Internal Control Effectiveness (ICE) Methodology in Risk Controls


Introduction

Over the years of Risk Training, Advisory and Consulting, one specific challenge that stood out for me is that risk registers do not use a methodology to effectively measure the controls listed under the Management Controls (MC) section of the risk register, or the effectiveness of those controls.

This is a real dilemma and a risk manager's conundrum when validating the information documented in one of the highest-level documents a company, department or operational section can have. To address a risk that specifically concerns the Objective of the Company, at whichever level the risk register sits, you must have performance in mind; without verifiable, repeatable and validated information, how can one provide Assurance to the leadership?

If you cannot quantify a risk and its listed Management Controls, you cannot provide a Level of Assurance (LoA) to anyone. The result of the risk assessment process is then effectively nullified, and the owner of the risk register / risk owner is relying on Fear, Uncertainty and Doubt (FUD) to convince the leadership to accept the status quo.

For me as a Chief Executive Officer (CEO), who must account to my Board of Directors for the performance of my company, this would be totally unacceptable. This is especially true where annual increases as well as performance bonuses are under discussion.

Internal Control Effectiveness (ICE) Methodology in Risk Controls

What is Internal Control Effectiveness, or, as we call it, the ICE measurement? Every standard in the world addresses some form of ICE, with models ranging from very weak to very strong.

Example 1: The 30% Increment ICE Matrix:

Here is one of the models out in the market. This is the 30% Increment ICE Matrix:

As per the table above, this is for very immature companies. The ICE Criteria are so wide that the measurement does not actually provide any assurance. Look at the example of a 60% effectiveness versus a 61% effectiveness: this is a difference of only 1%, yet it has a totally different meaning in terms of the Effectiveness Factor, which changes from Partially adequate to Adequate. This is fundamentally wrong and does not support driving the objectives of a company and keeping that company relevant in the current global economy.

Example 2: No Percentage / 25% Increment ICE Matrix

The matrix below indicates the Treatment rating, the Effectiveness Naming Convention, the description, no percentage for measurement, and then a Treatment of the effectiveness rating. The levels could be interpreted as 0%, 25%, 50%, 70% and 90%.

But if this is not explicitly indicated, it will be interpreted according to the inherent knowledge base of the incumbent, which leaves much to be desired.

Various other examples could be documented here, as we have encountered them in the business environment. The Internal Control Effectiveness (ICE) Matrix is one of the most important criteria pillars of modern risk management environments.

Without strong, verifiable, repeatable and validated criteria, the results will lack the trust and accountability a CEO expects from their employees.

Create the best possible ICE Criteria

Over the years, and through CAA's extensive exposure to risk environments, we have developed the following ICE Criteria to be used when measuring Management Risk Controls. The table below provides a guide to more effective ICE development. It makes provision for smaller increments of 10% per level; the definitions can be changed to enhance your process, but the most important element is the Percentage effectiveness.

This is your measuring scale for the effectiveness of the controls. Below the ICE matrix is the risk acceptance threshold, the minimum standard for risk treatment: everything below 69% performance must be treated. This is to drive Very good to Excellent Control Effectiveness throughout the company.

Conclusion

This is one part of the risk assessment and risk evaluation process. The ICE factor is an extremely important part of the performance of the company. Your risk assessment is the barometer of the company's Objectives. If your measurement is mediocre, your achievements will be as well.

This series of articles is steadily proceeding through the structure of a Risk Register and how to optimise the risk management process as a trusted process within the Strategic Management ecosystem of any company.
