Monitor risks and controls – DP Risk Assessments

In the last blog we looked at Controls & Conflict in DP Risk Assessments, and how to handle the reality that you may get pushback from the project team or from elsewhere in the organisation. You can read it by clicking here. Today we’re looking at how and when to monitor risks and controls.

Once you’ve assessed the risks, either as part of a Data Protection Impact Assessment (DPIA) or a “normal” risk assessment for a new project or policy, and you’ve agreed the controls that the organisation will put in place to try to ensure the risk doesn’t materialise (or at least doesn’t go too crazy), you will probably be thinking ‘well, what now?’

You may be sitting back in your chair, happy in the knowledge that through your advice and determination, your organisation has put appropriate controls in place, so it’s ‘job done’.

That lovely little bubble is about to burst, because you now need to monitor those controls and understand:

  • Are they controlling the risk effectively?
  • Are they overkill?
  • Could/should they be improved?

Your burning question is probably ‘will it ever end – do I have to monitor risks and controls forever?!’

In simple terms, how often you monitor, and for how long, depends on the risk and on how long that risk needs to be controlled. So, for example, if it’s a short-term thing, you don’t need to keep the control and its monitoring in place forever; but if it’s an ongoing risk, you do, I’m afraid!

Once you’ve got your head round this, you may be wondering how on earth you plan for that.

If we look at stand-alone projects, the key is to build monitoring into the project management process. If the risk and its controls will still exist after the project ends, then maintaining them should be built into “business as usual”, in whatever way your organisation does that.

In the case of ongoing risks and controls, the risks should be on the organisation’s risk register, or at the very least on team level registers, that are regularly reviewed.

All controls can be monitored at the same interval, or you can review some more or less frequently than others, depending on the risk scores and how much of a difference the control is – or should be! – making.

For example, if you have a very high risk but you’ve managed to identify and implement a control that brings the residual risk down to almost zero, you might want to keep a closer eye on that control, because if it fails, the risk score goes right back up to the high level again!

My advice is that monitoring timetables should be built into your organisation’s regular audit review timetable. In practice, that might mean it sits in the DPO/DP lead’s work plan, in your internal audit team’s audit plan for the year, or on the agenda of your Audit & Risk Committee meetings. In some cases it may be a combination of some or all of these.

In the next blog post we’ll have an overview of the whole risk assessment process that we’ve covered over the last few weeks. To get an alert email when a new blog is posted, join our newsletter by clicking here.

Did you know we have a YouTube channel too? Find video versions of the blogs here.

And if you ever want a quick chat about data protection issues – risk assessments, DPIAs, or anything else – you don’t need to be an existing client, and you can book a FREE 15 minute call or book and pay for longer at an introductory rate. Click here for more details.
