5.4 RISK & CONTROL EVALUATION


For the Entity being profiled, we now know:

What can go wrong,

Which of many corporate or organisational attributes are at risk if it does,

How much of that attribute would be affected,

Which of several Strategic and Business Unit objectives is potentially at risk and to what degree,

The likelihood of the risk event occurring should the controls prove deficient,

The nature and number of controls available to mitigate each risk,

The current effectiveness of those controls.

 

With our two lists, risks and controls, it would be nice if we could match one risk to one control and identify any shortfall.  Unfortunately, real business life isn’t like that, which brings us to Facts of Business Life 6 and 7:

 

Fact 6

“All controls have a degree of effectiveness depending upon the risk they are addressing.”

 

Fact 7

“It is quite usual for there to be more than one control required to fully mitigate a single risk.”

 

In other words, there is a “many-to-many” relationship between risks and controls.  Because this additional factor has to be built into an already complex situation, the evaluation of the data is best handled by a system-driven Matrix approach.