The more important each control is (i.e. the bigger the level of risk reduction it achieves) the more important it is to have assurance. Assurance of controls should look at both the design (does the control, as designed, reduce the probability or impact of the risk?) and also the operation (is the control operating in the way the design intended?), to confirm that both are effective.
There is a ‘many to many’ relationship between risks and controls. This means that each risk could have several controls related to it, but also that one control may mitigate several risks. Controls are often embedded in processes, and organisations often get assurance over their controls by auditing those processes. When identifying their key controls, organisations should also consider situations where they are reliant on a single control.
Activity 2 Risk/control matrix
One way to manage the ‘many to many’ relationship is by using a risk/control matrix.