Skip to content

Six key questions to define risk control

We've previously discussed the basic but often confused issue, of describing operational risks in a logical and understandable way. In this blog, I turn to controls, which are often as equally poorly defined and understood.

The ISO 31000 standard defines control as a “measure that is modifying risk”. While not incorrect, this definition is broad, and I am not sure overly meaningful or engaging with the employee at the coal face. 

To find out more about risk controls and how they fit into our ERM framework, read our free eBook:

Find out more

Risk control definition

I think a risk management framework that wishes to engage the front line needs a more practical definition and understanding of controls.

Let’s investigate further by asking these key questions:

    1. What aspect(s) of risk is the “measure” modifying?
    2. How does a control “modify” risk?
    3. What is a “measure”?
    4. What is a control and what is not?
    5. What are the main types of control?
    6. What “measures” should be ideally recorded in a risk and control register? 

1. What aspect(s) of risk is the “measure” modifying?

Risk is generally measured through a combination of an assessment of the likelihood of it occurring and the impact if it were to occur. These are considered the key characteristics of a risk that a control may modify. A control will, therefore, modify the likelihood and/or impact of a risk. 

Another aspect of risk that a control can modify is the risk’s velocity (a risk aspect that is not talked about much but which we discuss here). This is the speed at which a risk passes through the phases of its life from initial cause to final impact. A bilge pump on a sinking ship reduces velocity to allow more chance for passengers to evacuate the ship.

2. How does a control “modify” risk?

The ISO 31000 definition specifically does not say “measure that is reducing risk” but rather “measure that is modifying risk”. This recognises that the risk aspect may be either increased or decreased by the control. The general assumption with most controls is that they will reduce risk which is usually valid. However, some controls may reduce one aspect of the risk while increasing another.

Taking out mobile phone insurance for loss of phone for your staff will reduce the net impact of a financial loss but will most likely increase the likelihood of it being lost as the employee will care less as the net impact to them is zero or negligible.

We need to understand the way that controls modify all aspects of the risk in order to understand whether overall the control reduces or increases the risk.

3. What is a “measure”?

There is a range of treatment methods we can apply to risk that will modify it. The main treatment methods we have available are:

  1. Accept the risk
  2. Eliminate / avoid the risk by stopping the activity causing the risk
  3. Reduce the risk by increasing controls
  4. Reduce the risk by transferring some of the risk impact (e.g. Insurance)
  5. Reduce or increase the risk by transforming the inherent risk environment. This would usually involve process re-engineering.
  6. Increase the risk by reducing controls

Not all of the above would be considered “controls”. Controls are only involved in points 3, 4 and 6.

“Measures” that are controls are therefore usually considered to be either a procedure/action or a device that is aimed at modifying a risk(s).

4. What is a control and what is not?

A definition of control in risk management: the ISO 31000 standard says “Controls include any process, policy, device, practice, or other actions that modify risk.” In reviewing many risk registers, “controls” are identified as many things, including:

  • Policies e.g. HR Policy
  • Documented procedures e.g. Documented procedures for paying suppliers
  • Actions to fix a broken control e.g. Fixing of broken door locks
  • Parts of the inherent risk environment e.g. Fixed window panes
  • Committees e.g. Pricing Committee 

The above are not controls. They may have controls embedded in them but this is what should be called out. “HR policy” or “Pricing Committee” as a control is too vague. Parts of the inherent risk environment are not controls.

I often find it useful to differentiate between controls and “part of the furniture”. An item that is part of the furniture is expected to be there in a normal operating environment and will have multiple purposes, not just the modification of a single risk. 

An example is the fixed window pane in a building. The window reduces the risk of unauthorised access but we a) would expect it to be present in a typical building and b) it also keeps out the weather, keeps us warm and allows us to get natural light. 

In contrast a security guard would be identified as a control because not all buildings have them and their primary role is security.

5. What are the main types of control?

Controls are usually categorised as either Preventive, Detective or Reactive. This is based primarily on where in a risk’s life do they apply and as a result, do they modify the likelihood and or the impact of the risk.

Preventive controls apply at the beginning of a risk’s life, at or near the root causes(s). As a device, they often act as a barrier to “nip it (the risk) in the bud”. They primarily reduce the likelihood of the risk occurring. Examples are system passwords, locked doors, machinery maintenance etc.

Detective controls usually apply somewhere in the middle of the risk’s life. Detective controls rely on the analysis of information in order to detect that a risk is “in motion”. Detective controls that are “early” in the risk’s life usually modify likelihood and those that are “late” in the life, usually modify impact. Examples are data reconciliations, smoke detectors, exception reports, etc.

Reactive controls (sometimes also called responsive or corrective), apply towards the end of a risk’s life when the impact is imminent or being felt. They are focused on modifying impact. Examples are DRP, Insurance, media management etc.

6. What controls should be recorded in a risk and control register?

Controls should be recorded in the risk register against the related risk. The issue is which controls should be recorded. I usually consider that “measures” can be divided into four main types:

  1. Base line “controls” = Part of the furniture
  2. Minor controls = Very little impact on the risk
  3. Medium controls = Negotiable but important
  4. Key Controls = Non-Negotiable

Only the key and medium controls should be recorded. This should limit the number of controls for each risk to between 2 and 4.

Conclusions and next steps for your organisation

The quality for risk data in your risk system and the level of staff engagement with risk is highly dependent on the level of understanding that staff have of the basic components of risk and controls. The issues above should be addressed in your guidance and training of staff as without clarity much confusion will exist.

To find out more about risk controls and how they fit into our ERM framework, read our free eBook:

Find out more

 

For risk management to be effective, it needs to be embedded as part of day-to-day activities - not something separate. In Protecht Academy's Risk Management for Line 1 training course we cover the role of Line 1 in risk management, what 'Line 1' really means, the key risk management processes Line 1 may be involved in, and the skills and behaviours required to achieve organisational objectives.

Find out more about Protecht Academy and purchase our training course online:

Find out more

 

This article originally published October 2015, updated July 2023.

About the author

David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David’s vision is the redefine the way the world thinks about risk and to develop risk management to its rightful place as being a key driver of value creation in each of Protecht’s clients. David is the driving force in driving Protecht’s risk thinking to the frontiers of what is possible in risk management and to support the uplift of people risk capability through training and content.