Controls in a risk management strategy
All organisations should produce, maintain and keep updated a corporate risk map, the aim of which is to give the company an overview of its status in terms of how well prepared it is to deal with events that might hinder the development of business processes.
Basically, this status includes the level of detection, prevention and response to the occurrence of an event that could impact on the business.
Risk response: Controls based on its effectiveness
Based on knowledge about this status, decisions can be taken to try to mitigate the risks that are considered to be unacceptable to the organisation. The aim is to be able to prioritise available resources to improve the company’s response to the risk.
This process is known as risk analysis. It should be consistent with a previously established methodology for calculating levels of risk.
The control measures, or controls, are the way of responding to the risks. All organisations have different controls in place that need to be identified and assessed in the analysis.
The assessment of the controls should be based on their effectiveness. We need to know if the control really does help to mitigate the risk and to what extent it does so. This effectiveness value gives us the current level of risk faced by the organisation.
If the result we get indicates a high level of risk then this means the current control measures used by the organisation are not effective, or are insufficient. If the level of risk is low then this means our measures are both sufficient and effective.
The importance of the risk management strategy and the implementation of controls
It is essential to define the acceptable risk level based on the risk appetite the organisation has.
All risks with a score above the acceptable risk level must be assessed and a strategy defined to manage them. One possible strategy is to establish an action plan to improve the high risk situation, implementing new control measures or improving those already in place.
We should get approval of the risk analysis results from senior management, as the management team needs to know the situation the organisation is in, and get approval for the acceptable level of risk, as this definition will establish whether a risk is manageable or needs to be addressed.
Under no circumstances should a risk with a score above the acceptable risk level be left unevaluated.”
The controls are usually preventative or corrective, the first of which means they help us to prevent the risk from affecting us, and in this case make it less likely; or they help us to reduce the impact that the risk has once it has materialised, which is the case of corrective controls.
Action plan: controls to mitigate risks
The action plan, or risk treatment plan, should contain all the control measures needed to reduce high risk levels to an acceptable level. It might be that we have to implement more than one control for a particular risk, or that one control serves to mitigate more than one risk.
We need to select the controls and include them in the treatment plan based on our need to reduce the likelihood or impact of each risk.
Once the plan has been drawn up, it needs to be approved by senior management in order to guarantee the availability of resources to execute it and so that the people appointed to take charge of the projects to be carried out can assume their responsibilities.
We need to carry out the corresponding follow-up of the implementation of the plan, and once it has been completed, assess the effectiveness of the new controls and update the entire risk map in order to obtain the new status of the organisation.
Every time there is an important change, and periodically, the risk analysis should be updated, since, among other considerations, the effectiveness of the controls might change and, if they are not properly followed-up or monitored, they might become less effective over time.
This process, called risk analysis and management, should be considered within a risk management system implemented within the company. An international standard such as ISO 31000 could serve as a guide for being aware of the components this management system should include.
At GlobalSuite Solutions, we have a consultancy department who will advise you and help you to implement a corporate risk management system, which will help you to know the extent to which your organisation is protected from possible risks that could affect your business processes.
Furthermore, we also offer the GlobalSuite Risk Management application, This is a tool that helps us to implement the system and provides automation and traceability throughout the risk analysis and management process.