This tutorial is for managers who need assurance that critical controls are in place and working, and that they will work in the future if they are needed. In particular, the approach described here will be useful for:
- Risk owners, for the key controls associated with their risks
- Control owners, for the controls for which they are accountable
- Those managers who either conduct or review the conduct of assurance activities.
This tutorial is intended for Line 1 and Line 2 managers in the three lines of assurance (Figure 1).
Control assurance in practice
A control is an ‘enabler’, something that helps an organisation achieve its objectives. Critical controls are those whose effectiveness contributes materially to the achievement of the organisation’s objectives, or that are required for policy, contractual or regulatory compliance. Typically a control is critical where the consequences might be high or very high if the control were to fail.
Control assurance is an important review process within the ‘monitor and review’ step of the risk management process (Figure 2). Monitoring and reviewing critical controls provides assurance to managers, the Executive and the Board that control effectiveness is consistent with the amount of uncertainty the organisation is prepared to tolerate.
In practice, implementing effective control assurance requires:
- An understanding of which controls are critical
- The allocation of critical controls to nominated control owners, individuals accountable for specific controls as recorded in a risk register, a position description, a policy or a procedure
- A process for ensuring that controls are checked regularly by control owners
- A sound control self-assessment process that control owners have been trained to use.
The purpose of control self-assessment
Control self-assessment asks the following questions:
- What are the most critical controls in terms of achieving the organisation’s objectives?
- Are there any gaps in, or problems with existing controls?
- Are there any additions to or changes in the external or internal context, such as expected changes that might affect the controls and the way they work?
- Could the activity be done in a different and more efficient way? Identifying critical controls
Critical controls are those whose effectiveness contributes materially to the achievement of the organisation’s objectives, or that are required for policy, contractual or regulatory compliance. It is important for control owners to test the controls periodically to ensure they work as expected.
Critical controls are often associated with risks where the consequences might be high or very high if the controls were to fail, a measure called potential exposure or maximum possible loss (discussed in more detail in an earlier tutorial here). The top-left region of the diagram in Figure 3 is particularly relevant. At first sight, it might seem unusual to focus on risks falling at the lower end of the scale, at the left hand end of the horizontal axis. However, in this region the levels of risk with the controls in place are low, but the consequences if the controls were to fail would be high. A low level of risk can lead to complacency, but the point of control assurance is to protect against the potential high consequences, not to reduce further the level of risk.
Assurance questions for controls
Table 1 shows the three main questions a control owner should ask when examining a critical control, and the detailed subsidiary questions.
1: Design: could the control work?
Is the control designed for the risk?
Does the control ‘match’ the risk, particularly the causes?
Are there any gaps?
Have there been any changes in the context, since the control was designed, that might affect the risk and the suitability of the control?
Evidence: how do we know?
2: Implementation: does the control work?
What happens in practice?
Will the control work effectively when we need it? Is it reliable and available at all times?
Have there been any changes in the context that might affect the control?
Evidence: how do we know?
3: Improvement: could we be smarter about how we do things?
Could we enhance the controls?
Might more cost-effective controls be possible?
Could the activity be performed in a different way?
Do we need as many controls?
Evidence: how do we know?
A control self-assessment involves several factors:
- Reviewing a control and expressing a view on its adequacy and effectiveness
- Suggesting further risk treatment tasks and new controls if required
- Suggesting the removal or replacement of a control if justified.
In practice this requires:
- Identifying the critical controls for the work process, function or area (often known already from the risk register, possibly with additional new controls)
- Involving the relevant stakeholders
- Observing the work process
- Evaluating the adequacy of the current controls
- Agreeing improvement actions
- Reporting to inform higher-level managers about actions and any important matters for escalation.
While providing assurance and generating improvements are the primary aims of a control self-assessment, the process also offers an opportunity to update relevant information on the control and associated risks in the risk register.
A control self-assessment has to be done ‘on the ground’, by observing the control and the way it works in practice. It cannot be a desk exercise that is performed remotely.
Conducting a simple control self-assessment
A manager’s control self-assessment need not be complicated or time-consuming. Table 2 shows the steps in a simple control self-assessment for a business process that might be conducted by a manager in about an hour, working with one or two direct reports and one or two people from the process being reviewed. Ideally there should be no more than five people. This process can be adapted and extended as necessary according to the context, the nature of the business process and the kinds of controls involved.
Step 1. Prepare by examining the context and agreeing the existing risks and controls relevant to the business process being reviewed
Step 2. Review the process and assess the control adequacy and effectiveness
Step 3. Identify opportunities for improvement
Step 4. Agree improvement actions and allocate them to named individuals for implementation
Step 1: Preparation
Preparation begins by clarifying the purpose of the control self-assessment. This might be to identify ways to improve a specific area, process or activity, to examine controls to ensure they’re working, or to examine a control or process as part of a planned cycle of reviews.
The next step is to describe in detail:
- The business areas to be reviewed
- Any major risks that have been identified in past assessments
- The critical controls that are expected to be in place to achieve the business objectives.
The review team should be clear about the context and agree it before moving forward.
Depending on what is being examined, information that should be available in advance to support the context discussion might include:
- The relevant risk register
- The business plan and the strategic objectives
- Recent internal, external or other audit reports, and the records of past self-assessments
- Process maps and organisational diagrams
- Records of recent incidents, accidents, successes and failures, including near misses
- Policies, standards and written procedures, including legislation and policy guidance
- Relevant legislation and contracts.
Step 2: Process review
It is essential that the review team develop an understanding of the way the processes and activities are conducted. This should be by direct observation where possible, or asking those involved to describe the steps in detail.
The team should observe and note work processes:
- Advise anyone being observed about the review, but do not get in the way of the work processes
- Concentrate, don’t be distracted or allow any interruptions
- Use all your senses
- Take notes, using key words rather than detail
- Compare what you see and hear with the process map and any written procedures
- Note any deviations and whether control checks take place.
During the observations, the team should keep in mind the three main assurance questions noted in Table 1: - Is the control well designed for the risk? - Is the control implemented well? Is it actually achieving levels of effectiveness, reliability and availability that are consistent with the criticality of the associated activities? - Could the control be improved?
Use the template in Table 3 to record what controls are examined, and note relevant evidence and observations.
Step 3: Improvement opportunities
The team should discussed improvement opportunities immediately after the process review and record them in the template:
- Discuss the process being considered, as it was observed
- Ask questions to build a common understanding
- Highlight the ‘good news’ where there is exemplary practice
- As a group, discuss opportunities for improvement and the associated advantages and disadvantages.
Step 4: Improvement actions
The opportunities for improvement should be formalised in specific action plans, again recorded in the template:
- Agree and document the actions to be taken to improve controls
- Review the current level of risk for those risks for which the controls are relevant
- Advise the risk owners if the risk register needs to be updated
- Enter the outputs of the review into the risk management information system, so tasks are allocated, tracked and closed out.
Planning control self-assessments
Developing a control self-assessment plan
Control self-assessment should only be performed down to the level that risk assessments have been conducted. Business processes should be sufficiently discrete and defined, and the risks, controls and tasks should all be recorded in the information system.
It is important not to try and get everyone doing control self-assessments at once. It is better to take time and plan, concentrating on one function or business area at a time. Once people are familiar with the control self-assessment process, it can be extended to other areas and functions.
It is often very useful to create and monitor key performance indicators for the implementation of a control self-assessment plan. Simple KPIs might include:
- The number of control self-assessments conducted by each manager
- The number of improvement tasks generated in each control self-assessment.
Senior managers should ask for reports on completed control self-assessments and the associated KPIs should be reviewed frequently at management meetings.
Developing a control assurance program, including regular planned control self-assessments, is discussed in more detail in another Broadleaf tutorial available here.
Questions for managers
Now that you have read this tutorial, you should ask yourself how you and your organisation might benefit from it. Here are some pertinent questions for you:
- How could you develop a control self-assessment program for your business area?
- How could you integrate control self-assessment in your normal business processes and activities?
- Who could help you develop your own control self-assessment plan? How?
- Who should monitor and report on control self-assessment progress, and how might that be done?
The simple control self-assessment process described here allows line managers to review their operations and controls in a structured way, without huge investments of time and effort.
Control self-assessment should be a planned activity. It should be part of each manager’s routine oversight activities, and ideally integrated and embedded into normal day-to-day business.