Risk control techniques

https://preteshbiswas.com/wp-content/uploads/2024/11/Risk-Control-Techniques_-Biswas.wav

Risk control techniques in Enterprise Risk Management (ERM) are strategies and methods used to mitigate or manage identified risks. These techniques aim to minimize the likelihood and/or impact of risks while supporting the organization’s objectives. Below are the key risk control techniques:

Different types of controls are used to manage hazard risks, commonly categorized as preventive, corrective, directive, and detective. This classification creates a clear hierarchy, with preventive controls being the most effective. Preventive controls aim to stop hazardous events, such as using safer materials or enclosing activities to eliminate exposure to harmful substances. These are the most commonly implemented controls in organizations. Corrective controls focus on addressing problems or reducing risks after they arise, like using machinery guards to minimize accidents. Directive controls involve providing instructions or procedures to ensure specific outcomes, such as training employees to use protective equipment or outlining response plans for potential risks. Detective controls are designed to identify when a risk event has occurred, with examples including post-incident reviews to prevent further issues. Disaster recovery planning (DRP) and business continuity planning (BCP) are essential for managing crises but do not fit neatly into this framework. Some consider them directive controls because they provide guidance during a crisis, while others see them as corrective controls because they help limit damage and costs after a loss. Another perspective is that DRP and BCP form a separate category of controls, focusing on post-loss procedures to ensure minimal disruption. The effectiveness of controls generally follows a hierarchy: preventive controls are the most effective, followed by corrective, directive, and then detective controls. Preventive controls are preferred as they stop problems before they occur, while corrective and directive controls help manage risks during or after an event. Detective controls, being the least effective, only confirm that an event has happened. Despite their unclear classification, DRP and BCP are crucial for minimizing damage and ensuring continuity when a hazard risk materializes.

Take the example of an oil and gas company aiming to reduce the number of process safety incidents, such as equipment failures, leaks, or spills, per million operating hours. The company can utilize the preventive, corrective, directive, and detective control hierarchy to establish a structured approach:

  • Preventive controls may include implementing rigorous hazard identification and risk assessment (HIRA) during project planning to ensure potential risks are addressed in design and operations. Additionally, introducing automated shutoff valves and pressure relief systems can prevent hazardous events caused by equipment overpressure or leaks.
  • Corrective controls could involve enhancing maintenance schedules, such as adopting predictive maintenance techniques using sensors and analytics to identify wear and tear before failure occurs. Improved reporting mechanisms for employees to log near misses or equipment issues can also be part of corrective measures.
  • Directive controls might focus on comprehensive training programs for process operators, emphasizing safe work practices and emergency response protocols. The company could also provide easy-to-follow operating manuals and procedures for handling critical equipment safely, ensuring all employees understand the steps to mitigate risks.
  • Detective controls already in place might include gas detection systems to identify leaks and prevent escalation. To enhance this, the company could implement periodic audits of safety-critical equipment and processes, as well as conduct employee behavior assessments to ensure compliance with safety protocols.

Other controls the company might evaluate include routine inspections of pipelines and storage tanks to detect early signs of corrosion or damage and reviewing energy consumption patterns to identify inefficiencies or unsafe operating conditions. By integrating these measures into a structured and measurable loss-control program, the oil and gas company can effectively reduce the number and impact of process safety incidents while optimizing operational costs.

Hazard Risk Zone

The figure shows three zones in the risk matrix, with the cautious and concerned zones forming a central area. The comfort zone includes risks with low likelihood and low impact. There are always risks with such a low chance of happening or minimal impact that they remain in their comfort zone. As the likelihood and impact of a risk increase, a point is reached where a decision must be made about whether to accept the risk. This is the cautious zone, where organizations usually take steps to manage or transfer the risk. The boundary between the cautious and concerned zones represents the organization’s risk appetite, showing the level of risk the organization is willing to tolerate. Together, these zones reflect the organization’s tolerance for variability or uncertainty in managing that particular risk. When likelihood and impact increase, a critical point is reached where the risk becomes unacceptable, and the organization will aim to eliminate exposure to it. However, in some cases, these high risks cannot be avoided, either because they are essential for the business or tied to a high-risk, high-reward strategy approved by the board.

  1. Preventive controls: Preventive controls are the most important type of risk control, and every organization uses them to manage certain risks. However, completely preventing or eliminating all risks may not be practical or cost-effective, and in some cases, it might not be desirable for maintaining key activities. Examples of preventive controls include measures like requiring approval from another person before making payments or preventing the same person from ordering goods and authorizing their payment. In health and safety, preventive controls aim to remove hazards or replace them with safer alternatives. For instance, a hazardous chemical used in cleaning might be swapped for a less harmful substitute. The main advantage of preventive controls is that they eliminate risks, removing the need for further management. However, this approach can sometimes be expensive or impractical for operational reasons. Additionally, eliminating certain activities might lead to outsourcing or replacing them with less efficient options. Health and safety experts often focus on eliminating risks “as far as is reasonably practicable.” This means balancing the time, effort, and cost of risk reduction against the benefits of lowering the risk. For example, underground mines can reduce the risk of collapse by installing support beams, but the cost and practicality of doing so must be weighed against the level of safety improvement achieved.
  2. Corrective controls: Corrective controls are used when preventive controls are not practical, desirable, or cost-effective. These controls aim to reduce risks to a level that aligns with the organization’s risk appetite. In health and safety, examples of corrective controls include installing barriers or guards to contain hazards. For fraud prevention, measures like using passwords, access controls, rotating staff, or regularly changing supervisors are common corrective controls. Corrective controls have several advantages. They are often simple, cost-effective, and can be applied without needing to overhaul existing practices or procedures. They fit within current operations and processes. However, a challenge with corrective controls is that their benefits can sometimes be hard to measure or justify as cost-effective. In some cases, they may be overly complex or expensive compared to the benefits they provide. Often, corrective controls are implemented to meet regulatory requirements, which can add extra costs or inefficiencies for the organization. Organizations need to ensure these controls meet legal requirements without being excessive or ineffective. The design and implementation of corrective controls can lead to debates and disagreements. For instance, there is often discussion about installing sprinklers in buildings as a fire control measure. While sprinklers can minimize fire damage, some building occupants, such as those with computer installations, may argue that sprinklers are inappropriate due to the water damage they can cause. Fire safety experts typically counter this by emphasizing that water may cause damage, but fire results in total destruction. This highlights the need to carefully consider the potential downsides and unintended consequences of corrective controls before implementing them.
  3. Directive controls: Organizations are familiar with directive controls because they involve guiding staff on how to perform tasks safely and correctly. For tasks with risks, directive controls include documented procedures, training, and instructions. These controls are often present for most risks, even if other types of controls are also used. An example of directive controls is requiring workers to wear personal protective equipment (PPE) for hazardous tasks. Employees must be trained in how to use PPE properly, and supervision is needed to ensure compliance. The benefit of directive controls is that they can be explained to employees during regular training sessions. However, these controls provide a lower level of risk management and often need constant oversight to ensure procedures are followed. On their own, directive controls are not very reliable or secure, but they are always part of an organization’s overall risk management strategy. Developing systems, procedures, and protocols is vital, but if these are not implemented, the organization may face criticism for poor risk management. Having procedures shows that risks are recognized and addressed, but failing to follow them leaves the organization vulnerable to claims of negligence. Directive controls are valuable and relevant. For example, contracts often include written instructions on how to respond to specific situations, such as an insurance claim. Additionally, directive controls are often the first step taken in response to unexpected events. While the ideal approach in stable situations follows a hierarchy of controls, in emergencies, directive controls or preventive measures are typically introduced first to address immediate risks, especially safety concerns. These initial actions create time to design and implement corrective controls as the situation becomes clearer and stabilizes.
  4. Detective controls: Detective controls are procedures used to identify when a hazard has already occurred. While detecting risks after the fact is not ideal, it can be justified in situations where other controls cannot fully prevent the risk. Examples of detective controls include inventory or asset checks to ensure nothing has been taken without permission, bank reconciliations to spot unauthorized transactions, and post-project reviews to learn lessons for the future. These controls are closely tied to monitoring and review processes in risk management. Detective controls are often simple to implement and can provide early warnings when other risk controls fail. However, their downside is that the risk has already happened by the time it is detected. On the positive side, the presence of detective controls may deter people from bypassing other controls. For example, fraud can usually only be detected after it occurs, but early detection can reduce the damage, stop similar future fraud, and improve security. Even in health and safety, detective controls have a role. Some jobs expose workers to hazards that can cause serious long-term health issues. Early detection of symptoms, such as lung disease from dust, dermatitis from skin exposure, or hearing loss from noise, allows for timely intervention to prevent further harm. These examples highlight the importance of detective controls in managing risks effectively.

Cost of Risk Controls

The inherent level of risk is the risk that exists without any controls in place, often called the gross risk. The current level of risk is the risk after considering existing controls, sometimes referred to as residual risk. In this context, “current level” is preferred to emphasize a more dynamic approach to managing risks. When controls are applied, they reduce the risk level, which can be visualized as a “control effect” or “control vector.” For example, if an organization considers inherent, intermediate (when multiple controls are in place), and target risk levels, it must also account for the costs of implementing those controls. These costs are part of the total cost of managing risks and help determine whether the controls are cost-effective. Using a simple example: for Risk A, three controls (A1, A2, and A3) are needed to bring the risk down to the target level. For Risk B, only one control (B1) is sufficient. This shows that managing Risk A requires more effort and resources than Risk B. It’s essential for management and internal audit teams to ensure these controls work effectively and efficiently. The gap between inherent risk and current risk shows the impact of the controls. If the organization sets a lower target risk level, additional effort and controls will be required to bridge the gap from the current to the new target level. This example illustrates the relationship between risk levels and control efforts.

Risk treatment, also known as risk response or risk control, involves choosing and implementing actions to reduce the likelihood and impact of risks. Different types of controls should be considered in sequence when deciding how to manage risks effectively. Whenever possible, preventive controls should be the first choice, as they aim to stop risks from occurring. If prevention is not feasible, corrective controls can be applied to reduce the likelihood and impact of adverse events. Once risks are minimized as much as is cost-effective, directive controls can be introduced to guide the actions of those managing the risk. Finally, detective controls may be added to identify when a risk has materialized. These controls are commonly used in areas such as health and safety. It’s useful to assess risks at their inherent level (before controls are in place) to determine the necessary control efforts. By calculating the risk exposure at both the original and new levels, the effectiveness of each control can be measured. This allows the organization to conduct a cost-benefit analysis for each control and prioritize the most cost-effective solutions for managing risks.

Examples of key dependencies and the significant risks attached to them, grouped as financial, infrastructural, reputational, and marketplace:

1. Financial

  • Availability of funds: Insufficient funds available from parent company
  • Correct allocation of funds: Inadequate profit because of incorrect capital expenditure decisions
  • Internal control: Fraud occurs because of inadequate internal controls
  • Liabilities under control: Higher-than-expected liabilities arise in the pension fund

2. Infrastructure

  • People: Failure to achieve/maintain health and safety standards
  • Premises: Damage to key location caused by insured peril
  • Processes: IT control systems are not available because of viruses or hacker activity
  • Products: Disruption because of the failure of the supplier

3. Reputational

  • Brand: Product recall causes damage to product image and brand
  • Public opinion: Lost sales or revenue because of changes in public tastes
  • Regulators: Regulator enforcement action causes loss of public confidence
  • CSR: Allegations of unethical product sourcing cause loss of sales

4. Marketplace

  • Regulatory environment: Change in tax regime results in unbudgeted tax demands
  • Economic health: Decline in world or national economy reduces consumer spending
  • Product development: Changes in technology reduce product appeal and sales
  • Competitor behaviour: Competitor substantially reduces prices to win market share

The above examples cover the main hazard risks likely to concern an organization. For each hazard, the analysis sets out what could go wrong and the key factors and issues to evaluate. It then reviews the available control options for the risk and identifies which controls are needed and suitable.

The diagram illustrates the concept of cost-effective controls by balancing the cost of controls and the potential loss due to risk. Here’s a simple explanation:

  1. Potential Loss Curve: This line shows how much risk or potential loss an organization faces without controls. As control improves, potential loss decreases.
  2. Cost of Controls Curve: This line represents the cost of implementing controls. Initially, the cost of controls is low, but as more stringent controls are added, the cost increases significantly.
  3. Total Cost of Risk: This curve combines both the cost of controls and the remaining potential loss. It shows the total expenditure related to managing the risk. The lowest point on this curve represents the optimum level of control, where the total cost of risk is minimized.
  4. Judgment Area: Around the lowest point of the total cost curve, organizations need to decide the best level of controls.
    • To the left of this point: Controls are cost-effective since they significantly reduce potential losses at a reasonable cost.
    • To the right of this point: Further controls are not cost-effective, as the additional cost outweighs the benefits of reducing risk further.

The goal is to find the balance where controls are effective enough to minimize potential losses without incurring excessive costs. Beyond this point, adding controls results in diminishing returns and is no longer economical. When choosing and applying controls, it’s important to focus on those that are cost-effective. The diagram shows how increasing levels of control (horizontal axis) relate to the cost of controls and the reduction in potential losses (vertical axis). By adding the cost of controls and the potential loss at each level, the diagram identifies an optimal level of control where the total cost (controls + potential losses) is at its lowest.

  • Cost-effective Controls: In the early stages, low-cost controls lead to a big reduction in potential losses, making them highly cost-effective.
  • Judgment Zone: In the middle, spending more on controls reduces the overall risk cost, but organizations need to decide if the extra spending is worth the benefit.
  • Not Cost-effective: On the far right, additional spending on controls only slightly reduces potential losses, making it uneconomical.
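The following is an added example, not code from the original article, that puts numbers to the two ideas above: the “control vector” from inherent to current to target risk (Risk A needing controls A1, A2 and A3, Risk B needing only B1), and the total cost of risk curve whose lowest point marks the optimum level of control. The model assumes that exposure is likelihood × impact and that each control multiplies likelihood or impact by a factor; all figures, control names and factors are constructed for illustration.

```python
"""Total cost of risk = cost of controls + remaining potential loss.

Added example (not from the original article). The multiplicative
likelihood/impact model and every figure below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # cost of operating the control per year
    likelihood_factor: float  # multiplier on likelihood (1.0 = no effect)
    impact_factor: float      # multiplier on impact per event (1.0 = no effect)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # inherent events per year, before any controls
    impact: float      # inherent loss per event, in currency units


def exposure(likelihood, impact):
    """Expected annual loss (risk exposure) at a given likelihood and impact."""
    return likelihood * impact


def apply_controls(risk, controls):
    """Walk the control vector: inherent -> intermediate -> current level.

    Returns a list of (level_name, cumulative_control_cost, remaining_exposure),
    starting with the inherent (gross) level at zero control cost.
    """
    levels = [("inherent", 0.0, exposure(risk.likelihood, risk.impact))]
    lik, imp, cost = risk.likelihood, risk.impact, 0.0
    for c in controls:
        lik *= c.likelihood_factor
        imp *= c.impact_factor
        cost += c.annual_cost
        levels.append((c.name, cost, exposure(lik, imp)))
    return levels


def total_cost_of_risk(levels):
    """Cost of controls plus potential loss at each level (the 'total cost' curve)."""
    return [(name, cost + remaining) for name, cost, remaining in levels]


def optimum_level(levels):
    """Index of the level where the total cost of risk is lowest."""
    totals = total_cost_of_risk(levels)
    return min(range(len(totals)), key=lambda i: totals[i][1])


def control_benefit(levels):
    """Per-control cost-benefit: (name, loss reduction, cost, net benefit)."""
    rows = []
    for prev, cur in zip(levels, levels[1:]):
        reduction = prev[2] - cur[2]
        cost = cur[1] - prev[1]
        rows.append((cur[0], reduction, cost, reduction - cost))
    return rows


def classify_levels(levels):
    """Left of the optimum is cost-effective, right of it is not."""
    best = optimum_level(levels)
    return ["cost-effective" if i < best else "optimum" if i == best
            else "not cost-effective" for i in range(len(levels))]


def gap_to_target(levels, target_exposure):
    """Remaining exposure above the target at the current (last) level; 0 if met."""
    return max(0.0, levels[-1][2] - target_exposure)


# Constructed sample data: Risk A needs three controls, Risk B needs one.
RISK_A = Risk("Risk A", likelihood=0.5, impact=2_000_000.0)
CONTROLS_A = [
    Control("A1", annual_cost=50_000.0, likelihood_factor=0.5, impact_factor=1.0),
    Control("A2", annual_cost=80_000.0, likelihood_factor=1.0, impact_factor=0.5),
    Control("A3", annual_cost=150_000.0, likelihood_factor=0.5, impact_factor=1.0),
]
RISK_B = Risk("Risk B", likelihood=0.25, impact=400_000.0)
CONTROLS_B = [
    Control("B1", annual_cost=20_000.0, likelihood_factor=0.25, impact_factor=1.0),
]
TARGET_A = 100_000.0  # constructed target exposure for Risk A


if __name__ == "__main__":
    for risk, controls in ((RISK_A, CONTROLS_A), (RISK_B, CONTROLS_B)):
        levels = apply_controls(risk, controls)
        print(risk.name)
        for (name, cost, remaining), (_, total), tag in zip(
                levels, total_cost_of_risk(levels), classify_levels(levels)):
            print(f"  {name:8} controls={cost:>10,.0f} loss={remaining:>12,.0f} "
                  f"total={total:>12,.0f}  {tag}")
        for name, reduction, cost, net in control_benefit(levels):
            print(f"  {name}: reduces loss by {reduction:,.0f} for {cost:,.0f} (net {net:,.0f})")
    print(f"Risk A gap to target: {gap_to_target(apply_controls(RISK_A, CONTROLS_A), TARGET_A):,.0f}")
```

In the sample data, A1 and A2 each remove more potential loss than they cost, so the total cost of risk falls to its minimum after A2; A3 costs 150,000 to remove only 125,000 of loss, which is the “not cost-effective” region to the right of the optimum. Yet A3 still leaves Risk A above its target, which is exactly the situation the text describes: a lower target level demands additional control effort that a pure cost calculation would not justify, and that is where risk appetite and management judgment decide.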

The goal is to find the balance where controls minimize total costs while keeping risks at an acceptable level.

One key benefit of learning from controls is the ability to identify controls that are unnecessary or overly complicated. These controls can then be removed, adjusted, or replaced with simpler and more cost-effective options. Risk assessments should consider ongoing reviews of controls, as the level of risk depends on how effective and suitable those controls are. Monitoring controls is a well-established area of expertise, especially for internal audit teams.

Learning from controls mainly focuses on making them more efficient, but it’s equally important to ensure they are effective and appropriate. Internal audit plays a key role in assessing how well controls work and how efficiently they operate, helping organizations learn and improve their systems. When evaluating controls, it’s also essential to consider the level of reward being pursued. This means looking at both strategy and tactics, as well as how well hazard and compliance controls are functioning. Initially, as risk increases, organizations expect higher rewards, and the rewards typically grow faster than the risks. However, at some point, risks will continue to rise without any significant increase in reward, making it unwise to take on additional risks. In between these extremes, organizations may see small increases in reward with higher risks, and this is where management must decide if the additional risk aligns with the organization’s risk appetite. Sometimes, taking on extra risk for a small reward might be necessary to meet customer needs or achieve long-term goals. A similar evaluation applies to hazard risks, where the cost of adding controls must be weighed against the reduction in risk. When deciding on additional controls, organizations need to consider their risk appetite and make a careful judgment about the risks they are willing to accept to reach their strategic goals.

Example of Control of financial risks

1. Fraud: Fraud is a major financial risk for all organizations, and it can be committed by employees, customers, or suppliers. Sometimes, organizations themselves may commit fraud by falsely reporting their financial results, which is a focus of laws like the Sarbanes-Oxley Act. Fraud typically occurs when there is motivation, valuable assets to steal, an opportunity to commit fraud, and weak controls. To prevent fraud, organizations should also focus on reducing theft by implementing measures such as security fences, gates, guards, better lighting, and secure building access. It’s important to regularly assess how effective fraud controls are, an area where internal audits are often involved. This review should look for financial or asset losses and identify weak areas in current controls. It should include a proactive analysis of vulnerable assets, responsible personnel, potential methods of fraud, and the strength of existing controls. Additionally, organizations should conduct an annual review of all fraud incidents and share these findings with the audit committee. A corporate fraud policy should be established to outline the organization’s approach to fraud, responsibilities for managing it, investigation methods, and resources for fraud detection. The policy should also include whistleblowing procedures and guidelines for handling suspected fraudsters. Fraud prevention and control can be divided into preventive, corrective, directive, and detective measures. Here are some methods organizations can use to reduce fraud:

  • Strengthen hiring procedures.
  • Reduce motivations for fraud.
  • Limit the number of assets that can be stolen.
  • Minimize opportunities for theft.
  • Increase supervision levels.
  • Improve financial controls and management systems.
  • Enhance fraud detection.
  • Keep better records.

2. Historical liabilities: One of the most challenging financial risks organizations face is dealing with historical liabilities. These are obligations resulting from past activities or acquired through the purchase of other companies, including their old liabilities. For industrial companies, one difficult area is exposure to substances that can cause long-term health issues. A key example is asbestos exposure, which can lead to mesothelioma—a serious lung-related cancer. Claims for such illnesses often arise 30 to 40 years after exposure, making it hard to verify insurance coverage or working conditions from that time. Another major area of historical liability is related to pension plans. In the past, many companies offered defined benefit pension plans, where the employer guaranteed a pension amount based on the employee’s final salary. In these plans, the employer bears the financial risks tied to the pension fund’s value and payouts. Recently, there has been a shift toward defined contribution pension plans, where employees contribute to their own pension funds, and the risks of fund value and retirement income are transferred to the employee. However, for companies with defined benefit plans, a key concern is liabilities to former employees who are no longer with the company but still have pension entitlements (called deferred benefits). Organizations have several options to manage these deferred benefit liabilities:

  • Offering former employees a payout to leave the pension scheme.
  • Transferring liabilities to an insurance company by paying a premium.
  • Moving deferred benefits into a captive insurance company.

Historical liabilities are particularly significant for long-standing organizations, as they may face claims from activities that occurred decades ago. These liabilities can be even harder to manage if the organization has become smaller or changed significantly over time. Companies involved in frequent mergers or acquisitions are also more exposed to these risks.

Examples of Control of Infrastructural Risks

1) Health and Safety at Work: One key concern for organizations regarding infrastructure risks is workplace health and safety. This area is heavily regulated and should be a top priority. While health and safety is a core part of risk management, it’s often handled as a separate function. The risks include legal action from regulatory authorities, lawsuits from injured employees, and disruptions caused by accidents or dangerous incidents. Many tools and techniques used in health and safety are also relevant to broader risk management, making collaboration with health and safety specialists crucial for success. Health and safety risk assessments have been standard practice for a long time. Simple assessments are used for low-risk activities, while high-risk activities require detailed, written evaluations. A risk assessment involves identifying hazards, understanding who might be harmed, and analyzing the severity of potential injuries. It should also document existing controls, additional steps needed, and ensure adequate safety measures to protect people. After assessing risks, organizations need to implement controls, including:

  • Preventive controls: To minimize risks.
  • Corrective controls: To manage hazards.
  • Directive controls: To regulate staff and exposure.
  • Detective controls: To spot early warning signs, such as stress affecting employees.

The specific workplace hazards to consider depend on the organization’s activities. Guidance exists for managing various risks, such as:

  • Dangerous machinery
  • Pressure systems
  • Noise and vibration
  • Electrical safety
  • Hazardous substances
  • Lifting and manual handling
  • Slips, trips, and falls
  • Display screen equipment
  • Human factors like repetitive strain injuries
  • Radiation
  • Driving and vehicle risks
  • Fire safety
  • Workplace stress

Understanding and addressing these risks ensures a safer workplace and better compliance with regulations.

2) Property fire protection: One of the biggest risks for businesses in manufacturing, warehousing, retail, and leisure is fire. Over half of businesses that experience a major fire never fully recover. Fire is especially damaging in industries like manufacturing, transportation, retail, hospitality, and residential settings. Strong building security can also help prevent arson. When planning for fire safety, organizations should consider the common causes of workplace fires, which include:

  • Electrical issues
  • Hot work (like welding)
  • Faulty machinery
  • Smoking materials
  • Flammable liquids
  • Poor housekeeping
  • Arson

The primary goal of fire safety measures is to protect people. This includes ensuring adequate fire exits, clear evacuation signs, proper building construction, and protected escape routes, supplemented by sprinkler systems where needed. In addition to protecting lives, businesses need to manage potential disruptions caused by fire. Fire prevention strategies often focus on:

  • Preventive measures, like maintaining electrical systems, avoiding ignition sources, and safely storing flammable materials.
  • Corrective measures, such as using sprinkler systems and fire barriers to contain fires.
  • Directive measures, which involve training employees on fire response, early reporting to fire authorities, and using fire extinguishers when safe.
  • Detective measures, like fire alarms, heat detectors, and routine fire patrols to catch fires early.

By combining these approaches, businesses can reduce the risk of fire, limit damage, and recover more effectively if an incident occurs.

3) IT security: For most organizations, IT infrastructure is a critical part of their operations. A computer system failure can cause major disruptions, making disaster recovery planning (DRP) for IT systems a key priority. Losing computer data can be a serious problem, often caused by hardware issues rather than software errors, power failures, or human mistakes. IT failures can lead to:

  • Losing customers or business
  • Damaging credibility or goodwill
  • Cash flow issues
  • Reduced service quality
  • Inability to pay staff
  • Delays in work or production
  • Loss of important data or financial controls

As organizations rely more on IT, they must identify potential losses and manage the risks. Common causes of IT issues include:

  • Theft of hardware
  • Unauthorized access to systems
  • Viruses or malware
  • Hardware or software failures
  • User errors, like accidental deletion
  • Failed IT projects

Organizations should create an IT policy to guide proper data use and protect their systems. This policy should cover responsibilities for IT systems, backup procedures, antivirus measures, handling personal data, limits on personal internet use, and restrictions on accessing inappropriate websites. While personal use of IT systems by employees is often allowed, it should be controlled to prevent misuse. Organizations must also comply with data protection laws regarding the handling of personal information, which are strict in many countries. IT failures are inevitable, so organizations need solid backup plans to minimize data loss. For businesses heavily reliant on IT, detailed DRPs should include options like:

  • Hot-start facilities: Fully prepared backup systems with up-to-date data.
  • Cold-start facilities: Basic backup systems without preloaded data.
  • Warm-start facilities: Systems that fall between hot and cold starts, with partial data and functionality ready.

Backup facilities can be onsite, in mobile units, or at alternative locations, ensuring continuity in case of a major IT issue.

4) HR risks: Every organization needs people to operate, whether they are employees, contractors, or volunteers. This means there are always risks related to managing human resources, regardless of the organization’s size, type, or activities. Key risks linked to human resources include:

  • Hiring, managing, and letting go of employees
  • Complying with employment laws and regulations
  • Recruiting, keeping, and maintaining skilled workers
  • Managing pensions
  • Handling performance issues and absences
  • Ensuring workplace health and safety

Large organizations usually have HR departments with specialized expertise. Traditionally, it was thought that smaller organizations faced fewer HR risks because employees often know each other well and work more closely together, reducing the chance of legal issues or conflicts. However, it is now clear that smaller organizations also face significant HR risks. To address this, many small organizations now provide staff handbooks that cover employment terms, including policies for sick leave, maternity leave, annual leave, appraisals, workplace behavior, and employee roles. Organizations must also ensure they comply fully with employment laws, including those related to diversity and non-discrimination based on ethnicity or physical ability. Beyond meeting legal requirements, organizations can benefit from clear and supportive recruitment, retention, and employment practices, which can create opportunities for growth and stronger employee relationships.

Example of Control of reputational risks

1) Brand Protection: An organization’s brand name is one of its most valuable assets, and protecting it from damage is essential. Brand damage can happen for several reasons, such as:

  • Changes in government policies
  • Shifts in the market or new competitors
  • Price wars or product specification challenges
  • Counterfeit goods
  • Misconduct by franchisees
  • Issues with sponsors or joint-venture partners

A recent trend is using well-known brands to sell unrelated products or services, like supermarkets offering insurance or fuel. While this “brand stretching” presents big opportunities, it needs to be done carefully to ensure it’s appropriate, credible, and successful. Many organizations understand the importance of their brands and look for ways to expand them. However, in large companies, responsibility for managing the brand can sometimes be unclear. Extending a brand into new products or industries should only happen when someone is clearly accountable for the brand’s success. Another trend is allowing branded concessions, like well-known catering brands operating cafes in department stores, or sports stadiums named after sponsors. Franchising is another common approach, where a brand is licensed to individuals or businesses. These methods help organizations maximize their brand’s value but come with significant risks and need careful management. Managing a franchise brand involves challenges, such as ensuring franchisees meet the brand owner’s expectations, which are often detailed in contracts. However, older franchises might not have the same strict agreements. Franchise owners typically provide extensive training, especially on product quality, and often require franchisees to source supplies from approved vendors to ensure consistency. Effective brand management and careful oversight of extensions, concessions, and franchises are critical to protecting and growing a brand’s value.

2) Environment: Global warming and its impact on individuals and organizations is a growing concern. Environmental issues can range from contaminated land and water to industrial emissions and the desire for organizations to be seen as environmentally friendly. Waste disposal is a significant issue for all organizations. Companies producing industrial waste must follow strict laws on how to handle and dispose of it. Even businesses that don’t produce industrial waste face challenges with commercial waste disposal, which can be expensive. Many countries require or strongly encourage recycling to reduce waste. Organizations are now focusing on reducing waste and adopting eco-friendly practices. In the public sector, recycling is often highly regulated, with targets that are closely monitored. Companies may choose to source environmentally friendly materials, implement recycling policies, and set up systems for collecting recyclable waste. Additionally, organizations can encourage employees to use public transport or reduce unnecessary travel to lower their environmental footprint. For industrial operations, strict rules and regulations govern environmental impacts, and enforcement agencies have the authority to ensure compliance. Regulators also consider public opinion and assess:

  • What environmental impacts might occur
  • How harmful those impacts are
  • The likelihood of the impacts happening
  • How often and where they might happen

Overall, organizations are increasingly expected to minimize their environmental impact and comply with both legal and social expectations for sustainability.

Example of Control of marketplace risks

1) Technology developments: One of the biggest challenges for organizations is keeping up with customer expectations, especially as technology keeps evolving. Companies that make tech-based consumer goods face constant challenges, but these also bring opportunities. Recent changes in home and mobile entertainment highlight this challenge. Not long ago, entertainment relied on CDs, but MP3 technology changed everything. Companies had to decide whether to switch to the new technology, which required significant investment and involved major risks. Those that made the right choices and influenced the market saw huge rewards. In fast-changing markets, having the right technology can be a big advantage, but predicting which technology will succeed is always difficult and expensive. Consumers choose new technology based on convenience, quality, price, and trends. Since these technologies are developed globally, only a few companies have the resources to fund the research, design, manufacturing, and supply of these products. To adopt new technologies, many organizations partner with others through joint ventures to share expertise and costs. Choosing the right partners is crucial. In some cases, competitors work together to agree on a common technology for global use. This strategy helps share research costs and avoids competition over technology. However, it also limits the chance for any one company to gain a major competitive advantage in the future.

2) Regulatory risks: Regulatory risk is one of the most challenging issues for many organizations. While compliance may seem straightforward, it can become complicated due to changes in regulations, differences in laws across regions, and shifting public attitudes. Different industries face varying levels of scrutiny and regulation depending on the location. For example, the sex industry and gambling are regulated very differently across the world, reflecting local public attitudes and legal frameworks. This makes it difficult for organizations to ensure compliance and maintain good relationships with regulators, especially when public opinion or laws are changing. Global insurance programs highlight some of these challenges. Two major issues in such programs are:

  • Paying insurance premium taxes in different countries.
  • Using “non-admitted insurance,” where an insurer operates in a country without being officially licensed there.

For instance, a global insurance policy might be issued by a company based in one country but cover operations in multiple countries. Each country has its own rules about paying insurance premium taxes and whether non-admitted insurance is allowed. Many countries require local insurers to handle policies, which increases costs. Organizations have limited options for managing regulatory risks. Compliance is essential for all business activities and often requires collaboration with third parties and advice from local experts. For insurance programs, this might involve working with local insurers in regions that don’t allow non-admitted policies or hiring fiscal representatives to handle tax payments. These steps ensure compliance but can add complexity and expense to operations.

Nature of Internal Control

Internal control in Enterprise Risk Management (ERM) refers to the processes, policies, and procedures established by an organization to ensure that risks are identified, assessed, and managed effectively. It helps the organization achieve its objectives by minimizing the likelihood of errors, fraud, or non-compliance while improving operational efficiency and safeguarding assets. Internal control can be defined as a system of policies, procedures, and practices implemented within an organization to provide reasonable assurance that the organization’s objectives related to operations, reporting, and compliance are achieved. Internal auditors refer to it as the “control environment”, ISO 31000 as the “risk management context” and COSO as the “internal environment”. CoCo (Criteria of Control) defines it as follows: “Internal control is all the elements of an organization that, taken together, support people in the achievement of the organization’s objectives. The elements include resources, systems, processes, culture, structure and tasks.” The IIA (Institute of Internal Auditors) defines it as “A set of processes, functions, activities, subsystems, and people who are grouped together or consciously segregated to ensure the effective achievement of objectives and goals.” COSO defines it as “A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • effectiveness and efficiency of operations;
  • reliability of financial reporting;
  • compliance with applicable laws and regulations.”

Internal control is a key part of managing an organization’s risks successfully. It includes the methods, procedures, and checks that help ensure the organization meets its goals. Internal controls are the steps management takes to plan, organize, and guide activities, providing reasonable confidence that objectives will be achieved. Internal control also reflects how well-developed an organization’s processes are for managing risks. According to ISO Guide 73, a control is any measure that changes risk. This could be a policy, procedure, tool, practice, or action used to reduce or manage risk. However, Guide 73 also highlights that controls may not always work as intended or have the expected impact on risk. Internal control includes the organization’s structure, planning, and setting of goals. It focuses on evaluating controls that help the organization meet its goals, execute its strategy, and seize business opportunities. To design effective internal controls, the organization should ensure systems and processes support:

  • Reliable operations,
  • Timely and accurate information,
  • Protection of assets,
  • Efficient use of resources,
  • Prevention and detection of fraud and errors.

Financial controls are a key part of internal control. These involve keeping accurate accounting records to reduce financial risks and ensure financial information is reliable for both internal use and public reporting. The main goal of internal control activities is to help the organization achieve its goals. They typically aim to:

  • Protect the organization’s assets,
  • Keep accurate records,
  • Improve efficiency and effectiveness,
  • Follow policies, procedures, and control measures,
  • Ensure reliable reporting inside and outside the organization,
  • Comply with laws and regulations,
  • Protect the interests of shareholders and stakeholders.

The internal control system includes both the control activities and the structure and responsibilities that support them. This system helps leaders confidently guide the organization, whether times are good or challenging. Another purpose is to protect resources and maintain proper records and accountability systems. The purpose of the control environment is to ensure consistent and effective responses to risks and crises. A strong control environment helps implement preplanned actions efficiently during a crisis. Various methods can evaluate the control environment, including models like LILAC, CoCo, and risk maturity frameworks such as FOIL and the 4Ns. Using a maturity model helps assess the current state of the control environment and guides improvements to increase risk awareness across the organization. Frameworks like LILAC or CoCo can be chosen to drive and measure these improvements. The success of these efforts is reflected in the organization’s risk maturity level, as evaluated by models like FOIL and the 4Ns. Achieving higher risk maturity allows for more advanced and effective risk management. These models also help benchmark an organization’s risk management practices, setting targets to further enhance risk maturity over time.

1. LILAC Model: The LILAC model stands for:

  • Leadership: The tone set by leadership, ensuring ethical values and risk awareness.
  • Integrity: Upholding honesty, transparency, and consistency in operations.
  • Learning: Adopting a culture of continuous improvement and learning from past events.
  • Accountability: Clear responsibilities and ownership for decisions and actions.
  • Communication: Transparent and effective information sharing throughout the organization.

The LILAC model focuses on building a strong control environment by fostering ethical leadership, clear accountability, and robust communication.

2. CoCo Model: The CoCo (Criteria of Control) model, developed by the Canadian Institute of Chartered Accountants, provides a broad framework for evaluating internal controls. It has four key components:

  • Purpose: Ensuring objectives are defined and aligned with the organization’s vision.
  • Commitment: Promoting ethical values, competence, and employee engagement.
  • Capability: Ensuring resources, skills, and processes are in place to achieve objectives.
  • Monitoring and Learning: Continuously reviewing and improving processes and controls.

The CoCo model emphasizes not only achieving goals but also sustaining a culture of improvement and learning.

3. FOIL Model: The FOIL (Four Levels of Risk Maturity) model is a maturity framework to assess the progress of an organization’s risk management. The levels include:

  • Fragmented: Basic and inconsistent risk management practices.
  • Organized: Some systematic risk processes, but not fully integrated.
  • Integrated: Risk management embedded into core decision-making.
  • Leading: Proactive and innovative risk management practices that influence strategy and culture.

This model helps organizations measure their risk management maturity and set goals for improvement.

4. 4Ns Model: The 4Ns model of risk maturity evaluates an organization’s control environment and risk awareness:

  • Naïve: No formal risk management; reactive and unstructured responses to risks.
  • Novice: Initial awareness of risks with some basic controls in place.
  • Normal: Risk management practices are standardized and integrated across the organization.
  • Natural: Risk management is embedded in the culture and instinctively part of decision-making.

This model provides a simple way to identify and enhance an organization’s maturity in managing risks.

Control Environment

The Criteria of Control (CoCo) framework, developed by the Canadian Institute of Chartered Accountants (CICA), provides a structured approach to evaluating the quality of an organization’s control environment. It emphasizes that a strong control environment is essential for effective risk management and internal control processes. The framework consists of four interconnected components that form a continuous cycle: having clear goals and objectives, a strong understanding of the organization’s purpose and values, the necessary skills and abilities to meet objectives, and the ability to adapt and improve over time. Together, these elements help ensure the organization operates efficiently and maintains effective controls.

The control environment, called the “internal environment” in the COSO ERM framework, reflects the organization’s risk culture. Many organizations use the CoCo framework to assess their compliance with the internal control part of the COSO ERM framework. This approach combines the CoCo framework with the other seven components of the COSO ERM framework.

Components of the CoCo framework

Purpose

  • Objectives should be established and communicated.
  • Significant internal and external risks should be identified and assessed.
  • Policies should be established, communicated and practised.
  • Plans should be established and communicated.
  • Plans should include measurable performance targets and indicators.

Commitment

  • Shared ethical values should be established, communicated and practised.
  • HR policies should be consistent with ethical values.
  • Authority, responsibility and accountability should be clearly defined.
  • Mutual trust should be fostered to support the flow of information.

Capability

  • People should have the necessary knowledge, skills and tools.
  • Communication processes should support the values of the organization.
  • Sufficient and relevant information should be identified and communicated.
  • Decisions and actions within the organization should be co-ordinated.
  • Control activities should be designed as an integral part of the organization.

Monitoring and learning

  • Environment should be monitored to re-evaluate controls.
  • Performance should be monitored against the targets.
  • Assumptions behind objectives should be periodically challenged.
  • Information needs and related information systems should be reassessed.
  • Procedures should be established to ensure appropriate actions occur.
  • Management should periodically assess the effectiveness of control.

The CoCo framework explains its approach by emphasizing that tasks are completed effectively when individuals understand the purpose, have the necessary skills, feel committed to doing the task well, and monitor their performance and surroundings to improve and adapt as needed. This principle applies to any organization, where control relies on these components. CoCo shares similarities with the LILAC approach to measuring risk culture, which highlights leadership, involvement, learning, accountability, and communication as essential for embedding risk management. Organizations can choose how to assess their control environment or risk-aware culture, but it is clear that a strong risk culture is essential for successful risk management. Although CoCo is an internal control framework, it is relevant to risk management because of its strong connection to internal control activities. It also provides a useful way to evaluate an organization’s risk culture. CoCo identifies three main objectives for controls: ensuring operations are effective and efficient, maintaining reliable internal and external reporting, and ensuring compliance with laws, regulations, and internal policies.

The COSO and CoCo frameworks differ significantly, though they share some key similarities. CoCo takes a broader view of the control environment than COSO. For instance, CoCo emphasizes the need for controls in areas such as setting objectives, strategic planning, and corrective actions. It also highlights the importance of the control environment in decision-making processes. When evaluating the control environment using CoCo, a company might score well on purpose, commitment, and capability but perform poorly in monitoring and learning. This insight can guide the company to focus more on challenging objectives and questioning underlying assumptions. To address these gaps, the company might implement better auditing processes and introduce structured reviews of risk management and internal controls by senior management.

CoCo differs from COSO in explicitly addressing certain issues, including exploiting opportunities, addressing weaknesses in business resilience, the role of individual trust in shaping the control environment, and periodically questioning assumptions. In the COSO framework, the control environment is the first component and emphasizes key factors such as the organization’s commitment to integrity and ethical values, board oversight of internal controls, management’s role in setting structures and responsibilities, attracting and retaining competent individuals, and holding people accountable for their control responsibilities.

Components of a good risk culture: A strong risk culture promotes consistent awareness, behavior, and decision-making about risks within a solid risk governance framework. It supports effective risk management, encourages appropriate risk-taking, and ensures that new or excessive risks are identified, evaluated, escalated, and addressed. A good risk culture focuses on:

  • achieving a balance between risk and reward that aligns with the organization’s risk appetite,
  • having an effective system of controls suitable for the organization’s size and complexity,
  • ensuring risk models, accurate data, and tools are reliable and open to scrutiny, and
  • investigating any policy violations, limit breaches, or operational issues, with appropriate corrective actions taken when needed.

CoCo framework of internal control

The CoCo framework has four key components that focus on effective internal control. The first component emphasizes setting clear objectives, identifying internal and external risks, and establishing policies to support the organization’s goals. It also highlights the importance of having measurable targets and performance indicators to track progress. CoCo stresses that organizations must analyze risks and opportunities in detail, assess resilience, and understand the sources of risk. The second component, commitment, focuses on shared ethical values like integrity, clear communication, and fostering trust. It also includes defining authority, responsibility, and accountability, as well as creating supportive human resource practices. The third component, capabilities, ensures that people have the skills and knowledge needed to achieve organizational goals. It emphasizes effective communication of relevant information, coordination of activities, and integration of these processes into the organization. The final component, monitoring and learning, involves keeping track of both internal and external environments to gather valuable insights. It recommends regularly evaluating performance against targets and questioning the assumptions behind objectives. When objectives change, the organization should reassess its information needs and adapt systems accordingly. Additionally, management should periodically evaluate the effectiveness of controls and share the findings with stakeholders.
