– How the control (or a particular group of interrelated controls) exerts its modifying effect on the mechanisms by which events and resulting consequences can occur.
– The extent of the modification.
– The expected reliability of the control (i.e. to what extent can it be relied upon to function as intended or assumed).
– Availability of the control in practice (i.e. is the control only in place for some of the time or in particular circumstances).
– Whether there are other (overlapping) controls that exert the same or similar modifying effect.

Definition of intrinsic versus residual risk

Intrinsic Risk
– What: The level of risk assessed for a risk in the absence of controls that modify the likelihood or consequence of the risk.
– How used: The difference between Intrinsic and Residual risk levels indicates the significance of reliance on risk controls.

Residual Risk
– What: The level of risk assessed for a risk in the presence of controls.
– How used: Carried forward into risk evaluation and treatment. Included in Risk Register.

The total risk reduction benefit of all controls operating on a risk is the difference between intrinsic and residual risks.

The relative extent of modifying risk by a control is its contribution to the total risk reduction as evidenced in a Bow tie diagram.

The impact of controls and the control rating system

– Effective controls change the inherent risk to a lower level.
– Ineffective controls do not change the inherent risk.
– To be effective a control must be both reliable and available.
– A control rating system measures effectiveness of controls.

Source: Maintaining an Entity’s Risk Profile, ComCover Information Sheet, 2016

Prioritising risk controls

Understanding control effectiveness and inherent risk means we can identify three categories of risks:
– Insufficiently controlled (weak controls and high risk)
– Control critical (adequate controls and high risk)
– Potential over control (adequate controls and low risk)

The Bow tie diagram – causes and consequences together

– The Bow tie diagram links together FTA (on left) and ETA (on right).
– More than one independent control on an event mechanism path increases reliability (i.e. “overlapping control”).

Uses of the Bow tie diagram

Bow tie diagrams are used in risk assessment, and later in the risk management process to design risk treatments, either to provide additional controls, or to enhance, replace or improve existing controls.

Unlike FTA and ETA alone, Bow tie diagrams reveal the complete set of path(s) through which an event with consequences can occur (left-hand side) and the range of consequences which could result (right-hand side), including documenting the complete set of controls pre- and post-event and how they are related to each other.