the misstatement of an account balance, it may not be very effective in reality. It may only be performed monthly rather than weekly as intended, or reconciling items may not be followed up diligently.
- The 4Ws (who, where, when and what) can be used to help the assessment of the design of a control. If the 4Ws are well understood, it is likely that an assessment of the design of the control will be high.
- The design of a control is often a reflection of the systems or processes underpinning that control, whereas the performance of a control is often about the people operating the control. Assessing both design and performance enables action plans to be drawn up whose actions are better focused on the weaker of the two.
- The use of two dimensions to assess a control mirrors the two dimensions (likelihood and impact) used to assess a risk. This facilitates a comparison of the strength of the controls compared with the risk that the controls are mitigating.
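To make the assessment ideas above concrete, here is a worked example added to this post; it is not code from the book or from RiskLogix. A toy risk register types each control as directive, preventative, detective or corrective, scores it on design and performance, caps a linked control at the strength of the control it depends on, applies before-the-event controls to inherent likelihood and after-the-event controls to inherent impact, lists the 4Ws that are not documented, and flags any control claimed against more than one risk so the head of risk can challenge it. The 1-5 risk scale, the 0.0-1.0 control scores, the combination rules and the sample register are all constructed assumptions.

```python
"""Toy risk-and-control register illustrating the ideas in this post.

Added worked example, not code from the book or from RiskLogix. The 1-5
risk scale, the 0.0-1.0 control scores, the combination rules and the
sample register are constructed assumptions made to show the concepts.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class ControlType(Enum):
    DIRECTIVE = "directive"
    PREVENTATIVE = "preventative"
    DETECTIVE = "detective"
    CORRECTIVE = "corrective"


# Directive and preventative controls act before the event and reduce
# likelihood; detective and corrective controls act after it and reduce impact.
BEFORE_EVENT = {ControlType.DIRECTIVE, ControlType.PREVENTATIVE}
FOUR_WS = ("who", "where", "when", "what")


@dataclass
class Control:
    name: str
    ctype: ControlType
    design: float                    # 0.0-1.0: how well the control is designed
    performance: float               # 0.0-1.0: how well it is actually operated
    four_ws: dict = field(default_factory=dict)  # documented who/where/when/what
    depends_on: Optional[str] = None  # preceding control in a linked sequence

    def own_effectiveness(self) -> float:
        # Assumption: a control is only as strong as the weaker of its two
        # dimensions, so a well-designed control that is run badly scores low.
        return min(self.design, self.performance)


@dataclass
class Risk:
    name: str
    inherent_likelihood: int         # 1-5 (constructed scale)
    inherent_impact: int             # 1-5 (constructed scale)
    controls: list = field(default_factory=list)


def missing_4ws(control: Control) -> list:
    """Design gaps: which of who/where/when/what are not documented."""
    return [w for w in FOUR_WS if not control.four_ws.get(w)]


def effective_strength(control: Control, by_name: dict) -> float:
    """Effectiveness capped by every preceding control in a linked sequence.

    A linked control is only as good as the control before it: if the
    predecessor fails, the dependent control gives no benefit. Assumption:
    modelled as the minimum over the whole chain.
    """
    strength = control.own_effectiveness()
    seen = {control.name}
    current = control
    while current.depends_on and current.depends_on not in seen:
        nxt = by_name.get(current.depends_on)
        if nxt is None:          # dependency not in this risk's register
            break
        current = nxt
        seen.add(current.name)
        strength = min(strength, current.own_effectiveness())
    return strength


def residual_scores(risk: Risk) -> tuple:
    """Apply the typed controls to the inherent scores.

    Assumption: independent controls combine multiplicatively on the
    unmitigated fraction (two 50% controls leave 25% of the inherent score).
    Returns (residual_likelihood, residual_impact) rounded to 4 places.
    """
    by_name = {c.name: c for c in risk.controls}
    likelihood = float(risk.inherent_likelihood)
    impact = float(risk.inherent_impact)
    for c in risk.controls:
        factor = 1.0 - effective_strength(c, by_name)
        if c.ctype in BEFORE_EVENT:
            likelihood *= factor
        else:
            impact *= factor
    return round(likelihood, 4), round(impact, 4)


def control_balance(risk: Risk) -> dict:
    """Count controls acting before the event versus after it."""
    before = sum(1 for c in risk.controls if c.ctype in BEFORE_EVENT)
    return {"before": before, "after": len(risk.controls) - before}


def controls_to_challenge(risks: list) -> dict:
    """Controls claimed against more than one risk, with their scores per risk.

    Same name but different scores usually means two similar controls
    applied differently, not one control mitigating two risks.
    """
    usage = {}
    for r in risks:
        for c in r.controls:
            usage.setdefault(c.name, []).append((r.name, c.design, c.performance))
    return {name: uses for name, uses in usage.items() if len(uses) > 1}


# Constructed sample register (hypothetical names and scores).
FULL_WS = {"who": "line manager", "where": "each department",
           "when": "annually", "what": "documented appraisal"}
REGISTER = [
    Risk("Failure to retain key staff", 4, 3, [
        Control("Staff appraisal", ControlType.DIRECTIVE, 0.8, 0.5, FULL_WS),
        Control("Exit interviews", ControlType.DETECTIVE, 0.6, 0.6, FULL_WS),
    ]),
    Risk("Misstatement of account balance", 3, 4, [
        Control("Staff appraisal", ControlType.DIRECTIVE, 0.8, 0.7, FULL_WS),
        Control("Ledger posting limits", ControlType.PREVENTATIVE, 0.9, 0.9,
                {"who": "finance system", "what": "reject over-limit postings"}),
        Control("Weekly reconciliation", ControlType.DETECTIVE, 0.9, 0.4, FULL_WS),
        Control("Follow-up of reconciling items", ControlType.CORRECTIVE, 0.7, 0.8,
                FULL_WS, depends_on="Weekly reconciliation"),
    ]),
]

if __name__ == "__main__":
    for risk in REGISTER:
        print(risk.name, residual_scores(risk), control_balance(risk))
        for c in risk.controls:
            if missing_4ws(c):
                print("  design gap:", c.name, "missing", missing_4ws(c))
    print("challenge:", controls_to_challenge(REGISTER))
```

Running the module shows the two effects the post describes: the follow-up control is capped at 0.4 because the reconciliation it depends on is performed badly, so it adds little to the residual impact score; and "Staff appraisal" is listed for challenge because it appears against two risks with different performance scores. The residual figures are only a validation aid for a residual risk assessment done by the business, as the post says, not a replacement for it.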
Having identified risks and documented the controls to mitigate those risks, the next stage is to analyse and if necessary to challenge the assessment scores. Tony and John tackle this in their next blog.
Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317
RiskLogix Solutions Limited
RiskLogix has worked with financial services firms around the globe, providing innovative software solutions, training and consultancy services. We provide tangible, actionable advice and guidance to help organisations achieve their strategic goals and deliver true business value.