
Controls that matter: From compliance burden to measurable ROI.

In risk management, organizations are expected to maintain a robust internal control system. Regulators demand it. Boards rely on it. Executives are held accountable for it. But few organizations can confidently answer a simple question:  

Which of our controls genuinely reduce risk, and which simply add cost and complexity?

Controls should exist to modify risk: reducing the likelihood of an event, limiting its impact, or both. If we cannot measure that effect, we cannot know whether a control is justified, whether it should be strengthened, or whether it should be retired.

This blog explores how to shift the conversation from compliance effort to measurable return. We examine how to assess the marginal value of controls, where common measurement approaches fall short, and how more advanced modelling techniques, such as building digital twins, can help organizations optimize their control portfolios rather than simply expand them.


The control perception problem

Controls may be seen as a hindrance or a cost center. They may get wrapped up into a group of activities that need to be done to pass an audit. That is a major part of the problem.

Controls are treated as tasks to perform, not as mechanisms that change outcomes.

In isolation, they look like tasks that don’t provide business value.

Shifting the lens moves the conversation from “How much does this control cost?” to “How much risk does this control reduce?”

A control adds value because it measurably reduces exposure.

The goal isn’t more controls; it’s knowing which portfolio of controls gives us the best return on investment (ROI).

Measuring controls

Controls are (or should be) implemented to modify risk. This is usually to reduce the likelihood or frequency of a risk occurring, or to reduce the impact if it were to occur. Therefore, consistently measuring the value of controls must relate to the way we measure risk.

Let’s start with a basic formula for measuring risk.

Frequency x impact = Expected value of risk (EV)

This simplified formula is naturally flawed; risk is a distribution. The EV might not be a possible outcome at all, and two risks with the same EV may have very different shapes. We’ll revisit these flaws, but this is a natural starting point when moving from purely qualitative approaches like risk matrices, which don’t help with measuring controls.

Let’s assume you’ve calculated the EV of the risk with the control already in place. What would the EV of the risk look like if you removed the control? Would the frequency increase, or would the impact change? The EV of the control is the difference between these two states – it’s the risk exposure with the control versus without it.

If you also know the cost of the control, you can calculate the net benefit and ROI of the control. You now have a method for comparison. The ROI of controls can even be compared to the ROI of opportunities.

Aside: Does inherent versus residual matter?

You can avoid the inherent versus residual debate.

When thinking about controls ROI, it’s more important to consider the marginal value of each control.

What would happen if I remove a control?

What would happen if I add one?

The caveats

Insurance is a reactive control used by nearly all organizations. In some cases, it is mandatory. It will often have low or even negative ROI based on expected value. But insurance typically isn’t there to reduce average impact: it helps organizations survive severe but plausible impacts (tail risk) and preserves capital.

The EV or ROI calculation works for controls that reduce the ‘body’ of the risk distribution, but it doesn’t work here. The easiest way to address this is simply to acknowledge these controls as separate and assess them alongside existing resilience capabilities.

There’s one other caveat: marginal value works for one control at a time, and the effect of multiple controls may not be additive. This doesn’t matter if you maintain a decision focus; what are you contemplating doing with these controls? Sometimes you might want to consider the effect of changing multiple controls at once: adding multiple, replacing one with another, or removing multiple. Simply consider the EV of the risk now, and the EV of the risk if you were to proceed with the change. Compare against relative costs, and you will generate an ROI for your decision.
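The frequency × impact formula, the marginal-value calculation and the insurance caveat above, worked through in code. This is an added example, not part of the original post or Protecht’s tooling; all figures (incident rates, loss sizes, control cost, premium, deductible) are constructed for illustration. The second case simulates a heavy-tailed risk to show a control whose EV-based ROI is negative while it still cuts the 99th-percentile annual loss.

```python
import math
import random
from statistics import mean, quantiles

def expected_value(frequency, impact):
    """Frequency x impact = expected value (EV) of a risk, the post's starting formula."""
    return frequency * impact

def control_roi(ev_without, ev_with, cost):
    """Marginal value of a control = EV without it minus EV with it; ROI nets off its cost."""
    marginal = ev_without - ev_with
    net = marginal - cost
    return marginal, net, net / cost

def preventive_control_case():
    # Constructed figures: 12 incidents/yr at 20k each; a 50k/yr control cuts frequency to 4/yr.
    ev_without = expected_value(12, 20_000)
    ev_with = expected_value(4, 20_000)
    return control_roi(ev_without, ev_with, cost=50_000)  # (160000, 110000, 2.2)

def poisson(rng, lam):
    """Poisson event count for one year (Knuth's method): some years have 0 events, some many."""
    limit, count, prod = math.exp(-lam), 0, 1.0
    while True:
        prod *= rng.random()
        if prod < limit:
            return count
        count += 1

def annual_losses(rng, freq, median_loss, sigma, years, deductible=None):
    """Simulate retained annual loss; with insurance, each retained loss is capped at the deductible."""
    totals = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson(rng, freq)):
            loss = rng.lognormvariate(math.log(median_loss), sigma)  # heavy-tailed single loss
            total += loss if deductible is None else min(loss, deductible)
        totals.append(total)
    return totals

def insurance_case(seed=7, years=50_000, premium=250_000):
    """Constructed risk: ~2 events/yr, median loss 50k, lognormal sigma 1.5; same seed = paired draws."""
    base = annual_losses(random.Random(seed), 2.0, 50_000, 1.5, years)
    insured = annual_losses(random.Random(seed), 2.0, 50_000, 1.5, years, deductible=100_000)
    p99 = lambda xs: quantiles(xs, n=100)[98]  # 99th percentile of annual loss (tail)
    marginal, net, roi = control_roi(mean(base), mean(insured), premium)
    return {"marginal": marginal, "ev_roi": roi,
            "p99_without": p99(base), "p99_with": p99(insured) + premium}

if __name__ == "__main__":
    print(preventive_control_case())
    print(insurance_case())
```

Judged on EV alone the insurance has negative ROI, yet its effect on the tail is large; that is the distinction the caveat draws between body-reducing and tail-protecting controls.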

Harnessing digital twins

Digital twins are living models of real-world systems, processes or assets. The real power comes from forecasting forward from the current state, while also considering ‘what if’ scenarios.

Let’s start with a tangible example.

Digital twin example: Major road bridge.

A major bridge may include hundreds or thousands of sensors that detect temperature, vibrations, wind speed, load, traffic flow and more. Sensors provide real-time telemetry updates on the status of the bridge to keep the twin up to date. Predictive analytics may provide advance notice of unacceptable conditions.

Specific scenarios can also be run: if additional barriers were implemented, would the impact of accidents change? If you forecast a change to the maintenance schedule, how does this modify frequent but minor issues?

The ultimate scenario would be to have a complete replica of the organization, including its systems, assets, data, ability to simulate customer and employee behaviors, and more. This would be supported by simulations with potential variations in outcomes based on complex interactions.

While not impossible, this is likely beyond reach for many in the short term.

Taking a step back from that utopia and applying a risk lens, an alternative model might include:

  • A complete risk profile
  • Causes and effects of risks are fully articulated (such as a risk bow tie) and quantified
  • Existing controls mapped to specific causes or events, and their effect on risk quantified
  • Identification of potential controls and their effects (potentially proposed by AI).

This would enable a strong optimization model. It would identify the combination of controls (existing or proposed) that provides the best ROI, allowing over-control to be corrected while gaps in causal pathways are addressed. An efficient frontier can highlight different configurations for different budget levels and whether they meet pre-defined tolerance levels.

If you are already starting from a strong data foundation and have fully mapped risks, you may be on your way to building out this type of model. The challenge is that it can be difficult to bring everyone on the journey and have every risk and control mapped this way, which can undermine the optimization.

Don’t be perfect

As the saying goes, perfection is the enemy of good. Building digital twins or better models of our organizations is not an overnight process. While you build towards them, applying some simple improvements to the way you measure controls can provide much quicker insights. For your existing controls, consider capturing:

  • Its cost
  • Its marginal value (EV of the related risks with and without the control)
  • For reactive controls, how much it reduces extreme impacts.

The immediate benefit of moving from no assessment, or a purely qualitative assessment, of controls is clarity. Putting a value on a control forces everyone to be clear on exactly what a control does (or is meant to do). Control descriptions re-align from vague intent to clear objectives. Control owners and operators stop seeing controls as activities to perform and start seeing them as enablers of value.

If you want to move from compliance-driven control activity to measurable, decision-ready optimization, Protecht provides the integrated risk, control and analytics foundation to make it possible.

Request a demo to see how you can measure control effectiveness, model risk exposure, and turn your controls framework into a source of measurable ROI.

About the author

Michael is Head of Risk Research and Knowledge at Protecht. He is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.