In this blog, we discuss how control design is a key part of your risk management process.
We have noticed a trend that has caused some concern. Many organizations are testing controls to see how well they work. However, they are not paying enough attention to design testing. An essential part of the risk management process is ensuring the controls established by management are operating effectively. But focusing on control design is just as important, if not more so.
If a control is not well-written and designed to mitigate risk, it may not be effective. Even if the control is working properly, it still may not be effective. It takes proper evaluation, change management, and commitment to alter, test, and improve design of controls over time.
Control Design Case Study: Before
Let’s take a real-world example of implementing control design improvements related to user access reviews:
- Risk: Users’ access rights are inappropriate based on their job responsibilities, leading to data misuse or modifications, both intentional and unintentional.
- Control in Place: On an annual basis, risk managers review users’ access to all key systems to ensure that access is appropriate.
On the surface, this control seems to be properly designed to mitigate the risk of inappropriate access to key systems. Let’s add more context to the situation:
- Fact: 85 percent of the users of key systems participate in a rotational program. This program allows them to switch departments and business units every quarter. It gives them valuable exposure to different areas of the company.
This fact changes the situation of our control designed to mitigate the risk. If users frequently change departments, the system administrator will likely need to adjust their access to important systems accordingly.
Case Study Example: After
Even the best change management, provisioning, and deprovisioning programs miss items from time to time. But having the proper mitigating controls in place helps reduce risk to a more acceptable level.
Considering the additional facts learned above, we should change our control design to read as follows:
- New Control Verbiage: On a quarterly basis, managers review users’ access to all key systems to ensure access is appropriate.
While the above example is a simple one, it does a great job of demonstrating the importance of designing specific controls. Organizations should perform careful process walkthroughs to gain understanding of how their business operates. Evaluate what your risks really are, and which controls could help mitigate those risks.
After designing your controls correctly, you can proceed to test their effectiveness. However, make sure not to overlook the importance of the control design phase. In a changing world where risks are increasing, companies will be glad they carefully considered these control design issues.