Purpose: To set the details of a control once attached to a risk.
To Access: Risk Management - Risk Evaluation (or Risk Review) - select a control - select Edit from the Risk Select Action dropdown list.
All controls attached to the selected risk are listed and you can switch to another control by clicking the Select link.
Data Fields:
Control Name: A short name to describe the control. Cannot be changed here. See Changing Master File Data.
Description of Control: A full description of the control mechanism or procedure. Cannot be changed here. See Changing Master File Data.
Control Number: A reference number for the control (optional). The control list is sorted according to the Control Number. If not entered, the list will be sorted according the oldest added item first.
Control Status: Select the status of the control from the dropdown list. If the Status is other than 'Implemented', the inherent risk will NOT be affected by the control.
Control Status Date: The data the control status was last changed.
Status Updated By: The person who last updated the control status, cannot be modified.
Control Category: Select a control category from the dropdown list.
Control Type: Select a type of control from the dropdown list.
Key Control: Tick if it is a key control.
Control Effectiveness: Select an appropriate control effectiveness level for the risk consequence and the risk likelihood from the dropdown list.
Ctrl Frequency (Control Execution Frequency): How often is the control executed.
Control Owner: The person who has the overall responsibility for the control.
Estimated Control Cost: (Optional) The annualised cost of the control.
Control Executed By: The person responsible for executing the control.
Comment - Any notes or comments on the control that are not captured elsewhere.
The effectiveness of the controls for a risk is combined using a statistical algorithm weighing the consequence and likelihood of the risk and the effectiveness of the control over the consequence and likelihood of the risk for each control to arrive at the overall control level for the risk which is shown on the Risk Evaluation screen.
If the Effectiveness of Control is not Very Effective, that means there is a residual risk after the control is applied. When this happens, the system will ask whether you want to accept the residual risk. If you accept the residual risk, you will be asked to enter the reason why you accept it. If you do not accept the residual risk, you should enter an action plan to further treat the risk until it becomes acceptable.
You may attach more controls to the risk by clicking the Attach Control button.
If there are incidents linked to this control, they will be displayed. You can view (but not modify) the incident if you are authorised to view the incident by clicking the Open link.
See also: