In this blog, we discuss how control design is a key part of your risk management process.
We have noticed a trend that has caused some concern. Organizations are placing great focus on testing the operating effectiveness of controls but far less on testing their design. Ensuring that the controls established by management operate effectively is an essential part of the risk management process, but confirming that those controls are designed to address the identified risk is just as important, if not more so.
If a control is not well-written and designed to mitigate the identified risk, it could be useless — even in a situation where it is operating effectively. Let’s take a real-world example related to user access reviews:
- Risk: Users’ access rights are inappropriate based on their job responsibilities, leading to data misuse or modifications, both intentional and unintentional.
- Control in Place: On an annual basis, managers review users’ access to all key systems to ensure access is appropriate.
On the surface, this control seems to be properly designed to mitigate the risk of inappropriate access to key systems. Let’s add more context to the situation:
- Additional Fact: 85 percent of the users of key systems are in a rotational program in which they switch departments and business units on a quarterly basis to gain exposure to different areas of the company.
This fact changes whether our control, as designed, actually mitigates the risk. If these users change departments that frequently, their access to key systems most likely needs to change as well, and an annual review can leave inappropriate access in place for up to three quarters before anyone looks at it. In our experience, even the best change management, provisioning, and deprovisioning programs miss items from time to time.
Having the proper mitigating controls in place helps reduce the risk of these situations to an acceptable level. Considering the additional facts, we should change our control design to read as follows:
- New Control Verbiage: On a quarterly basis, managers review users’ access to all key systems to ensure access is appropriate.
The above example is a simple one, but it does a great job of demonstrating the importance of designing specific controls. Organizations should perform proper process walkthroughs to gain an understanding of how their business operates, what their risks really are, and what controls could mitigate those risks.
Once you design your controls properly, you can move on to testing their operating effectiveness, but do not let the design phase slip through the cracks. In a world where the risk landscape is growing and evolving every second, companies will be happy they thought through these control design issues in the right way.