When a control is found to be ineffective, which of the following steps should be taken next?
Correct Answer: B
When a control is found to be ineffective, the primary objective is to remediate the deficiency by implementing corrective measures. PRMIA (Professional Risk Managers' International Association) guidance, aligned with best practices in risk governance, emphasizes a structured approach to handling control deficiencies. Below is a detailed breakdown based on PRMIA risk management principles:

Step 1: Identify and Assess the Ineffective Control
A control is deemed ineffective when it fails to mitigate the identified risks to an acceptable level. The root cause of the failure must be determined through a Control Effectiveness Review (CER). PRMIA recommends control testing and incident analysis to assess the severity of the control failure.

Step 2: Develop an Action Plan to Address the Control Deficiency
PRMIA best practices state that risk management should prioritize corrective actions rather than delaying remediation. The organization must define an action plan to close the gap, which includes:
- Revising or strengthening the control mechanisms.
- Implementing new controls, if necessary.
- Assigning responsibility for remediation to control owners.
- Setting deadlines for resolution.
This step aligns with PRMIA's Risk Governance Framework, which emphasizes proactive risk management.

Step 3: Implement Corrective Measures and Monitor Progress
Once an action plan is designed, the organization should execute the corrective actions. PRMIA's Risk Monitoring Guidelines require regular follow-ups and testing to ensure the control is functioning correctly. The effectiveness of the remediation should be validated through post-implementation review and ongoing control testing.

Step 4: Re-Assess Risks and Control Effectiveness
Once corrective measures are in place, the organization should re-evaluate risks to confirm that the issue is resolved. The risk assessment process should be updated to reflect the changes in the control environment.

Why the Other Options Are Incorrect?

Option A: "Risks should be re-assessed to determine if there is the appropriate level of control assessment."
While risk re-assessment is a good practice, it does not directly address the ineffective control. PRMIA guidelines prioritize closing the control gap first before reassessing risks.

Option C: "The controls should be re-assessed during the next cycle to determine if they are still ineffective."
Waiting until the next assessment cycle delays remediation, which could expose the organization to unmitigated risks. PRMIA risk frameworks recommend immediate corrective action when a control is found to be ineffective.

Option D: "Risks should be re-assessed to determine if there can be an exception for the level of control assessment."
PRMIA does not support exceptions for ineffective controls unless there is a well-documented risk acceptance process. A control failure should be remediated rather than seeking exceptions.

PRMIA Risk Reference Used:
- PRMIA Risk Governance Framework - Defines the importance of immediate corrective actions for control failures.
- PRMIA Risk Monitoring Guidelines - Stresses continuous monitoring and validation of controls.
- PRMIA Risk Management Standards - Recommends a structured action plan for ineffective controls.
- PRMIA Operational Risk Framework - Emphasizes the need to close control gaps to maintain a strong risk posture.

Final Conclusion:
According to PRMIA risk management best practices, when a control is found to be ineffective, the best course of action is to design and implement an action plan to remediate the issue (Option B). This approach ensures that the organization mitigates risk promptly and maintains a strong control environment.