Controls are often seen as a hindrance rather than an enabler. For some, they may be seen as a necessary evil – a compliance exercise that simply must be done. In this blog we explore some different ways to value your controls, limitations that impede effective valuation of controls – and why you should apply best efforts despite the limitations.
Some of the areas considered include:
- Cost versus value
- Risk-quantified ROI
- Are control scoring models helpful?
- Non-financial considerations
Learn how to build a control framework that’s effective, aligned with your goals, and integrated with your risk management processes:
Cost versus value
The ISO 31000 definition of a control is a measure that maintains and / or modifies risk. The financial cost of a control is based on how much it costs to put in place and maintain; the value of the control is the effect it has on the risk. Comparing these can help you identify the ROI of controls… but there are some wrinkles.
Nearly every risk – and the controls placed over it – have a time dimension. They may or may not occur (or occur multiple times) over a specified time horizon.
This raises questions about the cost of a control. Do you just consider the ongoing annual cost of a control (opex)? It might have a significant upfront cost to implement (capex) – do you include it? If so, do you amortise it over a period of time for ROI calculations? If yes, how long?
You could capture data about the control that looks something like this:
| Annual cost to perform | £10,000 |
| Allocated annual cost | £20,000 |
| Upfront cost | £50,000 |
| Amortisation period (years) | 5 |
Usually estimating these costs is not difficult. However, it does require a good understanding of the control objective, how it is performed, and how frequently it is tested (don’t forget to include those in the cost).
Beyond the purely financial costs, there may be other hidden costs. Performing the control might require subject matter experts, or the use of limited technology resources. These may represent opportunity cost if those limited resources could generate more reward elsewhere. While it may not be worth the effort to formally capture these qualities, they may be important factors in determining the business case for controls, and modifying them in future.
The value of a control
The real value of a control may be a little harder to nail down, but there are some proxies or simple calculations you might prefer to rely on. Controls modify risk; usually this is expressed as a combination of likelihood and impact. Most qualitative approaches combine these into a risk matrix and colour code or label the overall risk. You could compare the inherent risk to the residual risk, but in the strictest sense, ROI is one number divided by another – these qualitative approaches don’t help here.
A potential workaround is to take the midpoint of the likelihood/frequency scale and the midpoint of the impact scale and multiply them. Take the difference between inherent and residual as the value. This highlights another couple of bumps on our road to valuing controls:
- The difference between inherent and residual usually considers multiple controls collectively, not individual controls. The effect of each could be vastly different.
- If considered alone, a single control may have a high ROI (especially if cost is low) but not shift the risk into a different ‘bucket’. We get a divide by zero error.
This highlights some of the inherent flaws in risk matrices. You could forget the matrix and do a more simple assessment and calculation – how much might the likelihood / frequency or average impact change if they control didn’t exist? As an example, if a preventive control was removed, you might estimate the likelihood increases by 20% compared to current levels. If the average impact of the risk is estimated at £1 million, you could say the control is worth 20% x £1 million = £200,000.
If that control costs £20,000 to implement, you could say that its ROI is (£200,000 - £20,000) / £20,000 = 900%. However risk isn’t based on averages, it’s based on ranges.
Risk-quantified ROI
The next step up is to measure risks quantitively, and then how controls affect them. By definition, risks are uncertain and have a range of outcomes with differing likelihoods and impacts, which can be expressed as probability distributions. Controls can shift those probability distributions. You may have sufficient data, or you can use subject matter experts to provide opinions on these ranges.
You could take the average of the distribution before the control, then take the average of the distribution after the control, and you have defined the value of the control. Compare the two and we get the ROI. This is very similar to the simple calculation above.
Labels: Red = before controls, blue = after controls. X-axis is impact, y-axis is likelihood, no values
However, controls may be designed to manage different parts of the risk. Insurance is the easy target here – by definition it should have a negative ROI, but remains an important risk mitigation tool as it deals with high impact or tail risk events. We can supplement the simple ROI calculation with a conditional value of risk measure (i.e. compare the average impact of the worst 1% of outcomes with and without the control), or perhaps forget about likelihood and only worry about impact. Either way it highlights that a single measure may not be sufficient.
This may be the most accurate, but requires sufficient rigour (especially if you want it to be applied consistently for benchmarking), and increases challenges with communicating with other stakeholders.
What about control scoring models?
I can’t say I’ve found a control scoring model that I’ve liked – but I understand the desire. These approaches typically take a qualitative scoring model (like a risk matrix), and weight controls based on their qualities.
Common factors that complicate them (or even undermine their intent) are whether there are logarithmic scales, controls being weighted by type (preventive versus reactive) or whether they are key or non-key, or assumptions made about linear pathways if combining multiple controls into the equation.
The problem is that these proxies often end up not being a proper measure of the controls actual value, and turn qualitative assessments into proxies. A control with a score of 4 may be much better or worse than two controls with a score of 2, depending on the method.
Non-financial considerations
If you’ve calculated a workable ROI calculation or score, it may not be as simple as ordering them and getting rid of those with the lowest ROI. While controls modify risk, there might be some minimum control standards you need to meet from a regulatory perspective. You might also have made control commitments to a third party that don’t have good ROI in and of themselves, but are ‘table stakes’ in order to participate in an otherwise highly beneficial relationship.
In addition, you may want to consider the perception of your stakeholders, and in particular your employees who are likely to be more aware of your control environment. A stronger control environment may imply a stronger culture, and may improve their conduct beyond the impact of any specific control.
Risks may also be measured not just in their financial impact, but others such as safety, employees and people, and impact on the environment. While you can convert these to financial measures, this approach makes some people nervous, due to potential perception that matters such as safety are undermined.
Conclusions and next steps for your organisation
So should we ignore trying to value controls? Of course not. You and your people are already evaluating the value of controls on at least a subjective basis. You don’t need to perfect, just better than what you are doing today. Here are some steps you can take to improve, even if you can’t reach the holy grail of quantifying every control.
- Capture the operational cost of each control
- Consider a targeted ROI for preventive or likelihood reducing controls. This could be aligned with internal investment hurdle rates or similar metrics. Rather than spending effort analysing the specific reduction in risk, it can be faster to assess whether the control is likely to exceed the targeted ROI
- Use a similar approach when creating the business case for new controls. A minor increase in low level losses may be acceptable if investment can be put towards non-control activities that generate better rewards
- If you do capture the value or ROI of controls, use it as a baseline for rationalising your controls framework while considering the qualitative factors alongside those quantitative factors
Being able to consistently value, compare and benchmark controls requires consistent data capture and documentation. Protecht ERM simplifies this process by providing a comprehensive controls management and assurance platform that centralises your control data, automates testing, and delivers real-time reporting.
Here’s how Protecht ERM can help you unlock the full value of your controls:
- Single source of truth: Manage all control-related data in one place, ensuring consistency, accessibility, and accuracy.
- Test scheduling and assurance: Streamline control tests with pre-built templates, automated scheduling, and real-time monitoring to maintain control performance with minimal effort.
- Framework mapping: Align controls across multiple standards, reducing duplication and ensuring compliance with regulatory requirements.
- Performance insights: Use dynamic dashboards and detailed reports to track ROI, identify optimisation opportunities, and ensure your controls remain fit for purpose.
Download our Mastering controls for risk management eBook and learn how you can build a control framework that’s effective, aligned with your goals, and integrated with your risk management processes: