
Risk and Control

  • Writer: Frans Minnaar
  • 53 minutes ago

Risk control is a proactive, systematic process used to identify, evaluate, and manage potential threats, aiming to reduce the likelihood or impact of negative events on an organization. It follows risk assessment, employing methods like elimination, mitigation, or transfer to ensure operational stability. 

Key Aspects of Risk Control

  • Proactive Approach: Unlike risk management, which covers the entire strategy (identification to monitoring), risk control focuses specifically on taking action to mitigate risks that have already been identified.

  • Categories of Controls:

    • Preventative: Stops risks from happening (e.g., training, firewalls).

    • Detective: Identifies risks that have already occurred (e.g., audit trails, security alerts).

    • Corrective: Fixes the aftermath of a risk incident.

    • Directive: Policies or guidelines instructing employees on actions.

  • Hierarchy of Control (Most to Least Effective):

    • Elimination: Physically remove the hazard.

    • Substitution: Replace the hazard.

    • Engineering Controls: Isolate people from the hazard.

    • Administrative Controls: Change the way people work.

    • Personal Protective Equipment (PPE): Protect the worker with gear.

Common Risk Control Methods

  • Avoidance: Choosing not to engage in high-risk activities.

  • Loss Prevention/Reduction: Implementing protocols to minimize potential losses.

  • Separation/Duplication: Isolating critical functions or backing up data.

  • Transfer/Sharing: Using insurance or outsourcing to shift risk to a third party. 


Risk Control vs. Risk Management

  • Risk Management: The overall process of identification, assessment, and prioritizing risks.

  • Risk Control: The implementation of specific methods to neutralize or reduce those prioritized risks. 

Effective Control Characteristics

Controls are most effective when they are integrated into daily operations, address the root causes, and are continuously monitored for effectiveness. 

-- Google AI --

The control environment is the foundation for the entire internal control system. It provides the discipline and structure, as well as the climate, which influence the overall quality of internal control. It shapes how strategy and objectives are established and how control activities are structured.

Having set clear objectives and established an effective control environment, an assessment of the risks facing the entity as it seeks to achieve its mission and objectives provides the basis for developing an appropriate response to risk.

The major strategy for mitigating risk is through internal control activities.

Control activities can be preventive and/or detective. Corrective actions are a necessary complement to internal control activities in order to achieve the objectives. Control activities and corrective actions should provide value for money. Their cost should not exceed the benefit resulting from them (cost effectiveness).

Effective information and communication is vital for an entity to run and control its operations. Entity management needs access to relevant, complete, reliable, correct and timely communication related to internal as well as external events.

Information is needed throughout the entity to achieve its objectives.

Finally, since internal control is a dynamic process that has to be adapted continuously to the risks and changes an organisation faces, monitoring of the internal control system is necessary to help ensure that internal control remains tuned to the changed objectives, environment, resources and risks.

Control Environment

The control environment sets the tone of an organisation, influencing the control consciousness of its staff. It is the foundation for all other components of internal control, providing discipline and structure.

Elements of the control environment are:

(1) the personal and professional integrity and ethical values of management and staff, including a supportive attitude toward internal control at all times throughout the organisation;

(2) commitment to competence;

(3) the “tone at the top” (i.e. management’s philosophy and operating style);

(4) organisational structure;

(5) human resource policies and practices.

The best-known institution involved in the development (and gradual refinement) of Enterprise Risk Management methodologies is COSO (the Committee of Sponsoring Organizations of the Treadway Commission). Its standard method for assessing risks in an enterprise was as follows:

--Individual risks are identified based on an analysis of an organisation’s external and internal environment. Risk identification starts from the requirements of the strategic objectives, and then specifically analyses the impact of events or conditions in the environment that may prevent the achievement of those objectives, or cause the organisation to suffer losses while pursuing them.

--Each risk is then assessed on a scale of 5 to 1, in terms of the likelihood that it will mature and the impact if it does. A judgement of 5 indicates high risk, and 1 little risk. If the judgement for likelihood is then multiplied by that allocated for impact, an inherent risk level is calculated (e.g., if likelihood is assessed as 3 and impact as 4, the inherent risk level will be 3 x 4 = 12 [or, alternatively, 3 + 4 = 7]).

Inherent risk is one side of the risk assessment coin; the other is the effectiveness of risk controls.

Performance is directly linked to the capacity of the executing organisation to mitigate risks (that is, performance must match capacity). Performance is determined by the opportunities and threats in the organisation’s strategic environment (that is, external conditions and events that demand certain outcomes but, simultaneously, put limits on what can be achieved). The performance capacity of an organisation is determined by the quality and quantity of its structures, systems, processes and resources (essentially its risk-mitigating controls).

The principle is that organisations are not powerlessly exposed to the risks facing them; strategies, organisational arrangements, systems, processes and resources, integrated into and synergised through the governance and management applications, allow the organisation to proactively pursue opportunities (the opposite of risk) and to mitigate risks.

What we want to achieve through the application of Enterprise Risk Management is to assess, prioritise and mitigate strategic risks (from the external environment, impacting on performance) by strengthening internal capacity (that is, the internal, or operating, environment), or, put differently, by mitigating operating risks. The focus is not necessarily on internal (or even audit) controls, but on optimising the performance-versus-capacity relationship, which improves organisational performance and, over the long term, longevity (going-concern status).

The question then becomes: Which criteria must be considered when risks impacting on the performance of the organisation are identified, scrutinised and assessed?

Recent recommendations of COSO have refined the risk assessment model, most notably by adding the element of velocity. The following elements have been added:

--Vulnerability: the level of exposure to risk that the organisation must endure (and can afford to absorb).

--Velocity: the capacity of an organisation to respond to the governance, management and organisational demands for review and adaptation that result from risks.

If these elements are accepted as determinants of inherent risk, the assessment methodology explained above changes; it is now applied as follows: Likelihood (/5) + (or x) Impact (/5) + (or x) Vulnerability (/5) + (or x) Velocity (/5), with each determinant judged out of 5 and the four either added or multiplied.

In this model, which focuses on an integration of performance and capacity (rather than internal controls), these four determinants of inherent risk do not necessarily warrant the same weight in the equation used to determine inherent risk (e.g. likelihood may carry a weight of 30%, impact 30%, vulnerability 20% and velocity 20%). It is then appropriate to refine the calculation by weighting and adding the stated determinants of inherent risk, and, furthermore, to apply the same principle to the assessment of the efficiency of organisational controls as well.

The current standard theory is that effective risk controls mitigate inherent risk levels. For instance, if inherent risk is 20 (out of a maximum inherent risk level of 25 [likelihood /5 x impact /5]), highly effective risk controls will mitigate the level to only 2 (because the effectiveness of the controls mitigates the risk by 90% and therefore leaves only 10%, which is 2).

We assess inherent risk based on the determinants explained above. The question then becomes: Can we apply the same argument (assessment methodology) to risk controls? We suggest that it can indeed be done, according to the following method:

--Control effectiveness is a result: the “value produced” by a preceding process that includes determinants such as the design of controls, the resources loaded to those controls, the economy with which resources (such as experts and analysts) operate these controls, and the efficiency with which the risk controls are operated.

The argument is that:

--the design of controls (whether they are present in the organisation, and whether they are well structured),

--the loading of resources to these controls (considering quality and quantity),

--the economy (“internal rate of return”) with which these resources have been procured and maintained, and

--the efficiency (productivity) with which the controls are operated (the system and process dimensions thereof)

determine their ultimate effectiveness (and that internal risk-mitigating controls must subsequently be assessed as such).

It is generally accepted in management sciences that value-for-money is composed of a chain of inter-related value-adding interventions; starting with the manner in which resources are obtained to enable activity (the right quality and quantity at the most beneficial price [or terms]); followed by the way in which these resources are utilised and applied to ensure optimal productivity (efficiency); resulting in cost-effective goal-achievement (effectiveness).

For me, the main advantage of this methodology is that it implies a direct (and comparable) comparison between risks and the effectiveness of the controls available to mitigate them; both are assessed on the same judgement scale (5-1).

The core requirements for organisational risk controls are that they must mitigate (1) the likelihood that a risk may mature and/or (2) the impact if it does. If the expanded methodology explained above is applied, it also implies that risk controls must mitigate (3) the vulnerability of the organisation to risk and (4) the difficult-to-control velocity resulting from imminent (high-level) inherent risks.

In order to effectively mitigate inherent risk, it is necessary to “unpack” the controls to be used for that purpose.

--Assessing the design of these controls provides a scientific check on whether they are structurally and organisationally established and operationalised adequately to mitigate inherent risk effectively.

--Assessing the loading of resources to these controls shows whether the required expertise, and also the quantity and quality of other resources, are available to mitigate inherent risk effectively.

--Assessing the economy of controls provides an indication of whether the best possible use is made of the resources incorporated into controls to mitigate inherent risk.

--Assessing the efficiency of the resources, structures, systems and processes of controls provides a scientific perspective on the level of productivity secured when inherent risks are mitigated.

Another important consideration in the application of a risk assessment is the risk threshold. The risk threshold is the level up to which an organisation can absorb risks.

Two issues are considered when determining the risk threshold level, namely risk attitude and risk tolerance. Risk attitude refers to the “culture” towards risk in the organisation, and risk tolerance to its systemic capacity to “take on” risk. If the risk threshold level can be accurately determined, on the same value scale as inherent risk and control effectiveness, it adds another dimension that enriches the analysis process and produces better information for decision-making (and risk response).
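The assessment chain described in this post (the 5-1 scale with the 3 x 4 = 12 example, the weighted four-determinant form with the 30/30/20/20 split, the 20 → 2 control-effectiveness example, and the threshold comparison) worked through as a small model. This is an added example, not the post's or COSO's own code; the equal weights for the four control determinants, the reading of a weighted control judgement of 5/5 as 100% mitigation, and all sample scores are assumptions.

```python
SCALE_MIN, SCALE_MAX = 1, 5  # the post's 5-1 judgement scale

# Weights for the four determinants of inherent risk (the post's 30/30/20/20).
INHERENT_WEIGHTS = {"likelihood": 0.30, "impact": 0.30,
                    "vulnerability": 0.20, "velocity": 0.20}
# Equal weights for the four control determinants: an assumption, since the
# post names design, resources, economy and efficiency but gives no weights.
CONTROL_WEIGHTS = {"design": 0.25, "resources": 0.25,
                   "economy": 0.25, "efficiency": 0.25}

def weighted_judgement(scores, weights):
    """Combine 1-5 judgements into one weighted judgement on the same scale."""
    if set(scores) != set(weights):
        raise ValueError(f"expected judgements for {sorted(weights)}")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    for name, score in scores.items():
        if not SCALE_MIN <= score <= SCALE_MAX:
            raise ValueError(f"{name} must be on the {SCALE_MIN}-{SCALE_MAX} scale")
    return round(sum(scores[k] * weights[k] for k in weights), 2)

def inherent_risk_product(likelihood, impact):
    """Classic two-factor form, likelihood x impact (maximum 25)."""
    for score in (likelihood, impact):
        if not SCALE_MIN <= score <= SCALE_MAX:
            raise ValueError("judgements must be on the 1-5 scale")
    return likelihood * impact

def mitigation_fraction(control_scores):
    """Fraction of inherent risk the controls mitigate. Assumption: a weighted
    control judgement of 5/5 mitigates 100%, so 4.5/5 mitigates 90%."""
    return weighted_judgement(control_scores, CONTROL_WEIGHTS) / SCALE_MAX

def residual_risk(inherent, control_scores):
    """Inherent risk left after controls: inherent x (1 - fraction mitigated)."""
    return round(inherent * (1 - mitigation_fraction(control_scores)), 2)

def risk_response(residual, threshold):
    """Compare residual risk with a threshold expressed on the same scale."""
    return "within threshold" if residual <= threshold else "exceeds threshold"

if __name__ == "__main__":
    # Constructed sample judgements for one risk and its controls.
    controls = {"design": 5, "resources": 4, "economy": 5, "efficiency": 4}
    print(residual_risk(inherent_risk_product(5, 4), controls))  # 20 -> 2.0
    weighted = weighted_judgement({"likelihood": 4, "impact": 5,
                                   "vulnerability": 3, "velocity": 2},
                                  INHERENT_WEIGHTS)            # 3.7
    print(risk_response(residual_risk(weighted, controls), 2))
```

The product form and the weighted form live on different ranges (1-25 versus 1-5), so a threshold must be set on the range of the inherent value it is compared against.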
