In this session, Alejandro Orrego, CEO of Pirani, teaches us risk treatment, control categories, what you can do to mitigate the risk, what it's residual risks, control effectiveness, control robustness level and 10 tips for good controls.
Risk treatment
- Avoidance: This involves taking steps to eliminate the risk altogether. For example, if a company decides to avoid the risk of a certain product line, it may choose to discontinue that product line entirely.
- Mitigation: This involves taking steps to reduce the likelihood or impact of the risk. For example, if a company identifies a cybersecurity risk, it may implement additional security measures to reduce the likelihood of a cyber attack.
- Transfer: This involves transferring the risk to another party, such as an insurance company. For example, a company may purchase insurance to transfer the risk of a natural disaster or other event that could result in financial losses.
- Acceptance: This involves accepting the risk without taking any further action. This may be appropriate if the likelihood and impact of the risk are deemed to be low, or if the cost of mitigating the risk is greater than the potential impact.
Controls
In the context of risk management, controls refer to the measures and actions implemented to mitigate or manage risks within an organization. Controls are put in place to minimize the likelihood or impact of potential risks and ensure the achievement of objectives.
Controls can take various forms, including policies, procedures, practices, guidelines, tools, technologies, and other mechanisms designed to identify, assess, monitor, and control risks. They act as safeguards or countermeasures against potential threats or vulnerabilities that could negatively impact an organization's operations, assets, or reputation.
Control categories
- Preventive controls: These are measures implemented to prevent risks from occurring or to minimize their likelihood. Examples include access restrictions, training programs, segregation of duties, and physical security measures.
- Detective controls: These controls are designed to identify risks or potential issues after they have occurred or are in progress. Examples include security monitoring systems, regular audits, data analysis, and incident reporting mechanisms.
- Corrective controls: These controls are put in place to address and rectify risks or issues that have already occurred. They focus on minimizing the impact and restoring normalcy. Examples include backup and recovery systems, incident response plans, and disaster recovery procedures.
- Compensating controls: These controls are alternative measures used to compensate for the inadequacy or absence of primary controls. They provide an equivalent level of risk reduction. For example, if a specific control cannot be implemented, an organization may implement an alternative control to achieve a similar level of risk mitigation.
Residual risk
Residual risk is the level of risk that remains after controls or risk management strategies have been implemented to reduce the inherent risk of an activity, process, or system.
Control effectiveness
- Design of a Control: The design of a control refers to the process of conceptualizing and creating the control itself. It involves determining the structure, components, and parameters of the control. During the design phase, the control is planned, documented, and tailored to address specific risks or objectives. Key considerations include the control's objectives, activities, responsibilities, and integration with existing processes. The design stage lays the foundation for the control's implementation.
Here are some key considerations:
- Risk assessment: The control design should be based on a thorough understanding of the associated risks. Conduct a comprehensive risk assessment to identify and prioritize the relevant risks that the control aims to address. This helps ensure that the control is specifically tailored to mitigate the identified risks.
- Clear objectives: Clearly define the objectives of the control. What risks is it intended to address? What outcomes or results is it expected to achieve? Well-defined objectives provide a basis for evaluating the control's effectiveness and measuring its performance.
- Control activities: Determine the specific activities or actions that need to be performed to implement the control effectively. Consider the sequence, timing, and dependencies of these activities. Ensure that control activities are practical, feasible, and aligned with organizational policies, procedures, and guidelines.
- Segregation of duties: Evaluate whether appropriate segregation of duties is incorporated into the control design. Segregation of duties ensures that critical functions or responsibilities are divided among multiple individuals to minimize the risk of fraud, errors, or unauthorized activities.
- Scalability and flexibility: Consider the scalability and flexibility of the control design. Will the control be effective as the organization grows or changes? Ensure that the control can adapt to evolving circumstances, such as changes in technology, processes, or regulatory requirements.
- Execution of a Control The execution of a control refers to the actual implementation and operationalization of the control. It involves putting the designed control into action and executing the activities defined in its design. The execution phase includes tasks such as allocating resources, assigning responsibilities, training personnel, following control procedures, and monitoring its performance. The execution stage focuses on ensuring that the control is effectively carried out and its intended risk mitigation capabilities are put into practice.
Here are some key considerations:
- Implementation planning: Develop a well-defined plan for implementing the control. Consider factors such as resource allocation, timeline, and responsibilities. Assign accountability for the execution of the control to ensure that it is properly implemented.
- Training and awareness: Provide appropriate training and awareness programs to personnel responsible for executing the control. Ensure that they have the necessary knowledge and skills to carry out their roles effectively.
- Monitoring and supervision: Establish mechanisms for ongoing monitoring and supervision of the control's execution. Regularly assess whether the control is being implemented as intended and whether it is achieving the desired outcomes. Implement monitoring tools, performance metrics, and reporting systems to track the control's effectiveness.
- Documentation and communication: Document the control procedures and guidelines clearly to facilitate consistent execution. Communicate the control requirements and expectations to relevant stakeholders to ensure a common understanding and adherence.
- Continuous improvement: Regularly evaluate the execution of the control and seek opportunities for improvement. Analyze feedback, incidents, or audit findings to identify areas of enhancement. Foster a culture of continuous improvement and learning.
In summary, the design of a control involves the planning and creation of the control itself, while the execution of a control involves the implementation and operational aspects of putting the control into action. Design precedes execution, as the control must be designed and documented before it can be effectively executed. Both design and execution are crucial aspects of establishing and maintaining effective controls within an organization's risk management framework.
Control robustness level
Strong or High
Controls classified as strong or high robustness are characterized by their effectiveness in preventing or mitigating risks. These controls are well-designed, properly implemented, and consistently monitored and tested. They exhibit a high level of reliability, accuracy, and efficiency in addressing the identified risks. Strong controls typically have well-documented processes, clear responsibilities, and a comprehensive approach to risk management.
Moderate
Controls classified as moderate robustness are generally effective but may have some limitations or areas for improvement. They are designed and implemented adequately, but there might be minor gaps or weaknesses that could impact their overall effectiveness. These controls are still capable of providing a reasonable level of risk mitigation, but periodic evaluations and enhancements may be necessary.
Weak or Low
Controls classified as weak or low robustness have significant weaknesses or limitations that reduce their effectiveness in managing risks. These controls may be poorly designed, inadequately implemented, or lack monitoring and testing mechanisms. They may have notable gaps or vulnerabilities that could be exploited, leading to a higher risk exposure. Organizations should prioritize improving these controls to strengthen their risk management efforts.
10 tips for good controls
- Conduct a comprehensive risk assessment: Start by identifying and assessing the risks your organization faces. Understand the potential impacts and likelihood of each risk. This information will guide the development of controls that are specifically targeted at mitigating those risks.
- Clearly define control objectives: Clearly articulate the objectives of each control. What risks is it intended to address? What outcomes or results is it expected to achieve? Well-defined objectives help ensure that controls are focused and aligned with the organization's risk management goals.
- Follow a risk-based approach: Prioritize controls based on the significance and likelihood of associated risks. Focus your resources on controls that address high-impact or high-probability risks. This allows you to allocate your efforts effectively and maximize the impact of your risk management efforts.
- Involve relevant stakeholders: Engage stakeholders who have a deep understanding of the risks and the business processes involved. Seek input from subject matter experts, process owners, and employees who are directly involved in the areas being controlled. Their insights and expertise will contribute to the development of effective controls.
- Adopt a layered approach: Implement a combination of controls that work together to provide a layered defense against risks. Incorporate preventive, detective, and corrective controls to address risks at different stages and from different angles. This helps create a comprehensive risk management framework.
- Use industry best practices: Leverage industry standards, frameworks, and guidelines for control design. These resources provide proven methodologies and best practices that can enhance the effectiveness of your controls. Examples include ISO 31000, ISO 27001, COSO ERM, and NIST SP 800-53.
- Ensure control feasibility: Consider the practicality and feasibility of implementing the control. Assess whether the control can be effectively executed given available resources, technology, and capabilities. Strive for controls that are realistic, achievable, and sustainable within the organization's context.
- Regularly review and update controls: Risk landscapes evolve over time, so it's essential to review and update controls periodically. Conduct regular assessments to ensure controls remain effective, aligned with current risks, and updated based on changes in the organization or its environment.
- Test and monitor controls: Implement mechanisms to test and monitor the effectiveness of controls. Conduct regular audits, assessments, or simulations to evaluate how well the controls are functioning. Establish key performance indicators (KPIs) or metrics to measure the control's performance and monitor deviations or exceptions.
- Foster a culture of risk awareness: Instill a risk-aware culture throughout the organization. Educate and train employees on risk management principles, their roles in control implementation, and the importance of adhering to controls. Encourage reporting of potential risks or control deficiencies to facilitate timely action.
Interact with Pirani