Chapter 16
Risk treatment controls for hazard risks
Types of controls
There is a range of controls that can be applied to hazard risks. The most convenient classification system is to describe these controls as preventive, corrective, directive and detective. This is the risk classification system suggested in The Orange Book and is outlined in Table 16.1.
Table 16.1 (fragment), row 2, Corrective (treat): These controls are designed to limit the scope for loss and reduce any undesirable outcomes that have been realized. They may also provide a route of recourse to achieve some recovery against loss or damage.
In relation to hazard risks, the control options of preventive, corrective, directive and detective (PCDD) represent a clear hierarchy of controls. The relationship between these four types of controls and the dominant risk response for different levels of risk is illustrated on the risk matrix shown in Figure 15.1. Table 16.2 gives examples of these four types of controls in relation to health and safety risks.
Preventive controls are designed to limit the possibility of an undesirable hazard event occurring. The majority of controls implemented in organizations in response to hazard risks are preventive controls. For health and safety risks, preventive controls will include substituting a less hazardous material in the activity or enclosing the activity so that employee exposure to dust or fumes is eliminated.
Corrective controls are designed to correct undesirable circumstances and reduce unacceptable risk exposures. Such controls provide a key method whereby the risk is treated so that it becomes less likely to occur and/or the impact is much reduced. In general terms, corrective controls are designed to correct the situation. For example, machinery guards are corrective controls.
Directive controls are designed to ensure that a particular outcome is achieved. In health and safety terms, directive controls would include instructions/directions given to employees to follow, for example, in the use of personal protective equipment. Training in how to respond to a particular risk event and detailed instructions and procedures are directive controls. Directive controls are also associated with actions that must be taken in the event of a loss to limit the damage and contain the costs.
Table 16.2 column headings: Generic control category; Hierarchy of controls for health and safety risks; Hierarchy of controls for fraud risks.
Detective controls are designed to identify occasions when an undesirable outcome has occurred. The control is intended to detect when these undesirable events have happened, to ensure that the circumstances do not deteriorate further. An example of detective controls in a project is undertaking a post-incident review.
The bow-tie representation of the risk management process is a convenient way of illustrating the role of the four types of controls. The relevance of the types of controls to the bow-tie presentation of the risk management process is shown in Figure 16.1. For the sake of illustration, this figure uses the same hazard of damage to premises as represented in Figure 11.2. There is a clear hierarchy of effectiveness of controls that is represented by the order preventive, corrective, directive and finally detective.
Disaster recovery planning (DRP) and business continuity planning (BCP) can be seen as both directive and corrective. Since they are concerned with crisis management they cannot be easily classified as a PCDD type of control and could be considered to be a fifth type of control. In all cases, crisis management will involve directions to the involved parties as to how they should behave if the crisis arises. It could be argued that these are directive controls. Normally, detective controls relate to identification of circumstances where a risk has materialized at a fairly low level with limited impact and consequences. Clearly, DRP and BCP relate to circumstances where risks have materialized at crisis level. Therefore, it is inappropriate to classify DRP and BCP as detective controls.
Figure 16.1 Bow-tie and the four types of controls. Hazard event: damage to premises. Causes on the left (flood, fire, earthquake), addressed by loss prevention; consequences on the right (financial, infrastructure, reputational), addressed by cost containment. Control types in order across the bow-tie: preventive, corrective, directive, detective.
Risk treatment controls for hazard risks 185
Risk matrix (as in Figure 15.1): impact (vertical axis) against likelihood (horizontal axis), divided by the risk appetite line and the lower and upper tolerance lines into a comfort zone (dominant response will be tolerate), a cautious zone (dominant response will be treat), a concerned zone (dominant response will be transfer) and a critical zone (dominant response will be terminate).
Preventive controls
These are the most important type of risk controls, and all organizations will use preventive controls to treat certain types of risks. Prevention or elimination of all risks is not possible on a cost-effective basis, nor may it be desirable for the future of the organization and the continuation of certain activities.
Examples of preventive controls include the separation of duties, whereby no one person has authority to act without the consent of another when paying an invoice, or the use of barriers or guards on machinery. In health and safety terms, preventive controls include the elimination or removal of the hazard and providing a less risky substitute. For example, a hazardous chemical used in a cleaning operation may be substituted with a less harmful alternative.
The advantage of preventive controls is that they eliminate the hazard, so that no further consideration of it is required. In reality, this may not be a cost-effective option and may not be possible for operational reasons. The disadvantages of preventive controls are that beneficial activities may be eliminated and either outsourced or replaced with something less effective and efficient.
Health and safety practitioners refer to the elimination of hazardous activities ‘so far as is reasonably practicable’. Achieving something so far as is reasonably practicable involves the balance between cost in terms of time, trouble and money against the benefit in terms of the reduction in the level of risk that is achieved.
Corrective controls
Corrective controls are the next option after it has been decided that preventive controls are not technically feasible, operationally desirable or cost-effective. Corrective controls will ‘repair’ or correct things after an event occurs but need to be put in place prior to the event. They are capable of producing an entirely satisfactory result, whereby the current level of risk is reduced to within the risk appetite of the organization.
Examples of corrective controls would be software patches on operating systems, new employee policies or taking disciplinary action.
The advantage of many corrective controls is that they can be simple and cost-effective. Nor do they require the elimination or replacement of existing practices and procedures. The controls can be implemented within the framework of existing activities. The disadvantage of some corrective controls is that the marginal benefits that are achieved may be difficult to quantify or confirm as cost-effective.
Corrective controls can be over-engineered, and their cost can be disproportionate to the benefit that is achieved. Very often, corrective controls are put in place because of regulatory requirements and it is for the organization to ensure that the appropriate level of corrective control is achieved in order to comply with the minimum requirements of legislation.
The design and implementation of corrective controls is often the cause of considerable discussion and potential disagreement. For example, fitting sprinklers as a corrective control that will activate in case of fire will often be viewed as inappropriate in computer rooms where water would damage records. In such circumstances more expensive suppression systems may be considered and factored into a cost/benefit calculation.
Directive controls
Organizations will be familiar with the directive controls, because staff will need to be advised of the correct way of undertaking specific tasks. Where tasks involve a level of risk, documented procedures, together with information, training and instruction, can be seen as directive controls. Therefore, directive controls are likely to be in place for most risks, regardless of whether other types of controls also exist.
188 Risk response
Detective controls
As suggested in the title, detective controls are those procedures that identify when the hazard has materialized. This means they will come into play after the event has materialized, but can be justified in certain circumstances if other controls are unable to completely eliminate the risk.
Examples of detective controls include the extensive use of testing during a health crisis, stocktaking to ensure that goods have not been removed without authorization, or bank reconciliation exercises to detect unauthorized transactions. Post-implementation reviews will detect lessons learned from projects that can be applied in future. Detective controls are closely related to review and monitoring exercises undertaken as part of the risk management process.
The advantage of detective controls is that they are often simple to administer and they will provide an early warning that other risk control measures have broken down. The disadvantage of detective controls is that the risk will already have materialized before it is detected.
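The bank reconciliation exercise named above is a detective control that can be written down precisely. The following is an added illustration, not code from the book: it compares an organization's cash ledger with its bank statement and classifies every difference into the three findings a reconciliation is meant to surface. The `Txn` class, the `reconcile` and `balance_explained` functions and all transactions are constructed for this example; amounts are whole pence and references are assumed to be unique.

```python
"""Bank reconciliation as a detective control (added illustration, not the book's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ref: str      # transaction reference
    amount: int   # signed amount in pence (negative = payment out)


# Constructed sample data: what the organization recorded in its books ...
LEDGER = [
    Txn("INV-1001", -45_000),
    Txn("INV-1002", -120_000),
    Txn("DON-2001", 500_000),
    Txn("INV-1003", -7_550),
]
# ... and what the bank actually processed.
STATEMENT = [
    Txn("INV-1001", -45_000),
    Txn("INV-1002", -125_000),   # paid more than the ledger shows
    Txn("DON-2001", 500_000),
    Txn("TRF-9999", -300_000),   # payment with no ledger entry at all
]


def reconcile(ledger, statement):
    """Match ledger and statement on reference and classify every difference."""
    by_ref_ledger = {t.ref: t for t in ledger}
    by_ref_bank = {t.ref: t for t in statement}
    # Money moved at the bank without an authorizing entry in the books:
    # the signal this detective control exists to raise.
    unrecorded = sorted(r for r in by_ref_bank if r not in by_ref_ledger)
    # Recorded in the books but not yet presented at the bank (usually timing).
    unpresented = sorted(r for r in by_ref_ledger if r not in by_ref_bank)
    # Same reference, different amount: an error or a tampered payment.
    mismatched = sorted(
        r for r in by_ref_ledger
        if r in by_ref_bank and by_ref_ledger[r].amount != by_ref_bank[r].amount
    )
    return {
        "unrecorded": unrecorded,
        "unpresented": unpresented,
        "mismatched": mismatched,
    }


def balance_explained(ledger, statement):
    """True if the flagged differences fully account for the gap between the two balances."""
    by_ref_ledger = {t.ref: t for t in ledger}
    by_ref_bank = {t.ref: t for t in statement}
    findings = reconcile(ledger, statement)
    gap = sum(t.amount for t in statement) - sum(t.amount for t in ledger)
    explained = (
        sum(by_ref_bank[r].amount for r in findings["unrecorded"])
        - sum(by_ref_ledger[r].amount for r in findings["unpresented"])
        + sum(by_ref_bank[r].amount - by_ref_ledger[r].amount
              for r in findings["mismatched"])
    )
    return gap == explained


if __name__ == "__main__":
    for kind, refs in reconcile(LEDGER, STATEMENT).items():
        print(f"{kind:12s} {refs}")
    print("balance gap fully explained:", balance_explained(LEDGER, STATEMENT))
```

On the constructed data the unrecorded payment `TRF-9999` and the altered amount on `INV-1002` are reported, while `INV-1003` is merely unpresented. The `balance_explained` check matters in practice: if the itemized findings do not add up to the difference between the book balance and the bank balance, the reconciliation itself is incomplete and the control has not done its job.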
For example, detection of fraud is often only possible after the fraud has taken place, but there are considerable advantages in detecting it early, so that the nature and scale of the fraud may be reduced. The next box discusses introducing new financial controls in a charity.
Financial controls will reduce the risk of error and fraud, and their implementation should enhance the element of trust required from donors. They should be discussed and approved by the trustees to ensure their support before implementing any new controls. Controls can then be implemented, noting who is responsible for each control. By making someone accountable for a financial control, it is more likely to be effective.
Controls are only good if they are relevant; therefore, you need to ensure that you routinely review your controls to see if they are still effective. As things change, you need to think about making changes to your controls as your organization evolves. It can be hard to make changes to existing controls, but assessing why the controls are no longer valid and how new controls can help the organization will help you in putting the changes into place.
and A3) are required to get to the target level of risk. For Risk B, only one control is required (Control B1) and this demonstrates that much more effort is needed to maintain Risk A at the target level of risk. Management and internal audit need to be aware of this, so that they can ensure that all of the controls (especially for Risk A) are operating in an effective and efficient manner.
A simple diagram like Figure 16.3 provides an illustration of the distance between the inherent and current level of the risk. If a lower target level of risk is established, additional control effort will be required in moving the level of risk from the current to a new target level (not shown in the figure). This simple illustration of control effort is important, and demonstrates that there is value in undertaking a risk assessment at the inherent level of risk (if this is possible), so that the required control effort can be clearly identified and illustrated.
If a calculation is undertaken of the risk exposure at the original level and a further calculation is undertaken of the risk exposure at the new level, the overall benefit of each control can be measured. Consideration of the cost of each control can then be undertaken, so that a cost–benefit analysis of individual controls may be completed. This will be an important exercise for the organization to undertake, so that cost-effective risk control priorities may be established.
Figure 16.3 Control effort, plotted as impact against likelihood: Inherent risk A is reduced by Control A1 to Intermediate A1, by Control A2 to Intermediate A2 and by Control A3 to the current level; Inherent risk B is reduced by Control B1 to the same current level (Current A and B).
Risk treatment is sometimes referred to as risk response or risk control, and it includes the selection and implementation of actions to reduce risk likelihood and risk impact. The examples in the sections below cover the main hazard risks that are likely to be of concern to an organization. In each case, the section sets out to describe what can go wrong in relation to the hazard, and the considerations and the issues that need to be evaluated. The control options that are available in relation to that particular risk are considered, followed by consideration of the controls that are necessary and appropriate.
Table 16.2 provides examples of the four types of controls described in Chapter 16 as applied to two types of hazard risks. The examples of fraud and health and safety are selected, so that the application of different types of controls to these two hazards can be illustrated. For other hazard risks, a similar generic approach can be taken and the types of controls that are possible can be listed, using the format of preventive, corrective, directive and detective controls.
When selecting and implementing controls, it is important to ensure that cost-effective controls are selected. Figure 16.4 plots increasing the level of control (horizontal axis) against the increasing cost of controls (vertical axis). By adding the total cost of controls and the equivalent potential loss for each level of control, the figure illustrates that there is an optimum level of control that represents the lowest combined cost as a sum of the cost of control and the level of potential losses.
Figure 16.4 Cost-effectiveness of controls: increasing cost (vertical axis) against improving control (horizontal axis), with three segments labelled ‘Cost-effective controls’, ‘Judgement required’ and ‘Further controls not cost-effective’.
It can be seen in Figure 16.4 that a significant reduction in potential loss is achieved with the introduction of low-cost controls. This section of the diagram is labelled ‘Cost-effective controls’. The centre section of the diagram illustrates that spending more on controls achieves a reduction in the net cost of risk up to a certain point. In this segment, judgement is required on whether to spend the additional sum on controls. On the right-hand side of the diagram, spending more on controls achieves only a marginal reduction in potential loss. In this segment, further controls are not cost-effective.
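The two calculations described in this chapter, the control-effort measurement of Figure 16.3 (exposure at the inherent level, after each control, and the benefit and cost of each control) and the optimum level of control of Figure 16.4 (lowest combined cost of control plus remaining potential loss), can be carried through on one constructed risk. The block below is an added example and not the book's own method or data: exposure is modelled as expected annual loss (likelihood times impact), each control is assumed to carry an annual cost and to scale likelihood and/or impact by a fixed factor, and the `Control` class, the `control_effort`, `total_cost_of_risk` and `optimum_level` functions, and every number for Risk A and its controls A1, A2 and A3 are assumptions made for the illustration.

```python
"""Control effort and cost-benefit of controls (added illustration, not the book's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    kind: str                       # preventive, corrective, directive or detective
    cost: float                     # assumed annual cost of operating the control
    likelihood_factor: float = 1.0  # multiplies likelihood (1.0 = no change)
    impact_factor: float = 1.0      # multiplies impact (1.0 = no change)


# Constructed Risk A: 0.4 events per year, each costing 500,000 if uncontrolled.
RISK_A_INHERENT = (0.4, 500_000.0)
RISK_A_CONTROLS = [
    Control("A1", "preventive", cost=20_000.0, likelihood_factor=0.5),
    Control("A2", "corrective", cost=30_000.0, impact_factor=0.6),
    Control("A3", "detective", cost=25_000.0, impact_factor=0.75),
]


def control_effort(likelihood, impact, controls):
    """Risk levels from inherent to current, one entry per control applied in order."""
    levels = [{"level": "inherent", "exposure": likelihood * impact,
               "cumulative_cost": 0.0}]
    cumulative_cost = 0.0
    for c in controls:
        likelihood *= c.likelihood_factor
        impact *= c.impact_factor
        cumulative_cost += c.cost
        before = levels[-1]["exposure"]
        after = likelihood * impact
        benefit = before - after          # reduction in expected annual loss
        levels.append({
            "level": c.name,
            "kind": c.kind,
            "exposure": after,
            "benefit": benefit,
            "cost": c.cost,
            "benefit_cost_ratio": benefit / c.cost if c.cost else float("inf"),
            "cumulative_cost": cumulative_cost,
        })
    return levels


def total_cost_of_risk(levels):
    """Combined cost at each level: cumulative control cost plus remaining exposure."""
    return [lvl["cumulative_cost"] + lvl["exposure"] for lvl in levels]


def optimum_level(levels):
    """Index of the level with the lowest combined cost; controls beyond it are not cost-effective."""
    totals = total_cost_of_risk(levels)
    return min(range(len(totals)), key=totals.__getitem__)


if __name__ == "__main__":
    levels = control_effort(*RISK_A_INHERENT, RISK_A_CONTROLS)
    for lvl, total in zip(levels, total_cost_of_risk(levels)):
        print(f"{lvl['level']:9s} exposure={lvl['exposure']:>10,.0f} "
              f"control cost={lvl['cumulative_cost']:>8,.0f} combined={total:>10,.0f}")
    best = optimum_level(levels)
    print("optimum: stop after control", levels[best]["level"])
```

With these assumed figures the exposure falls from 200,000 (inherent) to 100,000 after A1, 60,000 after A2 and 45,000 after A3, while the combined cost of control and residual loss is 200,000, 120,000, 110,000 and 120,000 respectively. A1 returns five times its cost, A2 returns 1.33 times its cost (the judgement segment of Figure 16.4) and A3 returns only 0.6 of its cost, so the optimum stops after A2. Running the same function on a second risk with a single control reproduces the Risk A versus Risk B comparison of Figure 16.3 and makes the difference in control effort explicit.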