6 Control effectiveness
Control effectiveness must be tested in two dimensions:
- Is the control designed effectively?
- Is the control operating effectively?
It is important to make sure that the control is still working in the way that was originally intended. Because of this it is good practice to have assurance over controls: people check that the control is designed and is operating as intended. It is also good practice to periodically review incidents (risks that have occurred) to see whether there are other root causes that have occurred or have not previously been identified, and whether the controls really are operating as intended. If control weaknesses are found, then a higher level of risk than expected is being taken. This activity can be seen as testing control effectiveness.
A control must first be designed to be effective, in that its phases should act as intended on the root cause, the event or the consequence. If the control is not designed correctly, then even if it is operated effectively it cannot effectively manage the risk. For example, if a fire alarm only has smoke detectors fitted on one side of a building, it will fail to detect a fire on the other side of the building; this is a failure of control design.
If designed correctly, the control must then be operated effectively. To be effective in operation, the control as deployed in the organisation, in line with its design, must provide the required action on the root cause, the event or the consequence. In the case of the fire alarm, if smoke detectors were fitted but were disconnected from the electricity supply or had their batteries removed, then they would fail to operate in the event of a fire.
To test effectiveness the organisation must seek to answer two questions: have the controls been designed effectively, and is the organisation operating these controls effectively?
More mature organisations will understand the cost of running and assuring a control and be able to compare it to the reduction in risk and incidents. They are then able to perform a cost–benefit analysis for their controls.