Protecht’s eleven part complimentary webinar series focusing on a comprehensive deep dive into Workplace Health and Safety (WHS), kicked off on 23 July 2020. Click here to join the upcoming remaining live sessions in this series.
In the 8th Webinar in the series we looked at the importance of Controls Design and Controls Assurance for WHS.
There are 5 Objectives of Controls Design and Assurance:
1. Design an optimal set of controls to achieve a risk level "As Low As Reasonably Practicable" (ALARP)
2. Design controls with optimal cost benefit. This also achieves lower risk.
3. Provide reasonable assurance as to the design and operating effectiveness of our current controls.
4. Identify control gaps and control weaknesses so that they can be remediated.
5. Comply with regulatory requirements.
In the ISO 31000 standard, controls design and assurance are primarily covered by process steps 6. Risk Treatment and step 7. Monitoring and Review. In the ISO 45001 standard, controls assurance is covered by section 8. Operations, in particular section 8.1.2 The Elimination of Hazards, and section 9. Performance Evaluation, in particular section 9.1.1 Monitoring, Measurement, Analysis and Performance Evaluation.
As we have discussed in previous Webinars, we are passionate about integrating WHS into the overall Enterprise Risk Management (ERM) process. The WHS controls process falls under the ERM Controls Assurance process.
In our first poll, we were interested to find out if our Webinar participants had a formal ongoing controls assurance program in place. We asked 'Do you have a formal ongoing controls assurance program in place over your WHS critical controls?'
It is reassuring to see that nearly half of our webinar participants do have a formal program in place over WHS Critical Controls.
In the webinar we explored the importance of controls design to enable it to achieve the control objectives. The design of the control is crucial.
Control design effectiveness assessment assesses the degree to which a control's design allows it to meet the control objective(s). A control can never be better than how it is designed!
The starting point is to articulate the control objective. At Protecht we have developed the following guidance in order to articulate a control objective. The control of ear protection has been used as an example.
In our second poll we asked 'Do you formally record the control objectives of your critical controls?'
When considering Treatment Effectiveness methods in Risk Management, we consider the following 7 possible responses to a Risk:
If we relate this methodology to the WHS Hierarchy of Controls, "Elimination" at the top of the hierarchy is not a control but equivalent to avoidance. Next, "Substitution" is not a control but reflects transformation of the risk. Controls are reflected more in the Administrative, Engineering and PPE parts of the hierarchy.
Using Bow Tie Analysis, a concept that we have explored throughout this webinar series, we can identify our control types and the impact of the controls on likelihood and impact. This helps us to determine our control objectives and ensures that it is more proactive, as we know "prevention is better than cure."
Once we are happy with the design of our controls, we need to provide ongoing controls assurance that the controls are working effectively.
In Risk Management, we often use the 5 by 5 Risk Matrix to assess the effectiveness of controls. We can also use Bow Tie Analysis again to assess our controls effectiveness, individually or as a group covering all controls related to the risk.
At Protecht we follow a particular methodology to ensure control effectiveness. We recommend doing design effectiveness testing first, then operational effectiveness and combining them for an overall effectiveness rating.
With this in mind in our third poll we asked 'Do you test Design and Operating effectiveness separately and then combine them for an overall effectiveness rating?'
As explored in previous webinars, Protecht is passionate about dynamic monitoring and reporting. This provides an an integrated, dynamic view of our controls. With that in mind, we were interested to find out how our Webinar participants are currently 'using automated continuous monitoring of controls?'
These results are promising, I encourage more of you to start using more automated and continuous monitoring of your controls, this monitoring will allow for aggregation and more insight in your reporting.
In the webinar we looked at some examples of aggregated and proactive reporting, the ultimate being the Protecht Risk in Motion reporting and for WHS Safety in Motion reporting. In the 10th & 11th Webinar of this series we will be exploring these dynamic visualisations in more detail.
I was interested to know how the webinar participants are currently recording and reporting on Controls Assurance testing:
As we have explored through this series, at Protecht we are passionate about integrating WHS with Enterprise Risk Management (ERM) to give a true consolidated organisational view of risk. These results whilst encouraging show that we have some way to go in developing a strong, integrated and efficient and effective controls assurance process.
In our next webinar we will continue our deep dive into WHS by looking at WHS Compliance and Compliance Risk Management.
To access the recording of the previous webinars and to save your spot for the upcoming webinars click the image below:
Get the latest thought leadership on risk, compliance, health and safety and internal audit industry trends, challenges, methodologies, and insights. You will receive notifications directly in your inbox once a month.
