Introduction
Over the years of Risk Training, Advisory and Consulting, one specific challenge that stood out for me is that risk registers are not using a methodology to effectively measure their controls and the effectiveness of their controls listed under the Management Controls (MC) section of the risk registers.
This is a real dilemma and a risk managers conundrum in validating the information documented in one of the highest documents a company, department of operational section can have. To address a risk that is specifically addressing the Objective of the Company, on whichever level the risk register is, you must have performance in mind and without verifiable, repeatable and validated information, how can one provide the Assurance to the leadership.
If you cannot quantify a risk and the listed Management Controls, you cannot provide a Level of Assurance (LoA) to anyone. The result of the risk assessment process is then reasonably nullified, and the owner of the risk register / risk owner is relying on Fear, Uncertainty and Doubt (FUD) to convince the leadership to accept the status quo.
For me as a Chief Executive Officer (CEO), where I need to account to my Board of Directors regarding the performance of my company, this would be totally unacceptable. This is especially where annual increases as well as performance bonusses are under discussion.
Internal Control Effectiveness (ICE) Methodology in Risk Controls
What is Internal Control Effectiveness or as well call it the ICE measurement. Every standard in the world is addressing some sort of ICE, from very weak models to very strong models.
Example 1: The 30% Increment ICE Matrix:
Here is one of the models out in the market. This is the 30% Increment ICE Matrix:

As per the table above, this is for very immature companies. This is where the ICE Criteria is so wide that the measurement actually does not provide any assurance. Look at the example of a 60% effectiveness versus a 61% effectiveness. This is 1% but has a totally different meaning in terms of the Effectiveness Factor, which is changing from Partially adequate to Adequate. This is fundamentally wrong and does not support driving the objectives of a company and making that company relevant in the current global economy.
Example 2: No Percentage / 25% Increment ICE Matrix
This matrix below indicates the Treatment rating, the Effectiveness Naming Convention, the description, no percentage for measurement and then a Treatment of the effectiveness rating. This could be interpreted that it is 0%, 25%, 50%, 70% and 90%.
But if this is not explicitly indicated, it will be interpreted as per the inherent knowledgebase of the incumbent. Which leave much to be desired.

Various other examples could be documented here as we have encountered them in the business environment. The Internal Control Effectiveness (ICE) Matrix is one of the most important criteria pillars of the modern risk management environments.
Without a strong verifiable, repeatable and validated criterion, the results will lack the trust and accountability a CEO is expecting from their employees.
Create the best possible ICE Criteria possible
Over the years and the CAA extensive exposure to risk environments, we have developed the following ICE Criteria to be used when measuring Management Risk Controls. The table below provides a guide to a more effective ICE development. This makes provision for smaller increments of 10% each level, the definition can be changed to enhance your process, but the most important is the Percentage effectiveness.
This is your measuring scale for the effectiveness of the controls. Below the ICE matrix is the risk acceptance as a minimum standard for risk treatment. Everything below a 69% performance, must be treated. This is to drive Very good to Excellent Control Effectiveness throughout the company.

Conclusion
This is one part of the risk assessment and risk evaluation process. The ICE factor is an extremely important part of the performance of the company. Your Risk assessments is the result of your Objective barometer of the company. If your measurement is mediocre, your achievements will be as well.
These articles is steadily proceeding through the structure of a Risk Register and how to optimise the risk management process as a trusted process within the Strategic Management ecosystem of any company.