Thanks for the vid. Question. Is training a control? Or is the monitoring of training completion a control or both? Keen to hear you’re thoughts. Moreover ‘reactive’ controls as a type is interesting. I usually think of preventative, detective and corrective controls. All of which could be implemented in reaction (and therefore reactive?) to an issue or risk.
Training is a control because employee awareness limits the likelihood of a risk materialising. People can't manage risks they don't know about. Monitoring is training completion is part of oversight, it's how you check to see if the control is being implemented and works effectively. With respect to reactive think damage control or damage limitation. In the event of a risk event materialising we still have an obligation to limit the damage. Preventative and Detective are about trying to stop the risk from happening in the first place. Corrective for me is part of reactive.
Not directly related to the topic but Please also clarify who is responsible for managing compliance risk. Does the compliance officer design the controls for business or advice?
Compliance risk is owned by the business, they are responsible for implementing controls and effectively managing the risks. Compliance doesn't own the risk, we advise management about the risks and how to effectively manage them e.g. the best controls to have in place.
