Introduction
Risk controls are one of the most common processes that need to be assessed during a risk assessment. Crest Advisory Africa (Pty) Ltd (hereinafter CAA) has been leading Board Risk Committees, Executive Risk Committees, Departmental Risk Committees and Operational Risk Committees for over 25 years, and the common mistake identified is the lack of an identifiable, systematic, repeatable and valid process for determining the questions to be asked during the risk assessment facilitation process.
What is evident is that the audience around the table simply lists controls, and the effectiveness of each control is assessed on the strength of that list alone. Also, very few companies assess the quality and effectiveness of their risk controls.
In effect, this means that after listing the risk controls, the audience takes a thumb-suck approach to determining the residual risk rating, with a likelihood and consequence measurement.
This result then becomes the Level of Risk (LoR) and the Level of Assurance (LoA) for the specific risk committee.
This approach is at best mediocre and does not give any of the mentioned committees a sense of assurance that could be validated, repeated and concurred with by an independent review.
P2ST2 Methodology in Risk Controls
What is the above? Well, the P2ST2 Methodology is derived from the ISO 31073:2022 standard. It addresses the controls to be listed and the capacity of the company in terms of the following five categories:
| P2ST2 | Title | Description |
|---|---|---|
| P | People Controls | People controls are everything addressing the people and human aspect of a company: from the structure / organisational chart, recruitment and the appointment of people within the structures, to competence (fit of the person to the purpose, function and company), training, skills assessment (pre and post) and continuous improvement of the people controls. |
| P | Process Controls | Processes are all the physical Policies, Strategies, Objectives, Plans, Manuals, Standard Operating Procedures (SOP), Service Level Agreements (SLA), Memorandums of Agreement (MoA), Memorandums of Understanding (MoU), Templates, Attendance Registers, Minutes of meetings, Agendas, etc. This is in line with a well-defined 4 Level Document Hierarchy as documented in a company’s Document Development and Control Procedure. |
| S | System Controls | Systems are all physical systems enabling the company to enhance its internal controls through the physical capturing of Human Resource Data, Supply Chain Data, Financial Management Data, Safety Management Data and Incident Management Data. The common denominator is that a person needs to capture this data, and where humans are working, errors occur. |
| T | Tools or Equipment Controls | Tools and equipment range from facilities, offices, tables and air-conditioning to computers, server rooms, laptops, printers, pens, paper, etc. Is the company resourced to drive the achievement of its objectives? |
| T | Technology Controls | Technology is different from Systems (see above). This is any advanced technology that automates the system inputs into physical and mathematical evidence, such as CCTV coverage of a site equipped with Numberplate Recognition Software (NPR), Facial Recognition Software, movement activation software, etc. These are the drivers of digital transformation in any company: trusted and automated data that can drive decision making. |
Ask the questions during Risk Management Control Facilitation
The above methodology provides a fantastic guideline for any risk facilitation. From Board level to Operational level, everyone needs to ask the same questions regarding the controls.
Categorise the controls according to the P2ST2 Methodology by addressing each of the Contributing Factors (CF) listed under the Root Cause Analysis (RCA) of the risk register, so that each CF is analysed during the Management Control (MC) analysis.
Here is an example of P2ST2 in practice. The RCA Contributing Factor CF-001 was: "Fail to comply to procurement plan in terms of Project Delivery":

You can see that this one Contributing Factor (CF) has several dimensions to it, and every audience needs to understand this. It also gives the specific committee an excellent overview of the Level of Assurance (LoA) per CF.
Conclusion
This is only one part of the risk assessment process, but it is a super important part, because it ensures that Management Controls (MC) are not listed without evidence. Each and every MC must be randomly inspected through the Combined Assurance structure to determine the validity of the control.
In the following articles, we will address the validity process and Internal Control Effectiveness (ICE).