Risk management

7 Human factors as a controls weakness

When designing a control it is often important to think about the factors that could affect it working correctly or how the control could be bypassed or circumvented.

As with other areas of risk management mentioned previously, human factors can impact control operation. Controls that require people can often be less effective if people are:

  • not trained correctly
  • tired
  • under the influence of drugs or alcohol
  • over-worked
  • distracted.

For this reason there is an increasing trend to automate controls. In fact, in many high-hazard industries there is a control hierarchy, where automated and human controls combine. In such industries mathematical models and calculations are often performed (and required by regulators) to demonstrate that the controls reduce the probability of the risk down to a level that is ‘as low as reasonably practicable’ (ALARP).

Activity 3 Managing risk

Timing: Allow approximately 10 minutes

Consider how risks are managed through controls.

Recall the special process organisation example. The action plan is complete but how is the risk maintained? You have already completed the six control items for:

  • machine health monitoring
  • quarterly emergency response exercise
  • shop-floor IT audit.

Now it is your opportunity to complete this for operator maintenance training.

Table 4 Operator maintenance training

The original table has five columns: Information, Machine monitors, Exercises, IT audit and Training. The Training column is blank for you to complete; the other three are reproduced below, row by row.

Why does the control exist?
  • Machine monitors: To provide monitoring of the maintenance status of all shop-floor machines.
  • Exercises: To provide the organisation management with assurance that the organisation can respond in an emergency.
  • IT audit: To ensure all devices within the shop floor meet the current IT security standards.
  • Training: (for you to complete)

Who owns the control?
  • Machine monitors: Head of maintenance.
  • Exercises: Head of health and safety.
  • IT audit: Head of IT.
  • Training: (for you to complete)

What does the control do?
  • Machine monitors: For connected machines it provides a warning indicator in the maintenance office for any machine that is outside its specified maintenance parameters. Operatives in this area must then attend the machine and resolve the issue highlighted, in line with the maintenance policy and instructions for that machine.
  • Exercises: Exercises the organisation’s emergency response plans to ensure that employees and processes act as expected. Any issues found should lead to a rectification plan to fix them.
  • IT audit: An audit undertaken by members of the IT team to understand what devices are within the shop floor and whether they are currently up to date with IT security standards. Non-compliant items are either rectified or quarantined.
  • Training: (for you to complete)

When?
  • Machine monitors: Continuous monitoring.
  • Exercises: One exercise per quarter, each in a different part of the organisation.
  • IT audit: Normally annual, but may be ad hoc in response to an incident.
  • Training: (for you to complete)

How?
  • Machine monitors: The machines’ alerts are either hard-wired or connect via Wi-Fi to terminals in the maintenance office. When an issue is detected it sounds an alarm and sends an alert to team members.
  • Exercises: A member of the H&S team launches the exercise and records how the organisation responds against what is planned.
  • IT audit: Normally done remotely by the IT department; however, for some older hardware this may require a physical audit.
  • Training: (for you to complete)

What happens if errors or omissions are identified?
  • Machine monitors: Operatives from the maintenance team should rectify issues.
  • Exercises: The H&S department provides a report to the organisation management team highlighting any issues encountered. This provides recommendations that the organisation management ensure are implemented.
  • IT audit: Non-compliant items are either ‘fixed’, quarantined to decide next steps, or removed, depending on the item, its business criticality and the severity of the issue found.
  • Training: (for you to complete)

Levels of tolerance
  • Machine monitors: Machines are classified by their criticality to the process. Each level of criticality has an associated level of response and maintenance; for example, some low-criticality machines do not require an immediate response.
  • Exercises: Recommendations are classified as major and minor. It may be acceptable for some minor recommendations to be left open.
  • IT audit: All hardware in use must meet the required standard; there is no allowance for non-compliant hardware.
  • Training: (for you to complete)

How is a control evidenced?
  • Machine monitors: The system is documented within the IT department’s manual. Work carried out in response to alerts is shown in the Maintenance department’s job log.
  • Exercises: All exercises are documented with the H&S department.
  • IT audit: IT documents the audit and their findings. The business area documents follow-up remediation with IT.
  • Training: (for you to complete)

Now watch the following two videos, which look at controls and actions working in tandem, and at mitigating controls.


Transcript: Video 2 Controls and actions working in tandem

We have now looked individually at how actions and controls treat or mitigate risk. However, this is not the complete picture. To effectively mitigate risk, both actions and controls must be used together systematically to achieve the best outcome for an organisation.
To explain this, let's look again at the probability impact diagram, PID. As previously discussed, every risk has a place or risk level on the PID, which is a combination of its probability of occurring and its impact to the organisation. If we assess that we need to treat the risk, we can take an action that will reduce the impact of the risk, or we can take an action, which will reduce the probability of the risk.
In either case, we arrive at a new risk level that is either a low probability of the risk occurring or a lower impact if the risk should occur. We may choose to take both actions or have an action that reduces both probability and impact. In such cases, we will need to understand where the new risk level is for the combined actions.
At this stage, let's keep this simple and remember that any action gives us a new risk level. However, over time, the new risk level can erode. Changes made by the action can be reversed. And the risk level can ultimately drift back to its original position.
It is at this point where controls come into play. Controls are the repeatable activities that ensure that actions that have been implemented are sustained. Controls prevent the reversal of good practice by preventing organisations from deviating from solutions that they have created to prevent unwanted risk from occurring or reoccurring.
Let's use a real life example to illustrate this. Consider the risk of fire in your work environment, whether it be an office, shop, factory, or other location. There'll be a gross and current assessment of the risk of fire where you work. If you work in a location that holds stock or inventory, these items may alter the assessment of the fire risk.
Large quantities of certain materials will support the rapid spread of a fire with the potential to increase the overall size of the fire and the impact of that fire. The loss of large quantities of inventory in a fire could also have a cash impact on the business, especially if not all of the stock was covered by an insurance claim. A company might then, in an attempt to reduce its fire risk, set stock levels and work down excess until it had reached those targets.
Alternatively, a workplace may use flammable materials in various locations. These materials will support a source of ignition that otherwise would not result in a fire. To reduce the likelihood of flammable materials coming into contact with a source of ignition, the workplace management undertake an action to review all flammable materials to see if alternatives can be used. In doing so and removing some flammable materials, the probability of fire is reduced. Both of our actions will result in a new risk level, but without any controls.
If no one is monitoring the stock levels to check if they are in line with what was agreed, then these levels may increase. For example, if a large order is won, holding more stock may be one way the company chooses to meet demand. Similarly, if no one is checking the materials used in the processes, it is possible that new flammable materials are brought into the workplace, perhaps because the new materials are not achieving the desired results or insufficient design of the process has taken place.
In either case, the risk could move from what the planned actions had achieved to a new risk level, and importantly, often without the company's awareness that this has taken place. However, with controls, this situation is avoided. A stock control process, which flags when the stock levels are likely to exceed set limits and provides some efforts to get back in control, will stop stock from exceeding set levels.
An approval-and-change process for all processes or activities carried out in the workplace controls what flammables are allowed in the workplace and defines how these are managed. We should maintain the probability of an ignition source and the flammable coming into contact at the desired level for the workplace. Hence, actions are necessary to reach the desired level of risk. But controls are equally important in ensuring that the risk remains at that set level.

Transcript: Video 3 Mitigating controls

90% of risks in any organisation are known risks. They're not new things. They're known risks. And at some point in the past, they will have been- the risk would have materialised, and something bad would have happened, and some control will have been developed in order to mitigate that risk.
So your internal control framework, at whatever level it is, whether it's high-level controls or operational controls- they're all there for a reason.
So an internal control is just a repeatable action or activity, something that happens over and over again. So a great example of that, for me, would be when I- a long time ago now, when I was a student, I worked in a soap factory. And one of the things that the soap factory had to do was to make sure that there weren't any defective bits of soap.
They started off by employing some unfortunate lady or gentleman who had to physically look at each bar of soap and check that they were actually of the right size and colour. What they did to test whether that was working at one point is some ingenious person put a piece of coal on the production line to see whether the person would spot the piece of coal from the piece of soap. And they couldn't, because they'd been looking at that many bits of soap. They'd gone soap blind, if you like.
What they then did is they put in place something that was more robust to stop bits of coal getting mixed up with their soap. So for me, an internal control is something that takes a repeatable action to make sure you achieve your objective. So in my soap example, you're not getting pieces of coal in your shower in the morning. You're using pieces of soap.
Internal controls are a vital part of risk management, and they ensure that our risk levels are accurately assessed and remain in control, ultimately. Action plans are all good and well for reducing the level of risk, but actually monitoring the level of risk is what controls are there for. If our controls fail, our risk level may increase beyond what we think is acceptable. And controls themselves are generally a repeatable action that you will continue to do maybe month by month. They could be automated, or they could be a human-type control.
So internal controls are important because in essence, whatever you're trying to achieve is a journey. You're trying to get to the end goal, the finish line. And you'll travel a road to get there. Now, sometimes that road will be bumpy. Sometimes it will be smooth. Sometimes it will be wide. Sometimes it'll be twisty and turny.
But you've got to go across the road. You've got to get- that's how you get to the end result. And what internal controls are- internal controls are the signposts that say slow down here, bends ahead. The safety barriers at the side stop you driving off.
Now, that's not to say that, in essence, you might drive right instead of left, you might drive too fast or too slow and do yourself an injury of some sort. But what they do do is they will get you there. The reality of it is no internal control is perfect. They have a wide remit they have to cover anyway. But if you follow those, you will get to the end result, which is the important thing.
