
Risk vs Control in Risk Management: A Paradigm Shift

  • Writer: Julien Haye
  • Nov 17, 2020
  • 6 min read

Updated: Jun 7

Cover image for the blog post titled "Risk vs Control in Risk Management: A Paradigm Shift". The image features a minimalist blue background with a white figure climbing an upward arrow, symbolizing control and growth. The text overlay says "Why Adding More Controls Isn’t Always the Answer to Managing Risk".

How can financial firms spend millions or more a year in process and control improvements and still not get it right?

I (almost) fell off my chair the first time I heard how much a former employer spent every year on control and regulatory compliance improvements. Despite pouring in a colossal amount of money, over a billion, the firm was still crippled with issues and barely held onto its regulatory licence.


If money is not the issue, then what is?


Financial firms often struggle to find the right balance in the debate of risk vs control. In my experience, the immediate response from executives, chief compliance officers, chief risk officers, and auditors is to add more controls to ensure regulatory compliance or address any incident.


Understanding the dynamic between risk and control is key to managing risk and compliance effectively, rather than simply adding more controls and, with them, more complexity, more risk, and more cost.


But adding controls to meet regulatory expectations or reduce risks is not always the best solution. More controls can mean higher costs and complexity, which often create new risks. This approach can also weaken risk oversight and do little to improve risk culture. Quickly, this turns into a costly vicious circle.


Managing Inherent Risk: Why Relying on More Controls Alone Misses the Point


An internal auditor once told me that I should focus on reducing risk through controls, and that they did not see the value in removing or reducing the inherent risks.


This comment is an excellent illustration of the strong heuristic at play in both the 2nd Line of Defence and the 3rd Line of Defence. To keep a firm’s risk profile at an acceptable level, these functions tend to default to adding more controls.


But what if the risks should not be there in the first place? What if the risks are a direct consequence of a sub-optimal operating model, a poorly designed end-to-end process set-up, or simply broken processes?


I strongly believe there is limited, if any at all, value in fixing or adding controls on top of broken or fragmented processes.


A more holistic and strategic approach to optimise the risk profile is required. It must consider:

  • both inherent risk levels and the adequacy and effectiveness of controls, as both levers must be used to bring the risk to a desirable level

  • the financial trade-off between investing in simplified and scalable processes versus maintaining the ‘process status quo’ by adding more controls


What is a Risk Control? Key Difference in Risk vs Control


Risk control refers to the measures and activities an organisation uses to reduce the chance of a risk happening or limit its impact if it does. Policies, procedures, and other internal controls fall under this category.


But risk management is broader than just risk control. It is about understanding the uncertainties that could affect the organisation’s goals and deciding how best to deal with them. Risk controls are just one way to manage risks, alongside other actions like transferring, accepting, or even avoiding risks altogether.


This difference is key. When organisations rely too much on controls alone, they can miss the bigger picture. True risk management requires looking beyond checklists to see how risks connect to decisions, strategy, and culture. It is an ongoing effort that demands learning and adaptation, not just more controls.


Process Automation vs. Re-engineering


Firms get exposed to non-financial risks through “WHAT” they do (for example, managing client money) and “HOW” they do it (for example, fragmented, complex, and manual end-to-end operating models and process set-ups). From experience, up to 80 to 90 percent of non-financial risks can be driven by the “HOW”, especially in processes that have grown and layered organically over time.


In this context, automating such activities only embeds the existing weaknesses. Worse, it gives a false sense of security to management, who may believe they have solved the problem until something goes wrong.


A first-principles analysis reveals that most non-financial risks in processes are not random. They are by-products of layered complexity and fragmented decisions. Re-engineering based on these first principles eliminates unnecessary steps and clarifies the purpose of each control. Automation then becomes a tool to scale these cleaner processes, not to hide underlying weaknesses.


Instead of automating weaknesses, I strongly advocate judging the quality of a process by the risks it inherently generates, such as fraud or data privacy concerns in a payroll process. From there, the aim should be to eliminate any other risks or, at the very least, reduce them to a benign level. This requires simplifying what people do through business operation re-engineering first, and automation second. Here, I am talking about process excellence and Six Sigma.


Ultimately, the process and control environment will be optimised to enable employees to spend most of their time on the “WHAT” rather than the “HOW”.


The Business Case for End-to-End Process Reengineering


Re-engineering the end-to-end process environment is difficult and complex. It requires people to change what they do. Some employees may not have a job at the end of this journey, and funding the change can be costly in the short term. In contrast, adding more controls often yields faster results and is usually much easier to implement.


Re-engineering based on first principles does more than reduce costs. It helps identify and remove the layered complexity that can obscure true risk and weaken the resilience of business operations.


Broadly, process re-engineering should lead to reduced:

  1. operating costs

  2. need for future build (cost avoidance)

  3. future losses


Here are a few considerations for building an effective business case:

  • Number of steps and teams involved in any end-to-end activity, and the resulting hand-offs between teams

  • Time spent on data manipulation and transfer, as multiple touchpoints increase the chance of errors

  • Time spent on reconciliation due to manual data processing versus value-add activities

  • Potential financial losses or other impacts (regulatory, reputational) if something goes wrong

  • Ability to scale volumes and activities based on current setup versus future needs


Re-engineering these processes lays the groundwork for a more agile, resilient, and efficient risk management framework that can adapt to future challenges.


Getting it Right: Balancing Risk vs Control in Financial Firms


This is about striking the right balance across investment cost, scalability, agility, efficiency and resiliency. For example, building safeguards that allow human intervention in a process might be desirable, despite the potentially higher cost, because they enable constant learning and improvement and ultimately help establish a resilient platform.


Effective management of inherent risks, with a strong focus on eliminating risks arising from the “HOW”, is a very attractive business proposition. It has an immediate upfront cost, and whilst the benefits won’t always justify the investment, very often they will. This is especially true for processes that have grown organically over time and now create more risk than value. At some point, management needs to step back and ask:

Are we truly managing risk, or are we simply adding more controls to cover up the real issues?

Frequently Asked Questions (FAQs) – Understanding the Risk vs Control Dynamic


1️⃣ What is the difference between risk vs control in managing business operations?


The debate of risk vs control is central to risk management. Risk control refers to the measures an organisation implements to reduce potential risks and their impact on business operations. In contrast, risk management is broader. It includes identifying, assessing, and prioritising risks, as well as developing risk management strategies to address them. Effective risk management requires a balance between using controls and continuously analysing and addressing the underlying risk factors.


2️⃣ How can financial firms identify and assess inherent and residual risks?


Financial firms use a risk management framework to identify and assess inherent and residual risks. Inherent risk is the level of risk present before any controls are applied, while residual risk is the level that remains after controls are implemented. This process involves risk analysis to evaluate the potential impact of identified risks on business operations. Regular assessments help ensure that risk controls remain effective and aligned with evolving business needs.


3️⃣ Why is adding more controls not always the best way to mitigate risks?


While implementing controls can help mitigate risks, simply adding more controls does not guarantee better outcomes. More controls can increase complexity, costs, and even create new risks. Instead, it is crucial to understand the dynamic between risk vs control and ensure that any new controls directly address the identified risks without adding unnecessary burden. Holistic risk management strategies focus on streamlining business operations to reduce potential risks rather than just layering on more controls.


4️⃣ What are some effective risk management strategies beyond adding controls?


Effective risk management strategies go beyond adding controls. They include:

  • Identifying potential risks early through real-time monitoring and risk analysis

  • Re-engineering business processes to eliminate or reduce inherent risk factors

  • Using technological advancements to simplify workflows and reduce manual errors

  • Creating a risk-aware culture that continuously assesses risks and adapts strategies as needed


5️⃣ How does process re-engineering fit into risk management frameworks?


Process re-engineering can be a critical part of a risk management framework. Instead of relying solely on implementing controls, process re-engineering addresses the root causes of risk by simplifying workflows, removing redundancies, and reducing manual interventions. This approach helps in identifying potential risks more clearly and creates an operating environment that is more resilient to changes and disruptions.


6️⃣ How can real-time data help in assessing and managing risks?


Real-time data and monitoring tools provide valuable insights for identifying and assessing risks as they emerge. With real-time updates, organisations can detect issues faster, understand the potential impact of risks, and make more informed decisions. Real-time analysis strengthens the risk management framework by enabling continuous improvement and faster response to new risk factors.

