Control, in the context of internal controls and risk management is a term seldom defined and often misunderstood, particularly amongst non-risk experts (including audit, and compliance).
More important than the definition itself, are the controls that are implemented and operationalised to positive affect. Here we’re offering a practical approach. One that aims to help inform all stakeholder activities and continuous improvement efforts. It has evolved from experience rather than originated from risk management text books or technical guidance.
Our control framework works best when thinking through one risk at a time. When adopted, it helps structure critical thinking around what activities are in place and the effectiveness of each. This approach intuitively results in a gap analysis to inform improvement actions.
Often excluded from risk registers, we encourage naming control owners for greater accountability. Additionally, we recommend that multiple stakeholders contribute to each individual risk. This supports our belief that risk management drives cultural change including accountability, collaboration and transparency.
This framework applies best to operational risks i.e. those that can occur regularly and benefit most from controls and management discipline. Whilst fully configurable, editable (or can even be fully switched off), this control framework is built into the GOAT Risk™ default system setup to help users think through the current controls and the improvement actions that can be taken.
Risk Control Definition
The systems, people, procedures, contracts and other activities set inplace by management that are used to manage risks.
These can be detective, preventative, corrective or avoidance in nature.