If one just does the tick the box exercise, then the former case is worse as it gives a false assurance that the risk has been treated, whereas the latter can be picked up by the checker that things have not been implemented. If the system includes a review mechanism, then both cases could be detected, but one can argue that the review process may not be implemented timely. Anyway, simple answer is neither is acceptable.
Comments
A good process is one which is systemically implemented and has a long view target; with feedback for corrections at every step of the way.
Any framework that is followed will give structure to management's decision-making processes. It will force managers to at least acknowledge issues they should consider. Risk Management is all about judgement and considering the issues. It is not a proscribed check-every-box function as compliance is. Any control followed to the end, no matter how poorly conceived, is better than something that sits in the drawer, which provides insight to no one.
Richard Ellis, PMP PRM
http://www.linkedin.com/in/richardellis86
As long as the one is only poorly designed and not badly designed then I would agree.
Is the control is not in management?
If I pull the pin off a grenade and then don't throw it...
None is acceptable. Design and implementation of controls require resources – time, human capital, finance etc. There is no benefit to the organization if these resources are not efficiently utilized. It comes with additional risk of giving management the impression that the risk has been addressed when it is not.
A risk is a risk whether you have controls in place to mitigate that risk or not. I.o.w., you will have a devastating effect on your organisation anyway. I agree that it is not acceptable to have a poorly designed control in place, but then it is also identified as such in the statement. It is still better to have something in place than nothing. The statement did not refer to the control not being effective, merely stated that it is poorly designed (which leaves room for improvement - which is a constant). I absolutely agree that it is unacceptable for a well-designed control to be ignored but then it also indicates that the risk is not mitigated.
As someone trained in economics, I would answer, "it depends".
There's a quote from General Patton, "A good plan violently executed now is better than a perfect plan executed next week."
Read more at http://www.brainyquote.com/quotes/quotes/g/georgespa138200.html#H0v... The question is whether the "poorly designed control" is so poor that it is potentially destructive, versus just being perhaps irritating or inconvenient to implement and practice. Is it comparable to a merely "good" plan, or is it worse than that?
I suppose a control could be so poorly designed that it creates more problems than it solves, but in most cases we'll probably find that there are controls that are "mediocre" in that they don't control the real risk as well as we'd like, and they are difficult or costly to implement. In this case, a "mediocre" control may still be better than no control, depending on the nature of the risk.
Hello!
Both are not acceptable since the risk is identified. If the risk is not identified, it's not possible to talk about a control not being designed. At least, it is unacceptable to not design a control for an identified risk (following its evolution requires a control), even if it is inoffensive. Any control becomes poorly designed as the context is never stable. So the matter is why not continuously improve controls.