Protecht’s eleven part complimentary webinar series focusing on a comprehensive deep dive into Workplace Health and Safety (WHS), kicked off on 23 July 2020. Click here to join the upcoming remaining live sessions in this series.
In the 8th Webinar in the series we looked at the importance of Controls Design and Controls Assurance for WHS.
Objectives of Controls Design and Assurance
There are 5 Objectives of Controls Design and Assurance:
1. Design an optimal set of controls to achieve a risk level "As Low As Reasonably Practicable" (ALARP)
2. Design controls with optimal cost benefit. This also achieves lower risk.
3. Provide reasonable assurance as to the design and operating effectiveness of our current controls.
4. Identify control gaps and control weaknesses so that they can be remediated.
5. Comply with regulatory requirements.
In the ISO 31000 standard, controls design and assurance are primarily covered by process steps 6. Risk Treatment and step 7. Monitoring and Review. In the ISO 45001 standard, controls assurance is covered by section 8. Operations, in particular section 8.1.2 The Elimination of Hazards, and section 9. Performance Evaluation, in particular section 9.1.1 Monitoring, Measurement, Analysis and Performance Evaluation.
As we have discussed in previous Webinars, we are passionate about integrating WHS into the overall Enterprise Risk Management (ERM) process. The WHS controls process falls under the ERM Controls Assurance process.
In our first poll, we were interested to find out if our Webinar participants had a formal ongoing controls assurance program in place. We asked 'Do you have a formal ongoing controls assurance program in place over your WHS critical controls?'
- 45% of participants do have a formal program.
- 32% of participants do not have a formal program.
- 23% of participants have a formal program in development.
It is reassuring to see that nearly half of our webinar participants do have a formal program in place over WHS Critical Controls.
Controls Design: Objectives & Design Considerations
In the webinar we explored the importance of controls design to enable it to achieve the control objectives. The design of the control is crucial.
Control design effectiveness assessment assesses the degree to which a control's design allows it to meet the control objective(s). A control can never be better than how it is designed!
The starting point is to articulate the control objective. At Protecht we have developed the following guidance in order to articulate a control objective. The control of ear protection has been used as an example.
- Use the Control Type. i.e. To prevent,
- Reference the Risk to which the Control relates. i.e. the risk of hearing damage
- Define what the Control is expected to do to the Risk. i.e. by reducing the likelihood of hearing damage
- Define what the Control specifically does. i.e. by protecting the ears by placing a noise reducing barrier between the noise and the ear.
In our second poll we asked 'Do you formally record the control objectives of your critical controls?'
- 71% of participants do formally record the control objectives of their critical controls.
- 29% do not.
When considering Treatment Effectiveness methods in Risk Management, we consider the following 7 possible responses to a Risk:
- Accept the Risk. We would do this when it has been reduced to ALARP
- Transform the Inherent Risk. (Process re-engineer)
- Improve Controls.
- Transfer/Share the Impact. (relevant only for financial loss)
- Accept the Risk. (formally)
- Avoid the Risk.
- Reduce Controls. This would be considered only where we had gone past the point of ALARP.
If we relate this methodology to the WHS Hierarchy of Controls, "Elimination" at the top of the hierarchy is not a control but equivalent to avoidance. Next, "Substitution" is not a control but reflects transformation of the risk. Controls are reflected more in the Administrative, Engineering and PPE parts of the hierarchy.
Using Bow Tie Analysis, a concept that we have explored throughout this webinar series, we can identify our control types and the impact of the controls on likelihood and impact. This helps us to determine our control objectives and ensures that it is more proactive, as we know "prevention is better than cure."
Controls Assurance: Control Testing
Once we are happy with the design of our controls, we need to provide ongoing controls assurance that the controls are working effectively.
In Risk Management, we often use the 5 by 5 Risk Matrix to assess the effectiveness of controls. We can also use Bow Tie Analysis again to assess our controls effectiveness, individually or as a group covering all controls related to the risk.
At Protecht we follow a particular methodology to ensure control effectiveness. We recommend doing design effectiveness testing first, then operational effectiveness and combining them for an overall effectiveness rating.
With this in mind in our third poll we asked 'Do you test Design and Operating effectiveness separately and then combine them for an overall effectiveness rating?'
- 28% of participants combine the two for an overall effectiveness rating
- 72% of participants test the design and operating effectiveness separately
Controls Assurance: Dynamic Monitoring
As explored in previous webinars, Protecht is passionate about dynamic monitoring and reporting. This provides an an integrated, dynamic view of our controls. With that in mind, we were interested to find out how our Webinar participants are currently 'using automated continuous monitoring of controls?'
- 58% of participants are not using automated continuous monitoring
- 42% are partially using
- 0% are using automation comprehensively
These results are promising, I encourage more of you to start using more automated and continuous monitoring of your controls, this monitoring will allow for aggregation and more insight in your reporting.
Reporting & Communication
In the webinar we looked at some examples of aggregated and proactive reporting, the ultimate being the Protecht Risk in Motion reporting and for WHS Safety in Motion reporting. In the 10th & 11th Webinar of this series we will be exploring these dynamic visualisations in more detail.
I was interested to know how the webinar participants are currently recording and reporting on Controls Assurance testing:
- 32% of participants are using a variety of informal systems
- 32% of participants are using a dedicated WHS system
- 5% have a formal dedicated part of an ERM system
- 32% don't have a formal controls assurance process
As we have explored through this series, at Protecht we are passionate about integrating WHS with Enterprise Risk Management (ERM) to give a true consolidated organisational view of risk. These results whilst encouraging show that we have some way to go in developing a strong, integrated and efficient and effective controls assurance process.
In our next webinar we will continue our deep dive into WHS by looking at WHS Compliance and Compliance Risk Management.
To access the recording of the previous webinars and to save your spot for the upcoming webinars click the image below: