… which would be improved by
Maximised use of preventative controls
The control trigger and operation of controls should be as early in the process as viable with the intention of prevention.
Controls should not be post process completion unless low risk.
Clarity of accountability and appropriate checking
Checking should be minimised with sample checks driven by risk appetite and in support assurance of the process.
Capability issues should be tackled at source, equipping the right resources with the training and support needed to empower them to deliver the customer outcomes.
Clear control articulation
Assessing if controls are operating effectively should be carried out on a regular basis. It is essential that controls are documented including the rationale for why a control is needed, in clear SMART (specific, Measurable, Achievable, Relevant, Time Orientated) language agnostic of the process knowledge. This allows resources to operate the controls but also supports impartial review of the controls aligned with risk appetite.
Regular review of control environment
Regular review outside of the processing team linked to risk appetite will result in a current and fit for purpose model. Understanding where controls sit in a given process or journey, the risk they aim to mitigate, and the effectiveness of the controls allows gaps to be addressed and duplication to be removed.
Controls should be designed to be durable and withstand reasonable predicted change rather than addressing short term issues.
Maximise use of automation
Manual controls should be a last resort where IT and automated options are not possible or financially viable.
Where manual controls are required – operators must be competent, with clear understanding of the control required. They should be evidenced through MI and documented audit trail. Single points of dependency and cover (holiday / sickness) should be built into operational plans.