Six key questions to define risk control
We've previously discussed the basic (but often confused) issue of how to describe operational risks in a logical and understandable way. In this blog, I turn to how to define controls, which are often equally poorly defined and understood.
The ISO 31000 standard defines a risk control as a “measure that is modifying risk.” While not incorrect, this definition is broad, and I am not sure it is overly meaningful or insightful.
Risk control definition
I think a risk management framework that seeks to engage front-line employees needs a more practical definition and understanding of controls.
Let’s investigate further by addressing these key questions:
- What aspect(s) of risk is the “measure” modifying?
- How does a control “modify” risk?
- What is a “measure”?
- What is a control and what is not?
- What are the main types of control?
- What “measures” should be ideally recorded in a risk and control register?
1. What aspect(s) of risk is the “measure” modifying?
Risk is generally measured through a combination of an assessment of the likelihood of it occurring and the impact if it were to occur. These are considered the key characteristics of a risk that a control may modify. A control will, therefore, modify the likelihood and/or impact of a risk.
Another aspect of risk that a control can modify is the risk’s velocity. This is the speed at which a risk passes through the phases of its life from initial cause to final impact. (This is a risk aspect that is not talked about much but which we discuss in detail here). For example, a bilge pump on a sinking ship reduces velocity to allow more chance for passengers to evacuate the ship.
2. How does a control “modify” risk?
The ISO 31000 definition specifically does not say “measure that is reducing risk” but rather “measure that is modifying risk”. This recognizes that the risk aspect may be either increased or decreased by the control. The general assumption with most controls is that they will reduce risk, which is usually valid. However, some controls may reduce one aspect of the risk while increasing another.
For example, taking out insurance against the loss of your staff’s mobile phones will reduce the net impact of a financial loss, but will most likely increase the likelihood of a phone being lost, because the employee will take less care when the net impact to them is zero or negligible.
We need to understand the way that controls modify all aspects of the risk in order to understand whether overall the control reduces or increases the risk.
3. What is a “measure”?
There is a range of treatment methods we can apply to risk that will modify it.
The main treatment methods we have available are:
1. Accept the risk
2. Eliminate or avoid the risk by stopping the activity causing the risk
3. Reduce the risk by increasing controls
4. Reduce the risk by transferring some of the risk impact (e.g., insurance)
5. Reduce or increase the risk by transforming the inherent risk environment; this would usually involve process re-engineering
6. Increase the risk by reducing controls
Not all of the above would be considered “controls”. Controls are only involved in points 3, 4 and 6.
“Measures” that are controls are therefore usually considered to be a procedure, an action or a device aimed at modifying one or more risks.
4. What is a control and what is not?
Let’s review the definition of control in risk management. The ISO 31000 standard says, “Controls include any process, policy, device, practice, or other actions that modify risk.”
In reviewing many risk registers, “controls” are identified as many things, including:
- Policies, e.g., HR policy
- Documented procedures, e.g., documented procedures for paying suppliers
- Actions to fix a broken control, e.g., fixing broken door locks
- Parts of the inherent risk environment, e.g., fixed window panes
- Committees, e.g., a pricing committee
The above are not controls. They may have controls embedded in them, but it is those embedded controls that should be called out. “HR policy” or “Pricing Committee” as a control is too vague. Parts of the inherent risk environment are not controls.
I often find it useful to differentiate between controls and “part of the furniture.” An item that is part of the furniture is expected to be there in a normal operating environment and will have multiple purposes, not just the modification of a single risk.
An example is the fixed window pane in a building. The window reduces the risk of unauthorized access, but a) we would expect it to be present in a typical building, and b) it also keeps out the weather, keeps us warm, and lets in natural light.
In contrast, a security guard would be identified as a control because not all buildings have them and their primary role is security.
5. What are the main types of control?
Controls are usually categorized as either Preventive, Detective or Reactive. This is based primarily on where they apply in a risk’s lifecycle and, as a result, whether they modify the likelihood and/or the impact of the risk.
Preventive controls apply at the beginning of a risk’s life, at or near the root cause(s). As a device, they often act as a barrier to “nip it (the risk) in the bud.” They primarily reduce the likelihood of the risk occurring. Examples include system passwords, locked doors, and machinery maintenance.
Detective controls usually apply somewhere in the middle of the risk’s life. Detective controls rely on the analysis of information in order to detect that a risk is “in motion”. Detective controls that are “early” in the risk’s life usually modify likelihood and those that are “late” usually modify impact. Examples include data reconciliations, smoke detectors, and exception reports.
Reactive controls (sometimes also called responsive or corrective) apply towards the end of a risk’s life when the impact is imminent or being felt. They are focused on modifying impact. Examples include insurance and media management.
6. What controls should be recorded in a risk and control register?
Controls should be recorded in the risk register against the related risk. The issue is which controls should be recorded. I usually consider that “measures” can be divided into four main types:
- Baseline “controls” = Part of the furniture
- Minor controls = Very little impact on the risk
- Medium controls = Negotiable but important
- Key controls = Non-negotiable
Only the key and medium controls should be recorded. This should limit the number of controls for each risk to between 2 and 4.
Conclusions and next steps for your organization
The quality of risk data in your risk system and the level of staff engagement with risk are highly dependent on the level of understanding that staff have of the basic components of risk and controls. The issues above should be addressed in your guidance and training of staff since, without clarity, much confusion will exist.
For risk management to be effective, it needs to be embedded as part of day-to-day activities - not something separate. In Protecht Academy's Risk Management for Line 1 training course we cover the role of frontline employees, or Line 1, in risk management, what Line 1 really means, the key risk management processes Line 1 may be involved in, and the skills and behaviors required to achieve organizational objectives.
This article was originally published October 2015, and updated in July 2023.