In my last blog, Control Effectiveness—Is the Glass Half Empty?, I examined how control effectiveness is often measured incompletely and inaccurately. Let’s look at what we learned and discuss a better way to determine effectiveness.
There are three lessons we can learn about making conclusions on control effectiveness:
- Controls’ effectiveness can’t be measured against “control objectives”. Control effectiveness can only be measured against the broader, business (or in the examples, community and therapeutic) objectives. (Most of the major corporate failures we have seen in the financial crisis have rated their internal controls as “effective” immediately before failing).
- Controls don’t have objectives of their own and, even if they did, meeting a control objective is not sufficient consideration to decide on the efficacy of effective controls. (Or put another way, its not enough for the patient to take the pill; the pill must treat the illness).
- Controls can obviously have unintended negative consequences on other objectives. It’s not intellectually or professionally honest to offer an opinion on “control effectiveness” if the unintended consequences are not completely understood and accepted. (For example, is it really OK if motorists stop at the stop signs but speed in between them?)
A Better Way To Understand Control Effectiveness – Measuring the Entire Glass
There is a better way to understand control effectiveness. One suggestion is that practitioners provide an opinion on the level of residual risk status remaining for each objective (or risk category, or organization) after taking into account risks and controls related to the objective. Residual risk status refers to what we know about the level of risk remaining (qualitative and quantitative) after taking controls and other responses into account.
It’s the same principle as understanding how big the glass is before we decide to call it half full (or empty).
It’s too big a subject to expand on here. But the principle is that as GRC practitioners we need to know the business objectives, the related risks, controls, the issues, incidents, business obstacles, polices and regulations, performance indicators, and loss amounts experienced before coming to a conclusion on the total contents of the glass, so to speak.
Ideally, the GRC professional would report on both the empty and the full part of the glass, and then tell us if it will satisfy our thirst.
There are several ways to do this and I’ll explore some in future blogs. But I’m interested in your experience.
How do you assess and report on control effectiveness? Are the professional standards useful in providing the guidance you need? What suggestions can you share?
If you want to read more on Myths in Risk Management , read the other blogs in the series: Exposing the Flaws of Risk Heat Maps, Can Risks Be Registered, Can Risks Be Owned, You Don’t Need to Start with a Risk, and Controls Are Bad for You.