Risks and controls. While the latter are just one way to respond to risk, you’ll usually find them hanging out together in risk registers, and their relationship is embedded in most risk frameworks.
Risk can be unpredictable and temperamental, relying on its partner, Control, to keep it in check. Unfortunately, despite best intentions, Control sometimes gets distracted and leaves Risk exposed and vulnerable. It might be time to provide some therapy: we need to step in and give Control some assurance.
In this blog (without any more tortured analogies) we will cover:
- Why controls assurance is required
- The key elements of controls assurance
- Common challenges in controls assurance
- Maturing your controls assurance processes
To grow your understanding and implementation of controls assurance, we invite you to register for our upcoming webinar, "From controls chaos to controls assurance":
Why you need controls assurance
Let’s begin with the foundations – the definitions of risk and control, taken from ISO 31000 Risk Management Guidelines.
Risk – The effect of uncertainty on objectives.
Control – A measure that maintains and/or modifies risk.
Combined, this becomes:
Control – Measure that maintains or modifies the effect of uncertainty on objectives.
Typically, controls increase the likelihood that we will achieve our objectives. However, ISO 31000 does include a sub-note to its definition of controls:
Controls may not always exert the intended or assumed modifying effect.
This is why controls assurance is crucial. Controls may not have the intended effect for many reasons, including:
- The nature of the risk has changed, rendering the control ineffective
- It wasn’t well designed or implemented in the first place
- Their efficacy degrades over time, especially for physical controls
- Manual controls get ‘forgotten’ or change over time
- They are considered a hindrance, so people create workarounds
You don’t have to look far in the news cycle for control failures. Each of those headlines makes the same point about controls assurance: you need to verify that controls actually work as intended rather than assume they do.
What are the key elements of controls assurance?
Controls assurance is a structured approach to assessing whether controls have the intended effect. Assessing an individual control can be broken down into 3 key steps:
- Control objective: Understanding what the control is intended to do, and how it modifies risk.
- Design effectiveness: Determining whether the control is designed in a way that can meet the objective.
- Operating effectiveness: Ensuring the control operates correctly and consistently as intended.
Consider a sales exception report, where the control objective is ‘to detect inappropriate discounts in order to deter them from occurring in future’. If the report cannot actually identify inappropriate discounts, its design is ineffective. Conversely, if the report identifies the discounts but no one reviews or actions it, it is not operating effectively.
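The sales exception report above, worked through as an added example (not code from the original post or from Protecht). The control objective, the 20% discount threshold, the authorised approver list, the five-day review SLA and all sales and review records are constructed assumptions for illustration. The point it shows is that design effectiveness and operating effectiveness are tested separately: the design test compares the report’s output against what the tester independently established as inappropriate, and the operating test checks that every flagged exception was actually reviewed in time. Neither test asks merely whether any inappropriate discount happened to occur, which would be testing the data rather than the control.

```python
"""Assessing one control (a sales exception report) for design and operating
effectiveness. All data, thresholds and names below are constructed for this
example; they are not from the original post."""
from datetime import date

# Assumed control parameters.
DISCOUNT_THRESHOLD = 0.20           # discounts above 20% need approval
AUTHORISED_APPROVERS = {"sales_manager_a", "sales_manager_b"}
REVIEW_SLA_DAYS = 5                 # flagged exceptions must be actioned within 5 days

# Constructed sales records for one reporting period.
SALES = [
    {"id": "S1", "list": 100.0, "price": 95.0,  "approver": None},
    {"id": "S2", "list": 100.0, "price": 70.0,  "approver": "sales_manager_a"},
    {"id": "S3", "list": 200.0, "price": 120.0, "approver": None},      # 40% off, unapproved
    {"id": "S4", "list": 50.0,  "price": 30.0,  "approver": "rep_x"},   # 40% off, approver not authorised
    {"id": "S5", "list": 100.0, "price": 100.0, "approver": None},
]

# What the tester established independently (e.g. by re-performing the
# discount calculation on the raw data). This is the yardstick for design.
KNOWN_INAPPROPRIATE = {"S3", "S4"}

# Constructed review log: S3 was actioned, S4 was never looked at.
REPORT_DATE = date(2024, 6, 7)
REVIEWS = [
    {"exception_id": "S3", "reviewer": "sales_manager_b",
     "reviewed_on": date(2024, 6, 10), "action": "discount reversed"},
]


def exception_report(sales, threshold=DISCOUNT_THRESHOLD):
    """The control as intended: flag sales whose percentage discount exceeds
    the threshold and that lack an authorised approver."""
    flagged = []
    for s in sales:
        discount = 1 - s["price"] / s["list"]
        if discount > threshold and s["approver"] not in AUTHORISED_APPROVERS:
            flagged.append(s["id"])
    return flagged


def flawed_exception_report(sales, min_amount=50.0):
    """A badly designed variant: it compares the absolute discount in currency
    units, so a large percentage discount on a cheap item is never surfaced."""
    return [s["id"] for s in sales
            if (s["list"] - s["price"]) > min_amount
            and s["approver"] not in AUTHORISED_APPROVERS]


def assess_design(report_ids, known_inappropriate):
    """Design effectiveness: does the report surface every inappropriate
    discount the tester found, without burying reviewers in false positives?"""
    reported = set(report_ids)
    missed = sorted(known_inappropriate - reported)
    false_positives = sorted(reported - known_inappropriate)
    return {"effective": not missed, "missed": missed,
            "false_positives": false_positives}


def assess_operation(report_ids, reviews, report_date, sla_days=REVIEW_SLA_DAYS):
    """Operating effectiveness: was every flagged exception reviewed, and
    within the SLA? A report nobody actions is not operating."""
    by_id = {r["exception_id"]: r for r in reviews}
    unreviewed, late = [], []
    for rid in report_ids:
        review = by_id.get(rid)
        if review is None:
            unreviewed.append(rid)
        elif (review["reviewed_on"] - report_date).days > sla_days:
            late.append(rid)
    return {"effective": not unreviewed and not late,
            "unreviewed": unreviewed, "late": late}


if __name__ == "__main__":
    good = exception_report(SALES)
    print("well-designed report flags:", good)            # ['S3', 'S4']
    print("design:", assess_design(good, KNOWN_INAPPROPRIATE))
    print("flawed design:", assess_design(flawed_exception_report(SALES),
                                          KNOWN_INAPPROPRIATE))  # misses S4
    print("operation:", assess_operation(good, REVIEWS, REPORT_DATE))  # S4 unreviewed
```

Run as-is, the well-designed report passes the design test and fails the operating test (S4 was flagged but never reviewed), while the flawed variant fails design because it never flags S4 at all. In a real programme the tester’s independent list of inappropriate discounts is the expensive part; without it the design test collapses into trusting the control’s own output.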
While that covers an assessment of an individual control, the controls assurance program itself needs to consider the ultimate goal, which is to gain assurance over the likelihood of achieving objectives. There may be hundreds or even thousands of controls in an organisation. Gaining assurance over these controls requires resources, which requires planning. That includes the tester’s time, and also the time and disruption imposed on the person who owns or operates the control.
This needs to be balanced against the risks the controls relate to. There is little point spending large sums on gaining assurance over a control that has limited impact on overall business objectives.
Common challenges in controls assurance
There can be some common suboptimal approaches in controls assurance, both at an individual level and when looking more broadly at the controls assurance program. Let’s explore them:
- Lack of clarity of control objectives: If your control framework doesn’t document control objectives, people will make assumptions about what a control is meant to do. If the performance of the control has changed since it was implemented, that might not be identified, and testers may assume the current design is as intended.
- Testing data, not controls: Testers may check if risks occurred rather than whether controls prevented them. This is like leaving your car window down and saying the locks must be effective because it hasn’t been stolen yet.
- Duplicating control testing: Duplication can occur for a few reasons. The first is duplication of the controls themselves across multiple areas; centralising them reduces the number of controls that need testing in the first place. The second is different teams assessing the same controls due to a lack of communication or visibility.
- Inconsistent testing approaches: If there is no defined approach or criteria to test a control, multiple testers might test the same control and achieve different results.
- Treating all controls the same: Applying the same frequency or rigour to all controls is not an effective use of resources. It likely results in too much effort spent on low-level risks and insufficient attention paid to controls over risks that need higher levels of assurance.
- Ineffective planning or resourcing: Controls testing may be based on current resourcing rather than on the objectives and risks that executives or the board want assurance over, or conversely might follow a plan that simply can’t be achieved. This is exacerbated if no thought has gone into how long assurance activities actually take.
- No accountability for control effectiveness: Imagine a tester assesses a control is ineffective, emails a report to the control owner, and then moves on to the next test thinking their job is done. If there is no accountability built into the controls assurance program, then improvement to the control environment is unlikely to be achieved.
- No integration with the risk profile: Assurance over controls should not be completed in a silo. The whole purpose of a control is to modify risk – controls assurance should result in corresponding updates to keep stakeholders informed about the level of risk.
Maturing your controls assurance process
What are the key steps and considerations in maturing your control assurance processes?
- Define control objectives: While it may seem basic, ensure that control objectives are consistently documented. This sets the foundation for assessments.
- Define assessment criteria: Be clear how you expect design and operating effectiveness to be measured. Key controls should have clearly defined tests, so that there is limited variability across testers or if the test is reperformed.
- Be dynamic: While you might have an assurance plan, modify it in real time based on a changing risk profile. Use key risk indicators to identify controls that may require additional assurance, or anomalies in key control indicators to perform spot checks.
- Define roles, responsibilities, and accountabilities: Be clear on who is responsible for control assurance activities. This includes who defines the cadence of the assurance program, the different roles played by Line 1 and Line 2, and accountability for action when control weaknesses are identified.
- Be transparent: The results of assurance need to be incorporated into reporting along with other risk information up to senior management and the board as required. An overall level of risk can be aggregated with other risk data such as risk metrics, attestations, controls assurance, outstanding issues and actions, and more. At Protecht we call this Risk In Motion. If a risk is rated low but there are multiple control weaknesses linked to the risk, this may prompt further inquiry on the accuracy of the risk assessment.
- Audit trail and history: Maintain appropriate records of controls and associated assurance activities. It isn’t enough to know what the current status of the control is. How has its status changed over time? Who tested it and when? Who was notified of outcomes? Did it drive action?
Conclusions and next steps for your organisation
Controls are an integral part of an overall risk framework; however, assurance activities are often overlooked or not integrated with it. Establishing a robust controls assurance program is essential for ensuring that controls function as intended, adapting to changes in the risk landscape, and maintaining overall organisational resilience.
To further your understanding and implementation of controls assurance, we invite you to register for our upcoming webinar, From controls chaos to controls assurance on Thursday, 25 July 2024.
Join me and Protecht’s Chief Research & Content Officer, David Tattam to find out how you can build a robust control assurance program and bring it to life. Gain insights into assessing the effectiveness of controls, consolidating assurance efforts, and aligning with common control frameworks: