1.1 Eight Facts of Business Life
Any system designed to meaningfully evaluate and consistently report on the standard of an organisation’s control environment must be capable of dealing with the “Eight Facts of Business Life”. These describe the complex interactions and the many-to-many relationships that exist between risks and controls, and they are at the heart of CGC’s philosophy on Risk Management:
• Control cannot be evaluated unless you understand the risks
• Risks affect many different aspects of an organisation’s activities, and some are more important than others
• The quantity/size/value/volume of the attribute at risk varies depending upon the type of exposure
• If there were no controls in place it does not follow that all risks would occur – i.e., there are degrees of probability
• Preventative controls are more effective than detective controls
• All controls have a degree of effectiveness depending upon the risks they address
• It is common to require more than one control in order to fully mitigate a single risk
• The effectiveness of a control is impacted by the thoroughness with which it is applied
Although it is difficult even for trained professionals, such as Internal Auditors or Risk Managers, to handle these complex interactions, it is more difficult still for untrained staff to do so, as some Control Risk Self-Assessment (CRSA) systems expect them to.
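As an added illustration (not CGC’s own model or code), the following Python sketch shows one way a risk register can encode the eight facts: controls are linked many-to-many to risks, a risk keeps its own inherent probability and value at risk, each control has an effectiveness and an application thoroughness, detective controls are down-weighted relative to preventative ones, and a control cannot be rated without at least one linked risk. The weight, the combining formula and the sample register are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed weight: a detective control removes less exposure than a preventative one (fact 5).
DETECTIVE_WEIGHT = 0.6


@dataclass(frozen=True)
class Control:
    name: str
    kind: str             # "preventative" or "detective"
    effectiveness: float  # 0..1, how well it addresses the risk when fully applied (fact 6)
    application: float    # 0..1, how thoroughly it is actually applied (fact 8)

    def reduction(self) -> float:
        """Fraction of a risk's probability this control removes (assumed model)."""
        weight = 1.0 if self.kind == "preventative" else DETECTIVE_WEIGHT
        return self.effectiveness * self.application * weight


@dataclass
class Risk:
    name: str
    probability: float    # inherent likelihood with no controls in place (fact 4)
    value_at_risk: float  # size of the attribute exposed (fact 3)
    controls: List[Control] = field(default_factory=list)  # many-to-many (fact 7)

    def residual_probability(self) -> float:
        # Assumed: controls act independently, each removing its share of what remains.
        p = self.probability
        for c in self.controls:
            p *= 1.0 - c.reduction()
        return p

    def residual_exposure(self) -> float:
        return self.residual_probability() * self.value_at_risk


def control_rating(control: Control, register: List[Risk]) -> float:
    """Rate a control only in the context of the risks it is linked to (fact 1)."""
    linked = [r for r in register if control in r.controls]
    if not linked:
        raise ValueError(f"{control.name}: cannot evaluate a control with no linked risk")
    # Inherent exposure the control alone would remove, summed over every linked risk.
    return sum(r.probability * r.value_at_risk * control.reduction() for r in linked)


# Constructed sample register (not real data).
approval = Control("Two-person payment approval", "preventative", 0.9, 0.8)
recon = Control("Monthly bank reconciliation", "detective", 0.8, 1.0)
FRAUD = Risk("Fraudulent payment", 0.2, 100_000.0, [approval, recon])
DUPLICATE = Risk("Duplicate payment", 0.3, 20_000.0, [recon])
REGISTER = [FRAUD, DUPLICATE]
```

The shared reconciliation control shows why a control’s rating depends on the risks it is linked to: it scores on both risks, while the approval control scores only on the fraud risk.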