Monday, 15 June 2015 12:28

Ask 5 Questions Before Assessing Your Controls


Risk and control assessments are basic tools. Everyone uses them and most struggle with them. Ask five people at a conference and you will find that even the name is not uniform—risk and control self-assessment, risk control self-assessment, control self-assessment. These assessments can quickly become wasteful or distracting if key prerequisites are not met.

To avoid problems, ask yourself five key questions:

  1. Do we “know the business”? Many assessments are focused only on known risks, controls and weaknesses (“watched pots”); they miss weaknesses that are less apparent and those in the underlying process.
  2. How sound was the risk evaluation that led to the controls being designed and implemented? Assessments depend on properly completed prior steps in risk evaluation and response, including environment and enterprise capability evaluation, scenario analysis, root-cause analysis, dependency analysis, control design, and control implementation. If not sound, it is likely that the wrong controls are assessed and that the findings have little value.
  3. Does the assessment cycle keep pace with real-world change? If change in risks (environment and process, or controls) is more frequent than the evaluation period, the assessments will miss real risk. For example, if your IT environment changes every few months, business continuity test cycles should match that cycle—anything else gives a false sense of confidence.
  4. Do control assessments actually focus on controls, or do they mix in policies, procedures or rules? A “green” rating for the existence of a policy is a long way from examining a control that can detect an out-of-bounds condition and act on that information.
  5. Do assessments divert attention from daily use of risk management? Both lag time and emphasis on control (rather than environment or business capabilities) have a tendency to cause organizations to see risk management as only a “bandage” assurance function, rather than a valued management function that fixes root causes.

If they fall into the traps noted here, risk or control assessments probably also divert resources from more helpful risk management activities and create a false sense of assurance. These traps have led to serious harm. Consider data breaches, frauds, network outages, robo-signings and other problems that occurred when controls were, on paper, acceptable. Of course, assessments and tests must be applied with appropriate rigor to drive meaningful action. The good news is that these problems are relatively easy to fix.

This article was adapted from Brian Barnier’s book The Operational Risk Handbook for Financial Companies.

Last modified on Wednesday, 24 June 2015 10:59
Brian Barnier

Brian Barnier, CGEIT, CRISC, is a principal at ValueBridge Advisors, where he analyzes trends and advises/mentors business and IT leaders to help them accelerate business performance improvement, including risk management. In the past, he has held business, IT and risk roles and is an advisory board member for the World Conference on Disaster Management. Barnier teaches, speaks and researches widely.
