Adopting a control-centric approach to risk management.
There are many circumstances where the likelihood of a risk occurring is not time or frequency dependent, so applying qualitative terms like POSSIBLE or LIKELY to define likelihood is not a very accurate determinant of probability. Instead, the likelihood of key risks arising can be more closely correlated to the effectiveness of the current control environment.
What does that mean? In simple terms, there might be a high probability of a risk occurring in organization A due to inadequate or ineffective controls, while the same risk might be low probability in organization B due to the presence of robust and redundant controls. Therefore, it can be useful to adopt a more control-centric approach to risk management that accounts for these differences.
A control-centric approach is one that places additional emphasis on risk controls, linking these to both the causes and the consequences of a risk event. It is still possible to assess the likelihood of a particular risk event using this model; however, we do so within the context of the current control environment, which is a much more accurate way to determine likelihood.
Let’s take a step back for a moment to ensure we all have a shared understanding of the key terminology. So, what is a control? Controls are measures introduced to influence or change the likelihood or consequences of a particular risk event. There are several different types of controls that we can apply to achieve this, the first of which is Preventative controls.
Preventative controls are aimed at reducing the likelihood of a risk event occurring. For example, education and training and the development of policies and procedures allow personnel to develop a baseline level of knowledge and competence, which in turn reduces the likelihood of potential risks.
Then we have Detective controls, which usually provide a governance or assurance element and are aimed at identifying gaps or failures within the current control environment. Even with adequate education and robust policies and procedures, Preventative controls can still fail or be ignored, so Detective controls are employed as a safeguard to identify problems before a risk event can develop. Examples of Detective controls might include audit or oversight activities and performance reviews to ensure compliance.
Finally, we have Corrective controls, which are aimed at reducing the consequences of a risk event after it has occurred, thereby lessening the overall impact and speeding recovery. Examples of Corrective controls might include crisis management or business continuity plans, which are intended to fortify response activities and promote organizational resilience, or insurance coverage, which might be used to mitigate financial losses.
The final thing to consider is control effectiveness. Once we’ve identified the most prevalent risks to the organization we need to determine if the current control environment is effective. That is, do we have sufficient Preventative, Detective and Corrective controls in place and are these controls functioning effectively to ensure our risk exposure does not exceed acceptable or tolerable levels?
Keep in mind that not all risks are equal, so higher consequence risks may require more layers of controls. This layered approach to managing risk is best illustrated by James Reason's Swiss Cheese Model of accident causation, whereby multiple controls must fail to create the pre-conditions for a significant risk event to occur.
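As an added worked illustration of the control-centric view (example code, not part of the original post): a small Python model in which a risk's inherent likelihood is scaled by the failure probability of each Preventative and Detective control, so the same risk rates differently in organization A and organization B. The independent-layer assumption, the effectiveness ratings, the qualitative thresholds and the two organizations' control lists are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    kind: str             # "preventative", "detective" or "corrective"
    effectiveness: float  # assumed rating: 0.0 never works, 1.0 never fails

def _scale(value: float, controls, kinds) -> float:
    # Assumed model: each control of the given kinds is an independent layer
    # that fails with probability (1 - effectiveness); the event needs every
    # layer to fail (Swiss Cheese picture), so the failure probabilities multiply.
    for c in controls:
        if c.kind in kinds:
            value *= 1.0 - c.effectiveness
    return value

def residual_likelihood(inherent: float, controls) -> float:
    """Likelihood of the event given the Preventative and Detective layers."""
    return _scale(inherent, controls, ("preventative", "detective"))

def residual_impact(inherent: float, controls) -> float:
    """Consequence after Corrective controls; they act on impact, not likelihood."""
    return _scale(inherent, controls, ("corrective",))

def qualitative(likelihood: float) -> str:
    """Map residual likelihood back to a qualitative term (thresholds assumed)."""
    if likelihood >= 0.5:
        return "LIKELY"
    if likelihood >= 0.1:
        return "POSSIBLE"
    return "UNLIKELY"

def assess(controls, inherent_likelihood=0.5, inherent_impact=100.0) -> dict:
    """Residual likelihood, qualitative rating and residual impact for one risk."""
    p = residual_likelihood(inherent_likelihood, controls)
    return {"likelihood": round(p, 4), "rating": qualitative(p),
            "impact": residual_impact(inherent_impact, controls)}

# Constructed sample: the same risk (inherent likelihood 0.5, impact 100 units)
# in two organizations whose control environments differ.
ORG_A = [Control("awareness training", "preventative", 0.3)]
ORG_B = [Control("awareness training", "preventative", 0.8),
         Control("quarterly compliance audit", "detective", 0.7),
         Control("cyber insurance", "corrective", 0.5)]

if __name__ == "__main__":
    for name, org in (("A", ORG_A), ("B", ORG_B)):
        print(f"organization {name}: {assess(org)}")
```

With these constructed ratings the risk comes out POSSIBLE in organization A and UNLIKELY in organization B, and only B's insurance layer halves the residual impact.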
Stay safe.