I have written before about controls that don’t control anything.  Or at least, not the things they are meant to control.

I keep coming across them.

Checks that consume time and energy but do little to reduce the risk of being circumvented, or of whatever they were meant to prevent from happening.

Checks that duplicate other checks, usually where the data all comes from a common source, so if that is wrong it is all wrong.  But consistent!

I recently visited a premises where the good old-fashioned signing-in book had been replaced by a computerised system.  Even a slow writer like me could sign in before in a tenth of the time taken to do it on the touch-screen.  Even my half-legible scrawl was nearer to my name than the on-screen version, where a character could easily be omitted or duplicated.

I was told that the main reason for the change was that the new system was to be used in the event of a fire to check who was in the building.  I would have thought the best thing to rely on was the knowledge of individual managers as to who was in or out and what visitors were there.

My faith in the accuracy of computerised systems is low.

  • How easily could an entry be duplicated, so they will be looking for two John Murrays, especially if one read ‘Jon Murry’?
  • How easily could someone leave without logging out, especially if a group went out together and in a hurry?
  • Do they have to print out all the names in the event of a fire so as to be able to check them?

To err is human: to make a real mess you need a computer!

Do you need to review your risk control measures to see which ones are actually worth keeping?

Risk Management is NOT only about adding to your controls.  Often it is the opposite.