The effectiveness of controls must be periodically reviewed.
This case study is intended to help Commonwealth officials at Specialist and Executive levels understand:
- what is a control and how to measure control effectiveness
- practical tips to review and strengthen controls
This case study can be useful to entities wanting to take a structured approach to assessing control effectiveness.
This case study provides guidance for entities seeking to develop or formalise their approach to reviewing the effectiveness of controls, modelled on the methods used by the Australian Financial Security Authority (AFSA). AFSA is an executive agency in the Attorney-General’s Portfolio responsible for Australia’s personal insolvency and personal property securities systems. AFSA’s management board recognised an opportunity to improve the agency’s risk management approach in order to embed more effective mitigation of risk at all levels of the agency. AFSA invested in a contemporary approach to risk management that focuses on utilising objective sources of evidence to verify the actual effectiveness of the critical actions, activities and measures that help control key agency risks. This approach has benefited AFSA by streamlining its enterprise risk reporting and creating a proactive agency risk culture.
A control is something that regulates or modifies the realisation of, or response to, a risk. Controls take many forms, including any process, policy, device, practice or some other action which modifies risk. They can be preventative, detective or corrective in nature.
The realisation of a risk event is often the result of ineffective, poorly implemented or untested controls rather than of unknown risks. The key to successfully managing risk is therefore to ensure controls are effective. Control effectiveness describes how well a control manages the risk it is meant to modify. Entities should periodically review each control’s performance against its purpose and anticipated outcomes, and determine whether the control remains suitable to support achieving the objectives of the entity.
Review and stocktake existing risk controls
AFSA reviewed its existing risk management framework and identified that it was largely compliance focused, and burdened staff with the completion of overly detailed and complicated risk registers. This created a culture where staff viewed risk management as a technical, paperwork-driven activity that had little connection to their day-to-day work. Staff feedback identified that the risk management system was unnecessarily complex, risk registers had a high potential for user error, and there was significant duplication of risks and controls across multiple registers. As a result, agency governance bodies could not have meaningful discussions regarding risk, and risk was not clearly linked with the entity’s Corporate Plan.
Evidence-based risk management
The agency decided to invest in a contemporary approach to risk management that instead focused on utilising objective sources of evidence to verify the actual effectiveness of critical actions, activities and measures that help control key agency risks. Whilst there may be numerous controls that can be applied against a risk, critical controls are the most important prevention, detection and mitigation controls. By focusing only on critical controls and ensuring that objective sources of evidence can be used to regularly verify their effectiveness, there is greater confidence that risks are actually effectively managed.
As a result, AFSA decommissioned its risk registers and replaced them with a series of critical control profiles and risk bowties. This approach uses high-level diagrams to summarise key risk information in an accessible form, and enables a quick visual analysis of control effectiveness and therefore risk exposure. The use of streamlined visual templates increases the focus on control effectiveness and identifies where further effort or investment can be targeted to address control gaps.
Ongoing review of control effectiveness
Each critical control is assigned to a control owner, whose role is to work actively across the agency to use objective sources of evidence to assess the effectiveness of their control. This enables AFSA to maintain ongoing board engagement with risk by using near misses, realised risk events or fictional yet plausible scenarios to drive a rolling program of risk walkthroughs, informed by evidence-based control effectiveness assessments. This process brings together the risk owner, control owners and board members to actively explore control gaps and current-state preparedness, and to discuss areas for enhancement. AFSA has extended this approach across the agency and encourages staff to participate in similar conversations through risk forums. These forums have become valuable opportunities to provide assurance to the board that strong controls are in place, while also creating opportunities for staff to identify areas for improvement.
This engagement has been critical to the success of AFSA’s approach, as it provides a clear line of sight between senior executives and the staff members actually undertaking the critical actions and activities that manage the risk. This is a level of transparency and confidence that can be difficult to achieve using other risk management approaches.