Implementing Internal Controls in Strategic Planning

The term “controls,” originally used in the GRC (Governance, Risk, Compliance) domain to describe mechanisms for managing risks and ensuring compliance, is now applied more broadly to strategic planning. In this context, controls act as standard responses to specific situations. In this article, we’ll share best practices for setting up controls, their practical use, and organizing libraries of controls.

An example of the library structure for GRC controls. Source: Library of GRC Controls in BSC Designer.

Introduction

In essence, a “control” is a response or prevention mechanism used to manage risk and ensure compliance.

From the automation perspective, a control might be as simple as an action plan with aligned progress metrics or as complex as a hierarchical set of controls and sub-controls, each with its own set of metrics, risk estimations, mitigation plans, contextual dependencies, and owners.

Each control has a specific application area that defines when it should be activated.

Automating Internal Controls with Functional Scorecards

Controls have specific components:

  • Conditions that trigger the control.
  • Internal mechanics to ensure the control works properly (progress metrics, supporting documentation, responsible persons).
  • Recorded results of applying the control, kept for accountability and as inputs for a learning loop.

Let’s explore some practical tools to apply controls to the GRC aspect of strategic planning.

Setting Up Controls

At the initial stage, our goal is to properly map the past experiences of the management team into controls or formal response mechanisms.

Identifying the Rationale of the Control

The basics of identifying a control include giving it a meaningful name and explaining its purpose in the description. Linking a control to previous events or regulatory requirements that led to its creation is also valuable.

Add a new control to the library of controls

In BSC Designer:

  • Use the Add button to create a new item.
  • Identify the control via the name and description fields.
  • Cross-link the control with relevant past goals, events, or regulatory requirements.

Additional Properties of a Control

Organizations follow their own standards of control definition, implying specific properties for controls or associated action plans.

In BSC Designer:

  • Define required properties of controls via custom fields.
  • The new fields will be available for controls, metrics, and initiatives.

Owner of Control – Automation Control Communications

Most controls require some level of human intervention. Even if a control is expected to execute successfully, it’s good to have someone oversee it. For example, software maintainability controls may automate updates, but an IT specialist is needed to resolve conflicts if an update fails.

In BSC Designer:

  • Add responsible persons for the control as users; assign the person to a team.
  • Assign the person or team as the owner of the control via the Owner field.

Use Metrics for Controls

A control is well-defined when at least two metrics are clearly specified:

  • The efficiency metric.
  • The effectiveness metric.

The efficiency metric ensures the control is implemented according to established standards, while the effectiveness metric ensures the control achieves the desired results.

For example, in incident reporting:

  • The efficiency metric might be the “% of personnel trained in incident reporting.”
  • The effectiveness metric might be “the number of incidents reported” or “% of incidents not communicated properly.”

In BSC Designer:

  • Use the Add button to add metrics inside the Control item.
  • Adjust the metric type on the Context tab: the efficiency metric is a leading metric, and the effectiveness metric is a lagging one.

Schedule Periodic Updates

More complex controls require time for application and need periodic revision. For example, the effectiveness of incident reporting training needs regular validation.

In BSC Designer:

  • Use the Update Interval setting of the indicator to schedule regular revisions.

Add Action Plans

Applying controls involves following specific prevention or response actions, similar to classical project management with due dates, budgets, and responsible persons. Additionally, we can track the status and progress of the action plan.

Action plan for a control

In BSC Designer:

  • Use the Initiative tool to add action plans to the controls.
  • Align risks and efficiency metrics with the initiative.
  • Assign an owner to the initiative; the person will receive notifications when the status changes.

Upload Supporting Documentation

More complex controls require supporting documentation, such as policies and procedures. Link to the relevant documents or upload them to the control.

In BSC Designer:

  • Documents can be added to all items of the control, including initiatives.

Cross-Link with Other Controls

Controls do not exist in isolation. Establish necessary contextual connections between various controls, goals, risks, and events.

In BSC Designer:

  • Copy and paste items between scorecards.
  • When prompted, use the connection by context option to link two items.

Using Controls

The general logic of using a control involves responsible persons who will be:

  • Following established action plans.
  • Uploading evidence.
  • Updating metrics.
  • Noting any findings along the way.

In BSC Designer:

  • To update a metric, select a new date in the internal calendar and change its state on the Data tab.
  • Use the comment button next to the Value field to note important findings.
  • Upload evidence via the document upload function for controls, goals, metrics, or initiatives (see how to create indicators to track evidence).

Visualize Dashboards

Create visual representations of controls and their states. Track the evolution of metrics over time, the state of risks, and risk mitigation plans.

In BSC Designer:

  • Switch to the Dashboard tab.
  • Add relevant charts, including Gantt charts for initiatives, risk diagrams, and diagrams listing controls and their states.

Reusing Controls: Catalog/Library of Controls

For repetitive controls, create a library of controls. When a relevant event occurs, you can deploy a control by copying it from the library.

In BSC Designer:

  • Create a scorecard dedicated to controls.
  • Use a hierarchical structure to organize controls.
  • When needed, copy the control to the active scorecard.


Practical Example of Using a Control

Let’s discuss a practical example. Consider the control activated when an employee leaves the company.

Controls Library

In the controls library, I have an HR section where one of the controls is “Employee left company.” This control has three action plans:

  • Disable logins.
  • Redirect emails.
  • Contact customers.

It also has two efficiency metrics:

  • Logins disabled (binary).
  • Percentage of customers notified.

Events Scorecard

I have a scorecard named “HR events” where relevant HR events are logged. The scorecard is organized by event type.

Applying the Control

Here are the steps to follow when an employee leaves the company:

  • Create a new event in the Events scorecard, e.g., “Alex left company.”
  • Copy and paste the appropriate control from the controls library to the Events scorecard.
  • The person responsible for the control will be automatically notified about new action plans created.
  • Upload evidence (screenshots) that the logins were disabled.
  • Notify customers and update the “% of customers notified” indicator.
  • Update the status of the action plans to “In review.”

More Examples

You can find more examples of using controls in articles about:

Cite as: Alexis Savkín, "Implementing Internal Controls in Strategic Planning," BSC Designer, May 26, 2024, https://bscdesigner.com/grc-controls.htm.
