Anthony Peccia

Controls

Updated: Oct 29


Controls are processes executed by people or systems to keep potential losses within the Risk Appetite (RA), by reducing either the frequency or the severity of a potential loss.

Preventative controls reduce the frequency of losses; detective controls reduce the severity of losses by catching an event early, before the loss grows.


Some frameworks define further categories, such as corrective controls: actions taken after an operational risk event has occurred. These additional "controls" are needed only when the operational risk management framework is not comprehensive. ECRG is comprehensive, and in this framework the after-the-event actions are part of Resilience.

Controls help keep potential losses within the RA. Resilience is having the financial and operational resources in place to act and recover rapidly after the event has occurred. For example, a credit card issuer may block a card after it detects a fraudulent transaction. A non-comprehensive risk management framework would call this a corrective control; in the comprehensive ECRG framework it is a resilience action.


At the end of the day, it is not the labels that count. What counts is a systematic, comprehensive approach that guides appropriate and adequate risk management action.


Here are the most common types of controls:


Security Controls that regulate access and protect organizational resources from unauthorized use or harm.

Segregation Controls that divide responsibilities to prevent errors and fraud through collaborative execution and approval of tasks.

Monitoring Controls that ensure data and transaction accuracy through ongoing checking, matching, and oversight.
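The segregation controls listed above (segregation of duties, dual control, maker-checker) and the authorization that security controls require are, in a transaction system, enforced as a workflow that refuses to execute until the controls are satisfied. The following Python sketch is an added example and is not code from the original post or from the ECRG framework. It assumes a hypothetical payment desk whose users, roles, per-role approval limits and dual-control threshold are all constructed for illustration: the maker can never approve their own item, no checker can approve twice, a checker's role must cover the amount, and above the threshold two independent checkers are required.

```python
"""Maker-checker, dual control and authority limits as a workflow.

Added example; not from the original post. Users, roles, limits and the
dual-control threshold are constructed for illustration.
"""
from dataclasses import dataclass, field

# Largest amount (in cents) each role may approve on its own authority (constructed).
APPROVAL_LIMITS = {"clerk": 0, "supervisor": 1_000_000, "manager": 10_000_000}


class ControlViolation(Exception):
    """An action that would breach a segregation or authorization control."""


@dataclass
class Payment:
    amount: int            # cents, so no floating-point rounding
    maker: str             # user who initiated the payment
    approvals: list = field(default_factory=list)  # checkers, in order
    executed: bool = False


class PaymentDesk:
    """Refuses to execute a payment until the controls are met."""

    def __init__(self, roles, dual_control_above):
        self.roles = dict(roles)                  # user -> role (access entitlements)
        self.dual_control_above = dual_control_above

    def required_checkers(self, amount):
        # Dual control (two-person rule) above the threshold, one checker below it.
        return 2 if amount > self.dual_control_above else 1

    def create(self, maker, amount):
        if maker not in self.roles:
            raise ControlViolation(f"unknown user {maker!r}")
        if amount <= 0:
            raise ControlViolation("amount must be positive")
        return Payment(amount=amount, maker=maker)

    def approve(self, payment, checker):
        role = self.roles.get(checker)
        if role is None:
            raise ControlViolation(f"unknown user {checker!r}")
        if payment.executed:
            raise ControlViolation("payment already executed")
        # Maker-checker: the initiator may never be the approver.
        if checker == payment.maker:
            raise ControlViolation(f"{checker} cannot check their own payment")
        # Dual control needs two independent people, not one person clicking twice.
        if checker in payment.approvals:
            raise ControlViolation(f"{checker} has already approved")
        # Authorization: the checker's role must cover the amount.
        if payment.amount > APPROVAL_LIMITS[role]:
            raise ControlViolation(f"{role} limit exceeded for {payment.amount}")
        payment.approvals.append(checker)
        return len(payment.approvals)

    def execute(self, payment):
        needed = self.required_checkers(payment.amount)
        if len(payment.approvals) < needed:
            raise ControlViolation(
                f"{len(payment.approvals)} of {needed} required approvals")
        payment.executed = True
        return payment


def demo():
    """Walk a small and a large payment through the desk; returns approval counts."""
    desk = PaymentDesk(
        roles={"alice": "clerk", "bob": "supervisor",
               "carol": "manager", "dave": "manager"},
        dual_control_above=1_000_000)
    small = desk.create("alice", 50_000)        # $500: one supervisor suffices
    desk.approve(small, "bob")
    desk.execute(small)
    large = desk.create("alice", 5_000_000)     # $50,000: two managers needed
    desk.approve(large, "carol")
    desk.approve(large, "dave")
    desk.execute(large)
    return len(small.approvals), len(large.approvals)


if __name__ == "__main__":
    print(demo())  # (1, 2)
```

Every rejected path raises rather than silently skipping, so an attempt by the maker to approve their own item, or by one manager to approve twice, leaves an exception in the audit trail instead of a quietly executed payment.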



Type: Security

Access Entitlements: Management of user permissions to ensure individuals have appropriate access levels to systems and data based on their job roles, preventing unauthorized access.

Safeguarding Assets: Implementing measures to protect physical and digital assets from loss, theft, damage, or unauthorized use, including secure storage and access controls.

Authorization and Approvals: Ensuring that transactions or actions are reviewed and sanctioned by personnel with the appropriate authority before execution to maintain control integrity.

Type: Segregation

Segregation of Duties: Dividing tasks and responsibilities among different individuals or departments to reduce the risk of error or inappropriate actions, such as fraud or conflicts of interest.

Dual Control: A security measure requiring two authorized individuals to be present and in agreement before sensitive actions can be taken, enhancing control over critical processes. Also known as the two-person rule.

Maker-Checker: A control principle where one individual (the maker) initiates a transaction, and a separate individual (the checker) reviews and approves it to prevent errors or fraud.

Type: Monitoring

Verification & Validation: The process of checking or testing that data, transactions, or operations are accurate, complete, and valid before finalization or further processing.

Confirmations: Seeking acknowledgment from external parties (e.g., customers, counterparties) to validate the accuracy of records, transactions, or balances.

Reconciliations: Comparing two sets of records (e.g., internal records vs. external statements) to ensure they are consistent, identifying and resolving any discrepancies.

Reviews and Escalations: Regular examination of activities, transactions, or processes to ensure they comply with policies and stay within predefined limits. Issues are escalated to higher management when they exceed thresholds or present anomalies.
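The Reconciliations and Reviews and Escalations controls above are the easiest to automate and the easiest to get subtly wrong. The following Python sketch is an added example, not code from the original post or from any vendor product it mentions. It assumes a hypothetical internal ledger and an external statement keyed by transaction id (both constructed, amounts in cents), matches them, classifies every break (amount mismatch, missing on one side, duplicate postings) and decides who must act against constructed thresholds. The threshold test deliberately uses the gross of all breaks rather than the net, because netting lets two offsetting errors, or a fraudulent entry plus a cover-up entry, cancel out and stay below the limit.

```python
"""Reconciliation with escalation thresholds.

Added example, not from the original post. The ledger, the statement and the
escalation thresholds are constructed for illustration.
"""

# Constructed internal ledger and external (e.g. bank) statement, amounts in cents.
INTERNAL_LEDGER = [
    {"id": "T1", "amount": 10_000},
    {"id": "T2", "amount": 25_000},
    {"id": "T3", "amount": 7_500},
    {"id": "T4", "amount": 50_000},
    {"id": "T4", "amount": 50_000},   # posted twice internally
]
EXTERNAL_STATEMENT = [
    {"id": "T1", "amount": 10_000},
    {"id": "T2", "amount": 20_500},   # amount differs from our ledger
    {"id": "T4", "amount": 50_000},
    {"id": "T5", "amount": 4_000},    # not in our ledger at all
]


def index_by_id(records):
    """Group amounts by transaction id; a list per id so duplicates stay visible."""
    idx = {}
    for r in records:
        idx.setdefault(r["id"], []).append(r["amount"])
    return idx


def reconcile(internal, external):
    """Return one break per unmatched id; delta is internal minus external."""
    ours, theirs = index_by_id(internal), index_by_id(external)
    breaks = []
    for tid in sorted(set(ours) | set(theirs)):
        a, b = ours.get(tid, []), theirs.get(tid, [])
        delta = sum(a) - sum(b)
        if len(a) > 1 or len(b) > 1:
            kind = "duplicate"
        elif not a:
            kind = "missing_internal"
        elif not b:
            kind = "missing_external"
        elif delta != 0:
            kind = "amount_mismatch"
        else:
            continue                      # matched exactly
        breaks.append({"id": tid, "kind": kind, "delta": delta})
    return breaks


def escalate(breaks, count_limit, gross_limit):
    """Decide who must act on the breaks.

    The gross (sum of |delta|) drives the threshold, not the net: netting would
    let offsetting errors, or a fraud plus a cover-up entry, hide below the limit.
    """
    net = sum(b["delta"] for b in breaks)
    gross = sum(abs(b["delta"]) for b in breaks)
    if len(breaks) > count_limit or gross > gross_limit:
        level = "management"
    elif breaks:
        level = "process_owner"
    else:
        level = "none"
    return {"level": level, "count": len(breaks), "net": net, "gross": gross}


if __name__ == "__main__":
    found = reconcile(INTERNAL_LEDGER, EXTERNAL_STATEMENT)
    for b in found:
        print(b)
    print(escalate(found, count_limit=3, gross_limit=100_000))
```

On the constructed data the four breaks net to 58,000 cents but gross 66,000; a count limit of 3 sends them to management, while a looser count limit with the same gross limit leaves them with the process owner.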




75 Comments


Often there is not enough available data to do statistical analysis.


Between corrective controls and resilience actions, how can organizations ensure that post-event actions like recovery are strong enough to mitigate future risk events? Could you please give some examples where it would make a meaningful difference in managing operational risk?

Replying to

In the ECRG framework, resiliency is not about mitigating future risk events; it is about what needs to happen after a future event materializes. Controls are about mitigating the impacts of events, to ensure, within a confidence level, that the losses are within the RA.


I understand that preventative controls reduce the frequency of losses, and detective controls reduce the severity, but how do I determine when to prioritize one type over the other in a risk management framework? I am struggling with deciding whether to focus on preventing risks upfront or to implement stronger detective measures to mitigate impacts after an event occurs.

Replying to

One should employ both where both exist or can be created. As with anything in business there are tradeoffs, and policies specify/guide those tradeoffs to ensure consistency and uniformity across the organization.


Based on the Reconciliations description, how can the organization enhance its reconciliation processes to ensure that discrepancies between internal records and external statements are identified and resolved more efficiently, thereby reducing the risk of financial misstatements or operational errors?

Replying to

There are several vendors that offer automated reconciliation systems. AI will also greatly enhance these controls.


In traditional risk frameworks, corrective controls are critical for mitigating losses post-event. How does the ECRG framework integrate resilience measures effectively to replace what would typically be classified as corrective controls?

Replying to

See response to Zhonglin Wan.
