Be wary of over-relying on internal controls — even the best ones can fail and raise new risks.
When the Control Becomes the Risk
Blogs Laura Soileau, CIA, CRMA, CPA Feb 05, 2020
A few weeks ago, I woke up at 3:30 in the morning with my home smoke alarm blaring. Between my child and my dog, I'm not sure who was more afraid. My child made it down the stairs in record time, while my dog was clearly panicked. Although we soon determined this was a false alarm, no matter what my husband and I tried, we couldn't cancel the alarm.
Calling the alarm service company's help desk also didn't help, because they did not see that the alarm had been activated. Infuriatingly, the blaring of the alarm continued for nearly 15 minutes until we finally were able to shut off the alarm. At last we were in the clear and everyone was back in bed — until it started again about an hour later. This time it lasted much longer.
Needless to say, we scheduled a technician to come to our home as quickly as the security company could find someone available to troubleshoot and fix the problem. In the meantime, we also adjusted our plans to go out of town until the alarm was repaired.
Fortunately, since then our smoke alarm has not activated again. However, reflecting on this situation has me thinking about risks, controls, and our tendency to sometimes over-rely on controls and the residual risk factor.
In our situation, knowing that our home alarm system would alert us — and the alarm monitoring company and appropriate authorities — of potential danger gave my family and me the peace of mind to sleep more soundly at night. The impact of the risk to our safety was mitigated by our home security system. However, when the system malfunctioned, we realized there were certain situations in which our expected control did not always work as anticipated.
In this particular situation, it felt as if our control had now become our risk. Because we were not able to rely on the system to operate properly, until the technician was able to correct the issue, we viewed any activation of the alarm as a false alarm. While the sound of the alarm blaring was highly annoying, each time it activated via malfunction, we found that we ignored the typical steps to be followed upon hearing the alarm.
Further, since that recent experience, my child and my dog have become sensitive to loud noises. Each time the microwave or the coffee pot beeps, my child is quick to ask, "What's that noise?" followed by "I'm scared."
Sometimes it is easy to jump straight to residual risk, placing less emphasis on the inherent risk. However, whether it is the controls that we rely on in our personal lives or those that are implemented in our organizations, there is still a risk that controls may not always operate effectively. They may not work even when procedures and operating guides are followed consistently and controls are tested periodically. System glitches, malfunctions, and operator errors can all lead to issues.
My home security alarm situation was a good reminder of the importance of keeping our eyes and ears open to the risk around us, ensuring that we don't rely extensively on controls, and considering the inherent risk of any situation.