Manage Tomorrow's Surprises Today

Steven Minsky

How to Effectively Monitor Risks and Controls: Testing vs. Metrics


In today's organizations, risk managers are tasked with the responsibility of effectively monitoring risk. They need to know what to monitor and how to determine if mitigation activities are effectively preventing risks from materializing. Traditionally, organizations monitor activities through Control Testing, but this provides little more than a false sense of security for organizations.

A major weakness in using Testing alone to monitor mitigation activities is that testing usually tells you whether an activity is being complied with internally, but not whether the activity is actually adequately covering the risk or producing any business value.

In most organizations, controls are put in place to implicitly cover a risk, and soon after the activities are in place, everyone loses sight of the control's original purpose. It becomes an internal compliance activity rather than a risk mitigation strategy.

A better way to monitor control effectiveness is through a formalized ERM process, where risks, mitigations, and monitoring activities are explicitly linked, and business metrics are leveraged to measure coverage through business results.

Collecting business metrics enables you to track the progress of your mitigation activities over time. You can set targets and tolerance levels around these metrics so that warning signs appear as a metric begins to move out of tolerance. This allows you to take action before a negative outcome materializes.

Here's an example of this theory based on a real customer's situation.

A bank has an online banking system that goes down frequently and the subject matter expert on that system never seems to be available when there is an issue. The company then institutes a training program to cross-train more individuals. Often, organizations get caught up in testing the compliance or occurrence of the control, such as "Has every new IT hire completed the training within the first 6 months?" and lose sight of why the activity was implemented in the first place - in this case, to improve system uptime.

In this situation, once the bank began tracking the business metric of system uptime, it was able to see that there was no improvement from the control activity. The bank reinvestigated and realized that the system was going down during peak usage times, like lunch, when the subject matter expert was away from their desk. The bank can now institute effective activities, like adding more memory to the system.
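The bank example above can be expressed as a small monitor that evaluates both views side by side: the traditional control test (has everyone completed the training?) and the business metric with a target and tolerance band (is uptime actually improving?). The code below is an added illustration, not part of the original post or any LogicManager product; the monthly training-completion and uptime figures, the 99.9% target, the 0.3-point tolerance band and the 0.2-point "meaningful improvement" threshold are all constructed assumptions chosen to reproduce the situation the post describes.

```python
from statistics import mean

# Constructed sample data (not from the post): twelve monthly observations,
# six before and six after the cross-training program was introduced.
TRAINING_COMPLETION_PCT = [10, 25, 40, 60, 85, 100, 100, 100, 100, 100, 100, 100]
UPTIME_PCT = [99.2, 99.1, 99.3, 99.0, 99.2, 99.1, 99.2, 99.0, 99.3, 99.1, 99.2, 99.1]
CONTROL_START = 6  # index of the first month after the program was introduced

# Assumed target and tolerance for a higher-is-better metric: at or above the
# target is fine, up to TOLERANCE points below it is a warning, beyond that a breach.
UPTIME_TARGET = 99.9
UPTIME_TOLERANCE = 0.3


def classify(value, target, tolerance):
    """Return 'ok', 'warning' or 'breach' for a single observation."""
    if value >= target:
        return "ok"
    if value >= target - tolerance:
        return "warning"
    return "breach"


def evaluate_series(values, target, tolerance):
    """Classify every period; returns (period_index, value, status) tuples."""
    return [(i, v, classify(v, target, tolerance)) for i, v in enumerate(values)]


def first_alert(values, target, tolerance):
    """Index of the first period that leaves 'ok', or None if the series never does.
    This is the early-warning point at which the post says action should be taken."""
    for i, _value, status in evaluate_series(values, target, tolerance):
        if status != "ok":
            return i
    return None


def control_test_passes(completion_pct, threshold=100):
    """The traditional control test: did everyone complete the training?
    It only looks at the latest period and says nothing about the risk."""
    return completion_pct[-1] >= threshold


def control_moved_metric(values, control_start, min_improvement):
    """Compare the business metric before and after the control was introduced;
    True only if the average improved by at least min_improvement points."""
    before = mean(values[:control_start])
    after = mean(values[control_start:])
    return after - before >= min_improvement


def assess(completion_pct, uptime_pct, control_start):
    """Combine both views: compliance with the control versus its effect on the risk."""
    return {
        "control_test_passes": control_test_passes(completion_pct),
        "uptime_improved": control_moved_metric(uptime_pct, control_start, 0.2),
        "current_uptime_status": classify(uptime_pct[-1], UPTIME_TARGET, UPTIME_TOLERANCE),
        "first_alert_period": first_alert(uptime_pct, UPTIME_TARGET, UPTIME_TOLERANCE),
    }


if __name__ == "__main__":
    # With the constructed data the control test passes while uptime never
    # improves and stays in breach, which is exactly the gap the post describes.
    for period, value, status in evaluate_series(UPTIME_PCT, UPTIME_TARGET, UPTIME_TOLERANCE):
        print(f"month {period:2d}: uptime {value:.1f}% -> {status}")
    print(assess(TRAINING_COMPLETION_PCT, UPTIME_PCT, CONTROL_START))
```

The point of keeping `control_test_passes` and `control_moved_metric` as separate functions is that a dashboard built only on the first would show green throughout, while the second (together with `first_alert`) flags in the very first month that the risk is not being covered and keeps flagging after the control is in place.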

By tracking business metrics, organizations are able to more effectively mitigate existing risks and detect emerging risks long before they have significantly affected the organization.

To learn more about Risk Monitoring and Controls and other ERM best practices, download our eBook 5 Characteristics of the Best ERM Programs.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc. the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at
