7.4 What happens if an event is to be recorded but the risk isn’t currently in the system?
It will not be possible to build a Risk Management system that contains all conceivable risks; the system will develop and evolve over time. This means that “events”, whether actual or “near misses”, will be experienced that are not currently in the risk database. How are these to be treated? It is not good practice to allow the staff recording “events” to update the various Risk Profiles in the database. If this were allowed, a function that is comfortable with its internal control environment, and whose regular control testing shows no significant problems, could suddenly see its “Control Gap” increase significantly because someone has added new risks; perhaps these risks prove on investigation not to be risks after all, or not risks relating to this function.
To cater for this situation, it is best to ensure that the document referred to above includes a statement to the effect that if an “event” cannot be clearly tied to an existing identified risk, it needs to be reported to a senior person for review and, possibly, formal inclusion in the relevant Risk Profile(s).
The final point to make on Event Recording is that it is not enough merely to have a system that records “events” and “near misses”. To be of real value, the system needs to indicate which controls are available to mitigate the particular risk in question and how effective they were in doing so. One reason this is important is that if a series of “events” occurs involving one particular risk, and it is decided that the level of such “events” is now unacceptable, additional mitigating activity needs to be instituted. This can take one of two forms:
1. Design and install more controls; this is an expensive option.
2. Improve the diligence with which existing controls are applied; this is a much cheaper option.
If you have not recorded how effective existing controls are, you cannot decide which option to choose.
Finally, there is one further benefit to be derived from the collection and analysis of event data: the ability to use such data in a predictive capacity. By using mathematical techniques such as Monte Carlo simulation, it is possible to use historical data to predict the value of likely losses in the future; this allows the business to perform a cost/benefit analysis to determine whether to invest in additional controls.
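The following is an added example, not part of the original manual or of any product it describes, showing one way to run such a simulation: it resamples recorded event losses (a bootstrap form of Monte Carlo) to estimate annual losses with and without an extra control. The loss figures are constructed, and `prevention_rate` and `annual_cost` are assumed inputs that would come from the recorded control-effectiveness data and the control's budget.

```python
import random
import statistics

# Constructed sample data: loss amounts of recorded events, one list per year.
HISTORICAL_YEARS = [[1200, 300], [4500], [], [800, 2500, 150], [9000, 600]]

def simulate_annual_losses(years, trials=20000, prevention_rate=0.0, seed=1):
    """Bootstrap Monte Carlo: return a sorted list of simulated annual losses.

    prevention_rate is the assumed fraction of events that an extra control
    (or more diligent use of an existing one) would stop.
    """
    rng = random.Random(seed)
    counts = [len(y) for y in years]             # events per historical year
    severities = [x for y in years for x in y]   # pooled loss per event
    results = []
    for _ in range(trials):
        total = 0.0
        for _ in range(rng.choice(counts)):      # resample a yearly event count
            if rng.random() >= prevention_rate:  # event gets past the control
                total += rng.choice(severities)  # resample a loss amount
        results.append(total)
    results.sort()
    return results

def summarise(losses):
    """Mean annual loss and the 95th-percentile (bad year) loss."""
    return statistics.mean(losses), losses[int(0.95 * len(losses))]

def control_is_worthwhile(years, prevention_rate, annual_cost, **kw):
    """Cost/benefit: does the expected saving exceed the control's yearly cost?"""
    base_mean, _ = summarise(simulate_annual_losses(years, **kw))
    ctrl_mean, _ = summarise(
        simulate_annual_losses(years, prevention_rate=prevention_rate, **kw))
    return (base_mean - ctrl_mean) > annual_cost

if __name__ == "__main__":
    for label, rate in (("current controls", 0.0), ("added control", 0.5)):
        mean, p95 = summarise(
            simulate_annual_losses(HISTORICAL_YEARS, prevention_rate=rate))
        print(f"{label}: mean {mean:,.0f}  95th percentile {p95:,.0f}")
    print("worth 1,000 per year?",
          control_is_worthwhile(HISTORICAL_YEARS, 0.5, 1000))
```

With only a handful of recorded events the resampled distribution cannot exceed the worst combinations already seen, so the 95th-percentile figure understates rare, very large losses until more event history has been collected.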