How to implement effective controls to achieve your objective

Training objective

The objective of this practical and simplified mini-training video is to enable you to select and implement the most effective controls that pass the controls effectiveness test so that you can achieve your objectives.

What you’ll learn

Understand the two key criteria for testing controls effectiveness and what types of controls are considered effective and ineffective.

How to implement effective controls to achieve your objectives

Transcript

[Slide 3] All controls are not created equal

Two groups of controls can be used to mitigate our risks, as shown in this slide.

The first group of controls relates to whether the controls can reduce the likelihood or consequence of a risk. In this group, there are two types of controls – likelihood or preventative controls and consequence controls.

Likelihood controls act to reduce the likelihood of the risk cause occurring. These controls are represented in blue font.

Consequence controls act to reduce the negative consequences of a risk event if it does occur. These controls are represented in maroon font.

The second group of controls relates to whether the controls exist. Controls could either be in existence at the time of the risk assessment or planned to be implemented in the future as treatments to mitigate the risk to reduce the risk rating.

Existing controls are represented in green font, whereas future treatments are represented in orange font. When these planned future treatments are fully implemented and operating effectively as intended, they become controls.

[Slide 4] All controls and mitigations must be effective

All controls must be effective in managing risks and issues.

A key concept for us to remember is control effectiveness.

Control effectiveness reflects not just the ability of a control to theoretically mitigate or treat a risk, but also its actual effectiveness in terms of design, consistency, completeness, reliability, and timeliness of operation.

It measures two key criteria for controls effectiveness:

1. The control’s design intent or its adequacy for managing risks.

2. The control’s actual effectiveness or implementation in practice.

Control effectiveness is based on perceptions and knowledge of how well controls are designed and how they are implemented and operating in relation to the risk identified to achieve the objectives.

A well-designed control addresses the root causes of risk.

And a well-implemented, well-managed, and well-operated control effectively manages the risk to an acceptable level of risk.

[Slide 5] Ineffective controls and treatments

This brings us to the controls listed on this slide.

These controls are considered ineffective as they fail to meet one or more of the key criteria for controls effectiveness as discussed in the previous slide.

As an example, we read in surveys that more than 35% of employees found that they wasted two to five hours per day on meetings and achieved nothing. Yet, we have seen “meetings” being listed as a control to mitigate risks in risk registers. Meetings are a means to an end, and they are not controls to a risk.

Therefore, critically evaluate the controls on your risk register. Determine whether they are effective based on the two criteria of design and implementation.

Alternatively, refer to the list of ineffective controls listed on this slide and avoid them where possible.

These ineffective controls do not pass the controls effectiveness test.

[Slide 6] Effective controls and treatments

Controls that do pass the controls effectiveness test are listed on this slide. They are listed as a hierarchy, from the most effective control to the least effective control.

Controls are hierarchical when it comes to their effectiveness. There are different levels of control effectiveness.

Aim for controls that are considered most effective, starting from the top of the hierarchy. Then work your way down this checklist. Consider what type of effective controls you have or can implement that will pass the controls effectiveness test.

To recap, control effectiveness is based on perceptions and knowledge of how well controls are designed and how they are implemented and operating in relation to the risk identified to achieve the objectives.

The goal is to implement effective controls that will enable your organization to achieve its objectives by mitigating your risks.
