Controls are processes executed by people or systems to ensure that potential losses stay within the Risk Appetite (RA), either by reducing the frequency or by reducing the severity of a potential loss.
Preventative controls reduce the frequency of losses, and detective controls reduce the severity of losses.
Some frameworks define additional categories of controls, such as corrective controls. Corrective controls are actions taken after an operational risk event has occurred. These additional "controls" are only necessary when the operational risk management framework in use is not comprehensive. ECRG is comprehensive, and in this framework the after-the-event actions are part of Resilience. Controls keep potential losses within the RA; Resilience is having the financial and operational resources in place to act and recover rapidly after an event has occurred. For example, a credit card issuer may block a card after it detects a fraudulent transaction. This would be called a corrective control in a non-comprehensive risk management framework, but it is a resilience action in the comprehensive ECRG framework.
At the end of the day, it is not the labels that count. What counts is having a systematic, comprehensive approach that guides appropriate and adequate risk management action.
Here are the most common controls:
| Type | Description |
|---|---|
| Security | Controls that regulate access and protect organizational resources from unauthorized use or harm. |
| Segregation | Controls that divide responsibilities to prevent errors and fraud through collaborative execution and approval of tasks. |
| Monitoring | Controls that ensure data and transaction accuracy through ongoing checking, matching, and oversight. |
| Type | Control | Brief Explanation |
|---|---|---|
| Security | Access Entitlements | Management of user permissions to ensure individuals have appropriate access levels to systems and data based on their job roles, preventing unauthorized access. |
| Security | Safeguarding Assets | Implementing measures to protect physical and digital assets from loss, theft, damage, or unauthorized use, including secure storage and access controls. |
| Security | Authorization and Approvals | Ensuring that transactions or actions are reviewed and sanctioned by personnel with the appropriate authority before execution to maintain control integrity. |
| Segregation | Segregation of Duties | Dividing tasks and responsibilities among different individuals or departments to reduce the risk of error or inappropriate actions, such as fraud or conflicts of interest. |
| Segregation | Dual Control | A security measure requiring two authorized individuals to be present and in agreement before sensitive actions can be taken, enhancing control over critical processes. Also known as the two-person rule. |
| Segregation | Maker-Checker | A control principle where one individual (the maker) initiates a transaction, and a separate individual (the checker) reviews and approves it to prevent errors or fraud. |
| Monitoring | Verification & Validation | The process of checking or testing that data, transactions, or operations are accurate, complete, and valid before finalization or further processing. |
| Monitoring | Confirmations | Seeking acknowledgment from external parties (e.g., customers, counterparties) to validate the accuracy of records, transactions, or balances. |
| Monitoring | Reconciliations | Comparing two sets of records (e.g., internal records vs. external statements) to ensure they are consistent, identifying and resolving any discrepancies. |
| Monitoring | Reviews and Escalations | Regular examination of activities, transactions, or processes to ensure they comply with policies and stay within predefined limits. Issues are escalated to higher management when they exceed thresholds or present anomalies. |
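The segregation and monitoring controls in the table are mechanical enough to enforce in code. The following is an added illustration, not part of the original page or of the ECRG framework: it implements a maker-checker workflow that refuses to let the maker approve their own transaction (segregation of duties), requires two distinct approvers above a threshold (dual control), and reconciles an internal ledger against an external statement, reporting each discrepancy for resolution. The threshold, the user names and the two sets of records are constructed sample values.

```python
from dataclasses import dataclass, field
from decimal import Decimal


class ControlViolation(Exception):
    """Raised when an action would breach a segregation control."""


# Constructed policy value: transactions at or above this amount need two checkers.
DUAL_CONTROL_THRESHOLD = Decimal("10000")


@dataclass
class Transaction:
    tx_id: str
    amount: Decimal
    maker: str                      # the user who initiated the transaction
    approvals: list = field(default_factory=list)  # distinct checkers so far
    executed: bool = False


def required_approvals(amount: Decimal) -> int:
    """Maker-checker needs one checker; dual control needs two above the threshold."""
    return 2 if amount >= DUAL_CONTROL_THRESHOLD else 1


def approve(tx: Transaction, checker: str) -> bool:
    """Record a checker's approval, enforcing the segregation controls.

    Returns True once enough distinct checkers have approved and the
    transaction is released for execution.
    """
    if tx.executed:
        raise ControlViolation(f"{tx.tx_id}: already executed")
    if checker == tx.maker:
        # Segregation of duties: the maker may never check their own work.
        raise ControlViolation(f"{tx.tx_id}: maker {checker} cannot approve own transaction")
    if checker in tx.approvals:
        # Dual control: the same person cannot supply both approvals.
        raise ControlViolation(f"{tx.tx_id}: {checker} has already approved")
    tx.approvals.append(checker)
    if len(tx.approvals) >= required_approvals(tx.amount):
        tx.executed = True
    return tx.executed


def reconcile(internal: dict, external: dict) -> list:
    """Compare two record sets keyed by transaction id and list every break.

    Each break is a dict naming the id, the kind of discrepancy and both
    values, so a reviewer can resolve (and if needed escalate) it.
    """
    breaks = []
    for tx_id in sorted(set(internal) | set(external)):
        ours, theirs = internal.get(tx_id), external.get(tx_id)
        if ours is None:
            kind = "missing internally"
        elif theirs is None:
            kind = "missing externally"
        elif ours != theirs:
            kind = "amount mismatch"
        else:
            continue  # matched, nothing to do
        breaks.append({"tx_id": tx_id, "kind": kind, "internal": ours, "external": theirs})
    return breaks


# Constructed sample records: one mismatch, one missing on each side.
INTERNAL_LEDGER = {"T1": Decimal("100.00"), "T2": Decimal("250.00"), "T3": Decimal("75.50")}
EXTERNAL_STATEMENT = {"T1": Decimal("100.00"), "T2": Decimal("205.00"), "T4": Decimal("40.00")}


if __name__ == "__main__":
    tx = Transaction("T9", Decimal("25000"), maker="alice")
    try:
        approve(tx, "alice")
    except ControlViolation as exc:
        print("blocked:", exc)
    print("released after bob:", approve(tx, "bob"))      # False, needs a second checker
    print("released after carol:", approve(tx, "carol"))  # True
    for b in reconcile(INTERNAL_LEDGER, EXTERNAL_STATEMENT):
        print(b)
```

Reconciliation breaks are returned rather than silently logged so that the caller can route them into the review-and-escalation step; a break that exceeds a limit is exactly the kind of anomaly that table row describes escalating.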
Often there is not enough available data to do statistical analysis.
Between corrective controls and resilience actions, how can organizations ensure that post-event actions like recovery are strong enough to mitigate future risk events? Could you please give some examples where it would make a meaningful difference in managing operational risk?
I understand that preventative controls reduce the frequency of losses, and detective controls reduce the severity, but how do I determine when to prioritize one type over the other in a risk management framework? I am struggling with deciding whether to focus on preventing risks upfront or to implement stronger detective measures to mitigate impacts after an event occurs.
Based on the Reconciliations description, how can the organization enhance its reconciliation processes to ensure that discrepancies between internal records and external statements are identified and resolved more efficiently, thereby reducing the risk of financial misstatements or operational errors?
In traditional risk frameworks, corrective controls are critical for mitigating losses post-event. How does the ECRG framework integrate resilience measures effectively to replace what would typically be classified as corrective controls?