Risk management - Part 2 exploring risk
Thinking a bit more about what we learned last time, identify a risk to your business and document what you think the cause and impact are. What is the probability of the risk happening? How much do you think it would cost you if it did happen? And what controls can you think of right now that would help to reduce the likelihood of it happening or the impact if it did?
We will then look at how we can implement controls in more detail.
Thinking about controls
There are 3 initial stages to consider within control design:
Control Design - where do you put them?
An important part of getting your controls right is thinking about where you need to place them.
If you think about a project like a timeline, where would you place your controls? At the start of the project, at the end of the project, or throughout the project?
Each risk will have a different timeline. To have good control of your process, you need to make sure you are monitoring as you go.
To keep your house safe, you lock the front door. However, you wouldn’t lock the door at the end of the day but leave it open when you are out.
Risk in business operates in the same way. Where you place your controls can seriously impact their effectiveness.
Is it better to sell a prevention or a cure?
Detective controls help to ensure that we are aware of potential risks as they start to happen. This helps us to stop risks from crystallising, and the measures themselves can deter attempts. For example, security cameras, access logs or system alerts can quickly detect and notify us of attempts to access unauthorised information or restricted parts of a building.
Corrective controls help to mitigate any damage if a risk has materialised. Coupled with preventive and detective controls, corrective controls can restore normal operating abilities. For example, by backing up data, we can restore system functionality in the event of a crash or loss of client data.
Preventative controls can be really simple actions, such as putting a lock on a drawer or making sure that a building has access control at the entrance. Some of the most effective controls prevent fraud, theft, or ineffective operations. For example, ensuring that there is a ‘four eyes’ check on any information that is sent to a client helps to prevent the risk of incorrect information being issued.
Control Type - Manual vs Automated
Controls can either be manual or automated; however, controls in most technology systems are a combination of both types. A manual control is often needed where judgement is required.
As sophisticated and powerful as some risk dashboards are, they sometimes only provide a visual representation of the activities they are designed to track. This means that their output may need manual intervention: someone to look at the trends and themes that are emerging, such as potentially fraudulent activity. Interpretation is often required, and this is critical to effective risk management.
However, it is also important to understand how critical automated controls can be. For example, a fraud management and detection system that checks thousands of account transactions needs to be automated, with a stop placed on any activity that looks fraudulent. A further manual control is then applied: a person reviews the transactions that are flagged and decides whether they should be released or permanently rejected.
With all automated processes, there is still a level of risk. Ultimately, it is unwise to rely solely on automated controls, and it is the combination of robust automated systems and personal human insight that delivers the best risk management outcomes.