Writing a correct control measure 

Describing good controls in your Risk and Control Matrix (RCM) sometimes feels like building a puzzle without a picture on the box: you have all the pieces, but you keep searching for the right combination.  

As risk management matures, a clear and consistent description of each control measure becomes essential. Legislative frameworks and best practices keep growing in complexity, and a fixed structure helps you document controls accurately and completely.

But what actually makes a control measure description effective?

The 5W1H method (Who, What, Why, When, Where, How) gives you the foundation for a strong description, so that risks stay manageable and processes can be steered more effectively.

Who: Roles and Responsibilities 

Describe the roles responsible for the control measure. Prefer role names (for example "payroll team lead" or "application owner") over individual names, so the description stays valid when staff change.

This is essential for accountability. Determine who executes the control measure, who monitors and assesses it, and where the escalation lines run when deviations are found.

What: The core activities of the control measure

Describe which processes, analyses, and actions are performed to mitigate the risk.

List the systems and data flows involved, and state which specific actions are expected, such as verification, approval, or reporting.

Why: Purpose and risk management

Determine which risk is being managed and link the control measure to concrete, identified risks, such as fraud prevention, data quality, or operational integrity.

The objective should be precise and measurable, so that all stakeholders understand the impact and the control measure can be applied in a targeted way. Where a measurable objective is not practically achievable, state the intended direction explicitly and mark it as based on professional judgment, so a reader can tell the difference between a measured target and an expert estimate.

When: Frequency and timing 

The frequency of the control measure must match the nature of the risk.

High risks often require frequent monitoring, for example daily, while less urgent matters are adequately controlled with semi-annual or annual evaluations. Also state the timing of each step, such as weekly reports or monthly evaluations.

Explain clearly why this frequency is appropriate for the risk and how it fits with the other control mechanisms around it.

Where: Accessibility and storage of control measure data

Document where the control measure is performed and where the associated documentation is stored.

This can be a specific software application, a secure drive, or a shared system. Recording the location makes the control measure traceable and consistent, so everyone in the organization knows where to find the data for audits, compliance, or daily operations.

How: Implementation and Evidence 

Describe how the control measure is carried out and which criteria determine whether it is effective.

State which documentation or evidence must be recorded. This can range from approval logs and audit trails to sign-off sheets and reports. Evidence should be retained in a form that lets an auditor re-perform or verify the control afterwards, not merely confirm that someone says it was done.

This makes the control measure objective and measurable, and makes it straightforward to demonstrate at an audit that every step was completed.

Clearly document for consistency and control. 

A crucial part of a good control measure description is the method of documentation. Clear and systematic recording ensures that everyone works with the same structure and can interpret the description without further explanation. Our advice is therefore: always start with the basics, namely "Who" and "What".

Describe the control measure as concisely as possible. 

Keeping the control measure as short as possible improves readability. We advise working in several iterations: write the full description first, then cut anything that does not answer one of the six questions.

A quick, superficial approach may look efficient, but it ultimately causes more work and frustration.

Invest the time in a thorough and clear control measure description. It creates a solid foundation for ongoing risk management and ensures your organization is truly in control.
