This article defines what base controls are, describes how to set them up in the system, and shows where they’re used in a risk assessment worksheet and bowtie.
What is a base control?
Base controls are a basic level of control needed to mitigate a risk. They are standardized, global terms, typically defined during implementation, for common controls that are used throughout Operational Risk, across all sites and locations. Because there may be many different ways to refer to the same thing, base controls establish a common language for types of controls and simplify and standardize their data entry, tracking, and reporting, so that the same controls, with the same associated information, are used throughout the organization. They are essentially an organization’s library of its key controls. A few examples of base controls are a permit-to-work system, a contractor management system, and a fire protection system.
Base controls are used during risk analysis, in risk assessment worksheets and bowties. If your organization conducts risk verification activities (in addition to basic risk analysis), base controls must also be associated with performance standards; this association allows verification activities to update active bowties in which the base controls are used.
If you later modify base controls, those changes can affect the performance standards and the risk assessment worksheets and bowties that reference them.
Note: The term your organization uses to identify base controls may differ (it is defined upon system setup in Administration > Terminology). For example, they’re also commonly referred to as global controls or critical controls. In addition, your organization determines (upon system setup) which items are included, and which are required, in a base control definition.
Defining a new base control
- Select Control Verifications > Base Controls > Add to get started.
- Define identifying information, or Primary Details, for the base control, including Name and Description.
- Select a Type/Factor (defined in Administration > Tag Setup > Types/Factors) to categorize base controls for reporting purposes.
- Select a Strategy (defined in Administration > Editor > Lookups > Control Strategy Settings) that describes how the control reduces risk.
- Select a Category to indicate whether this is a critical or non-critical control. A critical control is crucial to preventing an event or mitigating the consequences. The absence or failure of a critical control would significantly increase the risk despite the existence of other controls. A base control must be defined as a critical control in order to be used in the verification process in Operational Risk.
- Select an Assessment Type to indicate whether effectiveness for this control will be expressed qualitatively (using terms like “Needs to improve” or “strong”), quantitatively (using a number value instead), or according to the outcome of a control verification activity.
- For qualitative Assessment Types, select how effective you consider the base control to be (Effectiveness, defined in Administration > Editor > Lookups).
- For quantitative base controls, once you’ve saved the base control, you can select how control effectiveness is numerically expressed (Define Control Effectiveness in terms of) and the appropriate accompanying value. These (hard-coded) options are standard ways to mathematically state the effectiveness of a control. (Defaults are defined in Configuration Editor > Register Policies > Controls.)
- Select a Performance Standard with which this base control will be linked.
- Select the current Status of the control (defined in Administration > Editor > Lookups).
- Add any necessary Attachments, and then Save the new base control.
Attaching base controls in risk assessment worksheets and bowties
When completing a risk assessment worksheet, you can select base controls from a list.
In a bowtie, select the base control in the node.