Get the latest insights delivered straight to your inbox.

Subscribe to our insights

Controls – the heart of managing risk

Control risk managment

The four core questions to risk management

A lot of the theory and discussion around risk management can seem complex, but essentially everything boils down to four core questions….

  1. Do you know the things that matter most to help you succeed?
  2. Do you understand how and why these things might be disrupted through uncertainty and what you can do about that?
  3. Are you doing something to minimise the effect of uncertainty on the things that matter most?
  4. Do you know if what you are doing is working or not?

Everyone needs to understand the risks they face to get the outcome they want. Choosing which risks to control and which to live with reflects your appetite for risk and the potential exposure you can manage.

What is a control?

A ‘control’ (or group of controls) provides you with the ability to monitor and influence risks through a pre-determined risk treatment strategy. A control can also give you an improved measurement to understand the level of risk you are facing at any point in time.

Controls take many forms, but generally they are one of the following:

  • a process,
  • an activity,
  • a physical mechanism or;
  • a pre-set threshold

Benefits from defined controls

If you have the right controls in place then you can measure the reduction in risk exposure that they provide, versus the cost of the controls. It is one important way of measuring how well your risks are being managed. If you have set a Risk Appetite Statement and you do not have defined controls, then you will almost certainly struggle to be able to operationalise it and understand whether you are really taking acceptable risks.

Controls give you the ability to see early warning signs that risks might be about to escalate into a problem. This in turn gives you the opportunity to proactively address the risk and keep it from becoming an unacceptable issue.

When you look at this process at scale in a complex organisation it is critical to know that all your controls work to prevent risks from becoming problems, keep you within your budget and keep your staff working on building the business rather than responding to avoidable issues.

For all of your risks, you need to understand what your controls are, who owns them and whether they are the right controls:

Example 1 – In order to ensure you got the value you paid for and met your obligations under a third party supply agreement, some controls might be:

  1. An SLA (Service Level Agreement) that captures the key performance metrics on the parties and which is appropriate to use day to day to ensure you get what you pay for;
  2. Clear ownership of the agreement by someone in the business who will stay across required changes and opportunities to protect and grow value from the arrangement;
  3. An agreed independent assurance cycle whereby Internal Audit/Operational Risk (or someone else) reviews the ongoing governance and management by the parties.

Example 2 – If a gas compression cylinder relies on a valve handle to be closed when not in use and if the handle is not closed properly, a dangerous gas leak could become an explosion risk. Some of the preventative controls would include:  

  1. A locking mechanism on the valve handle;
  2. An indicator light (green/red) indicating that the tank pressure is stable,
  3. This may also be connected to an alarm that sounds if the tank pressure drops and the valve handle is not in the locked position.

If the ‘control’ was simply to ensure that the last person to use the tanks shuts off the valve, then there is little to prevent this from causing an incident if the person is distracted and doesn’t shut the valve properly.

Controls are important in managing your business and avoiding failure/s which could hurt your staff, customers, supply chain, finances and hard-earned brand.

Are you in control of your risk profile?

So how do I know if I am prepared and in control of my risk profile for my business? 

Some of the key questions we find many organisations – even the largest and most well managed – benefit from asking are:

  1. Do I know what the most important controls are in my organisation?
  2. Is it clear who is accountable for all of these controls?
  3. How do I know that these controls are the right controls?
  4. How do I know if these controls are working the way they should?

If you don’t know the answers to the four questions above, then you would likely benefit from an assessment of controls current state.

Click here to learn how to better understand your risk culture and make better quality decisions.

Want to learn more?

Talk to a friendly member of our team about how we can help you with benchmarked and customised risk and compliance consulting services

Latest Insights

Read all Insights
What the Federal Budget means for Aged Care

Following the Royal Commissions recommendations in March, the recent Federal Budget had a strong focus on Aged Care. This insight outlines what announcements were ...

4 steps to better business resilience

Business resilience is maintaining the ability to deliver on your objectives through volatility in the environment. Here is insight into 4 steps to better business ...

Reduce patient suffering through compassionate connected care

Health care providers first step to addressing unmet patient needs is to acknowledge this and take action. The Compassionate Connected Care model is a way to frame ...

Strategies to advance nursing excellence

Advancing nursing excellence is necessary to transform performance. This insight provides key suggestions and video explanations.