Please look and answer the questions in APA format.
Ask me to clarify anything.
Thank you!
1/ Hopkin presents a diagram of types of controls for hazard
risks (Figure 16.1, page 186). He then offers a description of
types of hazard controls in Tables 16.1 (p. 187) and 16.2 (p.
188). Select one of the control categories from Table 16.2 and
discuss how it contributes to risk control. Provide an example
from your experience that reflects the effectiveness of the
control you have selected. If you do not have such an example,
discuss its potential impact in general terms.
2/ Respond to my classmate’s post (two only)
3/ if the teacher asks any question related to the question, I
would like you to answer.
APA FORMAT
186
16
Risk control
techniques
types of controls
There are a range of controls that can be applied to hazard risks. The most convenient
classification system is to describe these controls as preventive, corrective, directive and
detective. This is the risk classification system suggested in the Orange Book. Table 16.1
provides a more detailed description of each of these four types of hazard controls.
In relation to hazard risks, the control options of preventive, corrective, directive
and detective (PCDD) represent a clear hierarchy of controls. The relationship
between these four types of controls and the dominant risk of response for different
levels of risks is illustrated on the risk matrix shown in Figure 16.1. Table 16.2 gives
examples of these four types of controls in relation to health and safety risks.
FIg URE 16.1
Types of controls for hazard risks
Impact
Transfer
risk to another party
Dominant type of control will be
Directive
Terminate
activity generating the risk
Dominant type of control will be
Preventive
Tolerate
risk and its likely impact
Dominant type of control will be
Detective
Treat
risk to reduce the likely
impact/exposure
Dominant type of control will be
Corrective
Likelihood
Risk control techniques
TAb LE 16.1
Description of types of hazard controls
1
Preventive
(terminate)
These controls are designed to limit the possibility of an
undesirable outcome being realized. The more important
it is to stop an undesirable outcome, then the more
important it is to implement appropriate preventive controls.
2
Corrective
(treat)
These controls are designed to limit the scope for loss
and reduce any undesirable outcomes that have been
realized. They may also provide a route of recourse to
achieve some recovery against loss or damage.
3
Directive
(transfer)
These controls are designed to ensure that a particular
outcome is achieved. They are based on giving directions
to people on how to ensure that losses do not occur.
They are important, but depend on people following
established safe systems of work.
4
Detective
(tolerate)
These controls are designed to identify occasions when
undesirable outcomes have been realized. Their effect is,
by definition, ‘after the event’ so they are only appropriate
when it is possible to accept that the loss or damage has
occurred.
Preventive controls are designed to limit the possibility of an undesirable hazard
event occurring. The majority of controls implemented in organizations in response
to hazard risks are preventive controls. For health and safety risks, preventive controls will include substituting a less hazardous material in the activity or enclosing
the activity so that employee exposure to dust or fumes is eliminated. Examples of
preventive controls for fraud risks are shown in Table 16.2.
Corrective controls are designed to correct undesirable circumstances and reduce
unacceptable risk exposures. Such controls provide a key method whereby the risk is
treated so that it becomes less likely to occur and/or the impact is much reduced. In
general terms, corrective controls are designed to correct the situation. For example,
machinery guards are corrective controls.
There has been debate about disaster recovery planning (DRP) and business
continuity planning (BCP) and whether they fit into the PCDD classification of the
different types of hazard risk controls. Some organizations consider DRP and BCP
to be directive controls, whereas others argue that they are corrective controls. An
alternative approach is to say that a DRP and BCP are concerned with crisis
management and cannot be easily classified as a PCCD type of control and should
be considered to be a fifth type of control.
In reality this argument, like so many other arguments about terminology, is not
helpful. When an organization is faced with a crisis, it will be in a much better position
to cope if plans have been considered and put in place before the crisis
187
Risk control techniques
TAb LE 16.2
Examples of the hierarchy of hazard controls
generic control
category
Hierarchy of controls for
health and safety risks
Hierarchy of controls
for fraud risks
Preventive
Elimination or removal of
the source of the hazard
Substitution of the hazard
with something less risky
Limits of authorization and
separation of duties
Pre-employment screening
of potential staff
Corrective
Engineering containment
using barriers or guards
Exposure reduction by job
rotation or limitation on
hours worked
Passwords or other access
controls
Staff rotation and regular
change of supervisors
Directive
Training and supervision
to enforce procedures
Personal protective
equipment and improved
welfare facilities
Accessible, detailed,
written systems and
procedures
Training to ensure
understanding of
procedures
Detective
Health monitoring to enquire
about potential symptoms
Health surveillance to find
early symptoms
Reconciliation, audit and
review by internal audit
Whistleblowing policy to
report (alleged) fraud
arises. Sometimes crisis management will involve the use of alternative facilities that
have been put in place before the crisis arose. It could be argued that these are
corrective controls.
In all cases, crisis management will involve directions to the involved parties as to
how they should behave if the crisis arises. It could be argued that these are directive
controls. Normally, detective controls relate to identification of circumstances where a
risk has materialized at a fairly low level with limited impact and consequences.
Clearly, DRP and BCP relate to circumstances where risks have materialized at crisis
level. Therefore, it is inappropriate to classify DRP and BCP as detective controls.
The bow-tie representation of the risk management process is a convenient way of
illustrating the role of the four types of controls. Preventive controls are relevant to
actions that are taken before the event occurs. The nature of detective controls means
that they relate to circumstances after the event has occurred. Corrective and directive
controls can be relevant to loss prevention, damage limitation and cost containment.
188
Risk control techniques
These are the three phases of loss control. The relevance of the types of controls
189
Risk control techniques
FIg URE 16.2
Bow-tie and types of controls
Impact
Financial
Fire
Earthquake
Break-in
Loss
prevention
Damage to
premises
Infrastructure
Cost
containment
Damage limitation
Reputational
Marketplace
Corrective
Directive
Detective
to the bow-tie presentation of the risk management process is shown in Figure 16.2.
For the sake of illustration, this figure uses the same hazard of damage to premises
as represented in Figure 11.2.
Directive controls are designed to ensure that a particular outcome is achieved.
In health and safety terms, directive controls would include instructions/directions
given to employees to follow, for example, in the use of personal protective equipment. Training in how to respond to a particular risk event and detailed instructions
and procedures are directive controls. Directive controls are also associated with
actions that must be taken in the event of a loss to limit the damage and contain the
costs.
Detective controls are designed to identify occasions when an undesirable
outcome has occurred. The control is intended to detect when these undesirable
events have happened, to ensure that the circumstances do not deteriorate further.
An example of detective controls in a project is undertaking a post-incident review.
There is a clear hierarchy of effectiveness of controls that is represented by the order
preventive, corrective, directive and finally detective. Preventive controls are clearly
the most effective, followed by controls that correct adverse circumstances. Providing
training and direction to staff is a weaker level of control, and detective controls only
confirm that an adverse event has occurred.
The importance of DRP and BCP should not be underestimated. They are both
methods of cost containment designed to ensure minimum disruption after a hazard
risk has materialized, so they are aligned with detective controls. However, DRP
and BCP do not conveniently fit into the PCDD classification system for controls,
190
Risk control techniques
191
because they are post-loss procedures. Some control classification systems include BCP
and DRP as a fifth category of control.
The example in the box below illustrates that an organization will use all four
types of control in order to build a robust set of risk responses. The road transport
company will make use of all four types of controls in order to reduce road traffic
accidents.
application of the 4ts
Take the example of a road transport company and the desire to reduce the number of
road traffic accidents per million miles driven, and the options for reducing this number.
The company can look at the preventive, corrective, directive and detective control
hierarchy and decide the following:
â—Â
The scope for introducing preventive controls includes review of vehicle routing and
realistic estimates on delivery schedules so that drivers do not need to drive dangerously
to arrive on time.
â—Â
The types of corrective controls that will be introduced include enhanced maintenance
procedures and improved arrangements for drivers to report vehicle defects.
â—Â
Enhanced directive controls will be based on defensive driver training and the provision of a
vehicle driver handbook with practical advice that is easy to understand and follow.
â—Â
Although some detective controls are already in place through the use of tachographs in
the vehicles, the company may decide to also introduce a routine review of drivers’
licences to check for penalty points.
Other controls that might be evaluated by the transport company include routine inspections of
vehicles to discover and report damage, and a review of fuel consumption to identify drivers with
an aggressive driving style. The company is then in a position to introduce structured and
measurable loss-control programmes to reduce the overall cost of running the fleet of vehicles.
Hazard risk zones
Although the 4Ts of hazard response can be illustrated on a simple risk matrix, such
as Figure 16.1, the options are not that clear cut. It can be seen that the tolerate and
terminate options meet at the centre of the risk matrix. It is not sensible to suggest
that a small increase in risk likelihood and potential impact would completely change
the approach of the organization to that particular risk.
Figure 16.3 provides a slightly more realistic analysis by providing a diagram that
builds on Figure 16.1. Figure 16.3 illustrates that there are three zones on the risk matrix,
as the cautious and concerned areas combine into a central zone. The comfort zone is
predominantly for low-likelihood/low-impact events. As can be seen, there is
Purchase answer to see full
attachment
