Measuring the value of controls
Residual risk is the risk remaining once controls have been successfully applied. Developing a clear understanding of the purpose and effectiveness of controls is critical to accurately assessing and measuring the residual risks. Conversely, accurately assessing and measuring residual risk is critical to measuring the value of controls.
The financial impact of fraud and corruption is commonly measured by the level of financial loss that might occur as the result of a single incident, or through cumulative losses from several incidents over a period of time. This is where we consider the probability (the remaining chance of fraud or corruption taking place) and the frequency (the number of incidents that can still be expected over the period) of the residual risk.
An estimate of the potential cost of residual risk can be obtained by multiplying the ongoing likelihood of the risk occurring by an estimated cost of the following impacts:
- Victim impact - Losses, damages or penalties, and/or lost income arising from risk events
- Business impact - Cost of resolving risk events, which varies with the actions needed to limit the impact of the negative events that occur. This includes internal costs to restore a situation (for example, the cost of remediating a compromised account or a person's identity) [xx]
It is also important to consider the non-financial impacts of fraud or corruption when measuring residual risk. The IPSFF Guide to Understanding the Total Impacts of Fraud includes more information about the common impacts of fraud and corruption outlined on page 28 above.
This more accurate assessment and measurement of residual risk will deliver two key benefits:
- It will help risk owners make better informed decisions about their risk tolerance [xxi]
- It will provide a baseline for measuring the value of fraud and corruption control, including the financial and non-financial benefits of developing additional controls, if needed.
The UK Government Fraud Prevention Standard, developed in conjunction with the Commonwealth Fraud Prevention Centre, summarises different methodologies that can be applied to calculate prevented fraud. [xxii]