Most issues or events that impact an organisation's objectives occur because controls are absent or ineffective. It follows that ensuring the controls currently in place are actually effective is fundamental to reducing an organisation's risk exposure.
AS/NZS ISO 31000:2009 defines a control as a "measure that is modifying risk". Controls include any process, policy, device, practice or other action that modifies risk.
There is a direct relationship between the effectiveness of current controls and the Likelihood and/or Consequences of an identified risk: the more effective the controls, the lower the Likelihood of the risk occurring, or the lesser the Consequences if the event does occur.
It also needs to be remembered that the absence of an incident or event is not in itself evidence of control effectiveness. It shows only that all of the pre-conditions required for that incident have not yet been present at the same time; the incident may have been avoided through good luck rather than good management.
So what do we do to improve assessment of effectiveness?
The most effective method is to identify the risks with the highest Consequences for the organisation. For each of these risks, identify the controls currently in place to reduce the Likelihood of the risk occurring (or to limit its Consequences). Once this is completed, ensure that performance indicators are defined for each of those controls, and that performance against them is monitored through the organisation's internal audit program.
The bottom line: if controls are not being measured, it is impossible to determine whether or not they are effective. If you can't establish control effectiveness, you can't make a reasonable determination of risk level, and the organisation may have a higher exposure to risk than it believes to be the case.
PO Box 359, MITCHELL ACT 2911 Australia
T 0400 666 142 | F 02 8208 7398
E [email protected] W: www.paladinrisk.com.au