Risk management

6 Control effectiveness

Control effectiveness must be tested in two dimensions:

  • Is the control designed effectively?
  • Is the control operating effectively?

It is important to make sure that the control is still working in the way that was originally intended. For this reason it is good practice to have assurance over controls: people check that the control is designed and is operating as intended. It is also good practice to periodically review incidents (risks that have occurred) to see whether there are any other root causes that have occurred or that have not previously been identified, and whether the controls really are operating as intended. If control weaknesses are found, then a higher level of risk than expected is being taken. This activity can be seen as testing control effectiveness.

A control must first be designed to be effective, in that its phases should act as intended on the root cause, the event or the consequence. If the control is not designed correctly, then even if it is operated effectively it cannot effectively manage the risk. For example, if a fire alarm only has smoke detectors fitted on one side of a building, it will fail to detect a fire on the other side of the building. That failure is a result of control design.

If designed correctly, the control must then be operated effectively. To be effective in operation, the control as deployed in the organisation, as per the design, must provide the required action on the root cause, the event or the consequence. In the case of the fire alarm, if smoke detectors were fitted but were disconnected from the electricity supply or had their batteries removed, then they would fail to operate in the event of a fire.

To test effectiveness the organisation must seek to answer two questions: have the controls been designed effectively, and is the organisation operating these controls effectively?

More mature organisations will understand the cost of running and assuring a control and be able to compare it to the reduction in risk and incidents. They are then able to perform a cost–benefit analysis for their controls.

