Wednesday, September 26, 2012

How many controls are too many?

In a recent discussion on the G31000 LinkedIn forum, a member put forward an interesting question:

How many controls are too many?

Can an organisation literally have too many controls?

How many controls
For large institutions, especially those with cross-border operations or multiple divisions, the total number of controls used to manage or prevent risk can run into the thousands.

That raises the question, and with some concern on my part: how many controls are simply too many?

The short answer is that there is no absolute limit. Nevertheless, if it costs more to control a business activity than the activity earns, you have found the natural limit of controls.

Every control is an operating cost. Training staff to improve the way they operate is an operating cost, compliance is an operating cost, and audit adds to operating costs; these activities will inevitably affect the profitability of any operation.

Working out the most effective number and mix of controls for a business is actually quite a complicated process to carry out, because not all controls are equal. Some controls are expensive to operate and not very efficient, while others only work for specific products or markets. In the end, a risk analyst should build a cost-benefit model for optimising the control set.

The problem with kicking off such a control cost optimisation program is that there are not many templates or calculation spreadsheets for it floating around in the marketplace; simply finding a starting point for the exercise can be quite daunting. Perhaps in a future posting on this blog I might build such a model, if I can find the time.

Classing Controls
As the G31000 control debate progressed, one participant put forward a control conundrum which I have lifted, in brief, into this posting below:
A series of controls were put into place to manage all medical drug preparations, but incidents still occurred until the solution was identified that in the case of this particular drug, it should only be produced in a delivery device that made wrongful application impossible.
This type of control is what we call an optimised control. In fact, all controls go through levels of maturity as they are improved over time to make them more "efficient" and more "effective". If you are in an institution and you want to cull controls, one method for improvement is to move inefficient controls up the maturity ladder so that they become more useful to the business, rather than simply deleting them.

[Figure: Risk to Controls | Martin Davies]

The diagram shown above highlights various aspects of the relationship between a single risk and a single control, and I have found it very useful in explaining how control maturity and control type interrelate within the control framework.

As it stands, ISO 31000 does not specifically guide risk analysts through classifying controls by maturity and type, but that doesn't mean those who have adopted ISO 31000 shouldn't consider including this classification method in their control registration program.

1 comment:

  1. Interesting blog Marty. I think in today's day and age we probably have exhaustive controls in place and very few resources have a clear handle on what these controls are really reflective of - silo issues manifested et al.

    Certainly a cleansing and full review, back to front, of what really matters would make a huge difference to many companies.