Life is a succession of risks. Every day of our lives we face a variety of risks, from crossing the road to flying an aircraft, most of which we take calmly in our stride. We take risks individually and collectively as a society in our homes and in our working lives. To be in business is a risk in itself with many crucial factors affecting commercial success or failure, depending on decisions made by management.

Most people will have heard of Piper Alpha, Bhopal, Exxon Valdez and Brent Spar. Incidents such as these stay in the public memory for a very long time and can seriously damage the corporate image of those enterprises involved. So you can see that it is not merely a case of business loss or safety. It can also be a case of long-term loss of reputation.

Today, all enterprises operate under increasingly stringent conditions. Strict regulatory standards are imposed upon them and society expects management to meet those standards. This means that a company, as a matter of policy, must identify, acknowledge and control the risks which might arise from its operations.

Management responsibilities must not be left to chance

With increasing complexity and sophistication in business, these management responsibilities must not be left to chance-they have to be carried out in a considered and predetermined way and tested in a way which gives management reasonable assurance that people, the environment and the company’s reputation will not be harmed.

As time goes on, societies expectation, backed up by legislation and regulation, prescribing demonstrable control over these risks will become stronger. The overriding expectation of a company’s stakeholders (including government, society, customers, employees, suppliers and shareholders) is that management will ensure that the operations are carried out safely, responsibly and continuously.

The adoption of management models (they appear with increasing frequency!) cannot give absolute assurance that an accident or incident will never happen, or that an acceptable level of performance will be achieved. However, by setting out basic management and operational controls in a structured way, you can be assured the relevant risks will be identified, the potential impact reduced to an acceptable level and that continual overall improvement in performance can be made.

A business control model can be used as a mindset to create a structured means of control for every area of your objectives and responsibilities, your team and ultimately your business.

Senior management should clearly state the company’s commitment to dealing with risk

Senior management should clearly state the company’s commitment to dealing with risk as part of the overall business vision. This ‘promise’ should be well known throughout your company and to contractors, suppliers and customers…….that in itself will create additional opportunities to install your management ethos in those you do not directly control.


Every senior manager should have an overall understanding of business control and continuously demonstrate the implications of their management decisions at all levels of the business, that is to say all of their direct and indirect reports.

All managers should be individually committed and involved in making Business Control ‘come alive’ to demonstrate visible commitment to implementation and to continual improvement.

As a starting point for an effective business control framework, this should be a definite strategy with a clearly identifiable set of objectives and targets, which should be integrated within the business plan of the enterprise and each business process.

Make everyone responsible

You should ensure that all individuals, departments and teams are aware of their own responsibilities, authorities, accountabilities and key interfaces with respect to the control of risks and to achieve specified levels of performance, individually and collectively.

Here is a simple method. If something goes wrong in a company or department, one of the following Business Controls will be breaking down:

  • Policy
  • Review and Appraisal
  • Organisation
  • Procedures
  • Supervision

(PROPS for short).


The way to use this approach is from the bottom up…that is to say, from “Supervision”.

Several years ago, a ferry sank because the front door-loading doors had been left open. The initial finding had been that a sailor had not pressed a button to close the door BEFORE the ferry sailed.

However, this is what the structured approach demonstrated:

Supervision. The sailor had no direct manager and relied on the first officer on the bridge to let him know when to shut the ferry doors. Unfortunately, on this occasion, when he was buzzed with a signal to close the doors he had been asleep.

Procedures. The procedure was simple. The first officer pressed a button which rang a bell, indicating that the sailor should close the doors. There was no facility for the sailor to acknowledge that he’d heard the bell.

Organisation. The captain and first officer were always on the bridge and everyone else took orders directly from them.

Review and Appraisal. The procedures had never been reviewed and no-one had foreseen the risk of the doors being left open. The sailor had never been appraised and his feedback had never been sought.

Policy. The company’s policy was to turn the ferry around in no more than twenty minutes. That is to say from arrival, unloading, loading and sailing again. There was also a ban on shore leave because of short staffing. The sailor who should have pushed the button was asleep because he had been working continuously for more than 24 hours.

You can see from the above example that what at first appeared to be a lower level control failure (Supervision and Procedures) had its ROOT CAUSE in the higher level control of company POLICY.

If you feel that there is something going wrong in either your work (or personal!) life, you should adopt this structured approach to your thinking and very often you will find the solution in the most surprising place.

Finally, “Review and Appraisal” (above) applies to all the other Controls. That is to say, you should always be looking at ALL of your business controls in order to see where improvement can be made to minimise RISK.