The Importance of Soft Controls

Codifying and understanding the control environment is critical to developing and opining on the organization’s risk profile. “Hard” controls are perhaps the easiest to understand. For example, they are frequently thought of in the context of their ability to drive effective and efficient operations, compliance with laws and regulations, and the dependability and accuracy of financial reporting.

“Soft” controls are a little more ambiguous to decipher and interpret. Most experts agree soft controls are among the most important management elements. Moreover, boards of directors, regulators, and executive committees look to management to protect the organization from unwanted exposures. This necessitates (as also addressed by COSO) a more thorough review of “soft” controls, which have a significant component of abstract subjects like:

  • Employee conduct or how employees handle themselves, particularly in relation to customers
  • Management’s philosophy and operating style
  • The comprehension and sustainable management of risk
  • Employee motivation (e.g., behaviors and performance management)
  • People’s integrity and ethics
  • Communication, escalation, and sharing of information

The financial and non-financial implications of not addressing these topics can be considerable, including lost shareholder value, reputation damage, litigation, fines, and customer distrust. Losses can easily reach the tens to hundreds of millions. Given the potential severity of loss, one would expect that soft controls would receive more attention in any GRC implementation. However, many organizations struggle to identify, assess, evaluate, and monitor soft controls. The BWise® GRC solution can assist an organization with its soft controls by integrating them into the risk management, audit, and business activities.


  • The integrated GRC software solution made up of various risk management components can assist with the capture, assessment, analysis, and testing of an organization’s controls. Controls can be linked to risks, evaluated for their effectiveness, tied to action plans, monitored in real-time through dashboards, and summarized for reporting. Control testing can also be done on- or offline and results can be captured in work papers. This forms the basis for an audit trail that can be referenced and used to substantiate findings.
  • The capability to align to business activities. For example, BWise process management can be used to manage the organization’s policies and procedures. It can facilitate the understanding of policies, procedures, and ethical standards by employees through advanced training. BWise also provides a configurable and flexible open assessment component that can be used to survey employees on procedures and standards.
  • A best practice approach for Soft Control Testing. This approach is an integrated part of the BWise GRC platform. It gives an organization a method to quickly start testing soft controls or serve as a point of reference.

Contact us for more information about Soft Control Testing.
