Internal risk control design & testing

Building effective risk defences for your organisation

Original content provided by 

Understanding your risks and having the right systems in place to report them is one thing. But the next crucial question is of course: what should you do about them? 

The answer lies in developing effective risk responses and designing controls that genuinely protect your organisation. While this might seem straightforward, many organisations struggle with ineffective controls that create a false sense of security rather than providing real protection.  

In this article, we explore practical internal control systems that truly safeguard your business objectives. 


The four Ts of risk response

When faced with an identified risk, your organisation has four fundamental options, often called the "four Ts" of risk response:

Tolerate: this means simply accepting the risk without further action. This approach is appropriate when inherent risks are small.

Treat: this involves implementing controls to reduce either the likelihood or impact of the risk (or both). Most of the risk responses fall into this category, which we explore in depth throughout this article.

Transfer: placing the risk with another party, typically through insurance or outsourcers. While this may shift financial responsibility, remember that reputational impacts can never be fully transferred.

Terminate: the most decisive response, where you eliminate exposure by discontinuing the activity generating the risk. While this provides the most complete protection, it may also mean forgoing potential benefits of the activity.

Your choice among these options and their intensity should be guided by your risk appetite as discussed in our second article of the BDO Risk Blueprint. For risks you choose to treat, your next step is selecting and designing appropriate controls.



Control types: your risk management toolbox

When implementing the "Treat" response, you need to select the right type of control for each risk. Following the Institute of Internal Auditors' categories, there are four essential types of controls that serve different purposes in your risk management system.

Preventative controls: stopping problems before they start

Preventative controls aim to reduce the likelihood of risk events by addressing their causes before they materialise. These are your first line of defence, designed to stop issues before they occur.

Examples include:

  • Access controls (physical or digital)
  • Segregation of duties
  • Authorisation processes

The strength of preventative controls is that they focus on avoiding the occurrence of the risk. However, they can sometimes impact operational efficiency if not designed proportionately to the risk.

Detective controls: early risk identification

Detective controls identify issues when they occur, allowing for quicker response and limiting potential damage. While they don't prevent the initial occurrence, they reduce impact through early detection.

Examples include:

  • Reconciliation processes
  • Exception reporting
  • Log monitoring
  • Fire alarms

The quicker you detect a risk that propagates rapidly, the more effective you are at reducing its impact. This principle is particularly relevant for risks like cyber breaches or data leakage, where early detection can significantly limit damage.

Directive controls: guiding proper behaviour

Directive controls provide guidance on proper execution and help prevent risks through governance and education. They establish the rules and knowledge that guide your organisation's risk management approach.

Examples include:

  • Policies and procedures
  • Guidelines and manuals
  • Training programs
  • Clear roles and responsibilities
  • Supervision structures

Effective training is an important directive control, as it empowers your people and guides them toward better risk management practices, thereby reducing your level of non-financial risk.

Corrective controls: limiting impact after events

Corrective controls take place after an event has occurred and aim to reduce the impact of materialised risks. They have gained increased importance with the rise of resilience-focused regulations such as DORA and of resilience-oriented approaches to risk management.

Examples include:

  • Disaster recovery procedures
  • Business continuity plans
  • Incident response protocols
  • Compensation processes for affected parties
  • Communication plans for stakeholders

While previously underemphasised in operational risk management, corrective controls have become essential components of resilience. They are particularly useful for addressing non-financial impacts like reputational damage, customer experience issues, and regulatory concerns.

The dangers of poor control design

Even with the right types of controls in place, your risk management can fail if those controls are poorly designed. We have identified three categories of ineffective controls that provide a false sense of security while failing to manage risk effectively:

Optimistic controls: unrealistic expectations

Optimistic controls rely on unrealistic levels of motivation or capability from those implementing them. They look good on paper but fail in practice because they don't account for human limitations.

Examples include:

  • Requiring staff to read and sign off on lengthy policies they are unlikely to fully review.
  • Complex verification procedures that are too time-consuming to be performed thoroughly.
  • Rules or contracts that are not realistically enforceable.
  • Controls where the controller lacks sufficient information to make proper judgments.

These controls often exist to satisfy compliance requirements rather than to effectively manage risks, creating documentation without real protection.

Duplicative controls: diluting accountability

Duplicative controls involve multiple people checking the same thing, under the mistaken belief that more eyes always lead to better results. In reality, they often dilute accountability as each checker assumes others will catch any issues.

More-of-the-same: reinforcing failed approaches

The "more-of-the-same" trap occurs when organisations respond to control failures by intensifying the same controls that already failed, rather than redesigning the approach. This reflects a fundamental misunderstanding of why the control failed in the first place.

A real-world example illustrates this danger: an organisation had information going to customers checked by two different parties. Each assumed the other was doing the thorough check, resulting in errors reaching customers. When they "fixed" the problem by adding a third checker, the same failure occurred because the root cause - diffused accountability - remained unchanged.

A better approach comes from the field of Prevention through Design (PtD), most notably championed by James Reason, who stated: "we cannot change the human condition, but we can change the conditions under which humans work." Effective controls accept human fallibility and design systems that make errors difficult or impossible to commit.

Figure: The strength of internal control design evaluation

The Swiss cheese model: building effective control layers

To develop truly effective controls, the "Swiss cheese model" by James Reason provides a powerful framework for understanding layered controls. In this model, each control layer is like a slice of Swiss cheese, with holes representing potential points of failure. When multiple layers are aligned, with independent controls stacked together, the holes rarely line up, which creates reliable protection.

The power of independent control layers

The effectiveness of layered controls depends critically on their independence. When controls fail for different, unrelated reasons, they create a much stronger system than multiple controls vulnerable to the same failure point.

Consider this example: imagine four key controls, each with a 10% failure rate. If these controls fail independently, the probability of all four failing simultaneously is just 0.01% (one in 10,000), so protection stands at 99.99%. However, if they always fail together because of perfect dependency (and poor design as exemplified above), the probability that all four fail is the same 10% as for a single control, so protection remains at just 90%: a thousand times less effective than the independent case.

This mathematical reality has profound implications for the design of control layering. The independence between controls matters more than any individual reliability of a control. In practice, this means you should:

  • design controls of different nature (automated, manual, physical);
  • ensure controls are designed and operated by different individuals or teams;
  • implement controls that rely on different technologies or approaches;
  • test not just individual controls, but also their independence from one another.
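The arithmetic behind the four-control example, as an added illustration that is not part of the original article: the independent case multiplies the layer failure rates, the perfectly dependent case is only as strong as its weakest layer, and a simplified common-cause model (an assumption introduced here, not a method the article describes) interpolates between the two so you can see how little shared failure cause it takes to wipe out the benefit of layering.

```python
"""Layered-control failure arithmetic for the Swiss cheese model (added example).

Each control layer i has a stand-alone failure rate r_i: the probability that
this layer lets a given risk event through. The functions below compute the
probability that an event passes *every* layer under three assumptions:
independent failures, perfectly dependent failures, and a simplified
common-cause model that interpolates between them.
"""
from math import prod
from typing import Sequence


def _check_rates(rates: Sequence[float]) -> None:
    """Reject empty stacks and rates outside (0, 1]."""
    if not rates:
        raise ValueError("at least one control layer is required")
    for r in rates:
        if not 0.0 < r <= 1.0:
            raise ValueError(f"failure rate {r} must be in (0, 1]")


def p_all_fail_independent(rates: Sequence[float]) -> float:
    """Independent layers: the holes only line up by chance, so the rates multiply."""
    _check_rates(rates)
    return prod(rates)


def p_all_fail_dependent(rates: Sequence[float]) -> float:
    """Perfectly dependent layers: one shared cause defeats every layer at once,
    so the stack is only as good as its weakest layer (the largest failure rate)."""
    _check_rates(rates)
    return max(rates)


def p_all_fail_common_cause(rates: Sequence[float], common_cause: float) -> float:
    """Simplified common-cause model (an assumption for illustration, not from the article).

    With probability `common_cause` a shared event (same team, same system, same
    blind spot) defeats every layer together. Each layer's remaining failures are
    independent, with a residual rate chosen so that the layer's overall failure
    rate is still r_i:  common_cause + (1 - common_cause) * residual_i = r_i.
    common_cause = 0 reproduces the independent case; common_cause = min(rates)
    reproduces the perfectly dependent case.
    """
    _check_rates(rates)
    if not 0.0 <= common_cause <= min(rates):
        raise ValueError("common_cause must lie between 0 and the smallest layer rate")
    if common_cause >= 1.0:  # only possible when every layer fails with certainty
        return 1.0
    residual = [(r - common_cause) / (1.0 - common_cause) for r in rates]
    return common_cause + (1.0 - common_cause) * prod(residual)


def protection(p_all_fail: float) -> float:
    """Protection level: probability that at least one layer catches the event."""
    return 1.0 - p_all_fail


def effectiveness_ratio(rates: Sequence[float]) -> float:
    """How many times more likely the stack is to be defeated when its layers are
    perfectly dependent rather than independent."""
    return p_all_fail_dependent(rates) / p_all_fail_independent(rates)


if __name__ == "__main__":
    # The article's example: four key controls, each with a 10% failure rate.
    rates = [0.10, 0.10, 0.10, 0.10]
    p_ind = p_all_fail_independent(rates)
    p_dep = p_all_fail_dependent(rates)
    print(f"independent : P(all fail) = {p_ind:.6f}  protection = {protection(p_ind):.2%}")
    print(f"dependent   : P(all fail) = {p_dep:.6f}  protection = {protection(p_dep):.2%}")
    print(f"dependent stack is defeated {effectiveness_ratio(rates):.0f}x more often")
    # Constructed sweep: even a small shared failure cause dominates the result.
    for c in (0.0, 0.01, 0.05, 0.10):
        p = p_all_fail_common_cause(rates, c)
        print(f"common cause {c:>4.0%}: P(all fail) = {p:.6f}  protection = {protection(p):.4%}")
```

Running the sweep shows why the independence tests in the last bullet matter: with a 5% shared cause the four-layer stack is defeated about 5% of the time, barely better than the fully dependent case, even though each layer still fails only 10% of the time on its own.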

Figure: Swiss cheese model

Principles of a control testing programme

Even well-designed controls require testing to ensure they function as intended. The Institute of Internal Auditors and the Risk Management Institute recommend a hierarchy of testing approaches, with more rigorous methods required for more critical controls:

Reperformance: the gold standard

Reperformance means replicating the control to verify its effectiveness. This is the most powerful testing approach and is recommended for controls mitigating high inherent risks.

Examples include:

  • Mystery shopping to test customer service quality
  • Recalculating financial models to verify accuracy of results
  • Reprocessing transactions to confirm proper execution
  • Penetration testing of IT system security

Examination: document review

Examination consists of reviewing documentary evidence of the control's operation. This is a common approach used by internal and external auditors.

Examples include:

  • Reviewing signature approvals
  • Checking reconciliation documentation
  • Examining control reports
  • Verifying compliance certificates

Observation: witnessing control operation

Observation involves physically watching the control in action to confirm proper execution.

Examples include:

  • Observing cash handling procedures
  • Witnessing access control enforcement
  • Monitoring supervisory activities
  • Watching emergency response drills

Inquiry: the weakest approach

Inquiry simply involves asking whether controls are operating as intended. This is the weakest form of testing and should only be used for low-risk areas.

A well-designed control testing program considers several key factors:

  • Independence: testing should be performed by individuals not responsible for the control's operation.
  • Design assessment: if a control's design is poor, test its design first before testing effectiveness.
  • Scope: testing should focus first on the most critical controls.
  • Frequency: automated controls require less frequent testing than manual ones.
  • Sample size: the number of control instances tested depends on their uniformity (small samples for automated controls, large samples for manual ones, and larger still if the control is performed by several different people).

The fundamental principle of prevention through design is this: rather than expecting people to never make mistakes, create systems where mistakes are difficult to make and are caught quickly when they do occur. This approach creates resilient risk management that protects your organisation without unnecessarily constraining operations.

Do you want to learn more about implementing effective risk responses and controls in your organisation?

Feel free to contact our experts for more information.