written by Mónica María Jiménez, On January 04, 2024
For proper risk management in organizations, it is important to carry out four main actions: identify risks, measure or assess risks, treat risks, and monitor risks and the management performed.
There are different ways to treat risks: accept them, transfer them, mitigate them, or eliminate them. Note that the latter option implies eliminating the process or risk factor that may generate the risk.
This article will focus on risk mitigation through controls: why they are important, what types of controls exist, and what aspects you should consider for their proper design, execution, and robustness.
Controls: usefulness and types
In general, controls are measures that are designed and implemented to reduce or mitigate the probability or impact of risks, i.e., on the one hand, they help to prevent the risks to which the organization is exposed from materializing and, on the other hand, if risks do occur, they serve to reduce the impact or consequences generated by them.
There are three main types of controls: preventive, detective, and corrective.
- Preventive: are those that serve to reduce the probability of occurrence or modify the cause of the risk. They are implemented before a risk event occurs. In other words, they serve to avoid/prevent the risk.
- Detective: these types of controls are used to detect inconsistencies or generate early warnings that something is wrong.
- Corrective: these are implemented to mitigate the impact caused by the materialization of the risk. They are executed during or after the risk occurs.
Design, execution, and robustness of controls
Before defining and designing the controls for risk mitigation, remember that you must assess or qualify the risks in terms of their probability and impact. Doing so will allow you to know their criticality and prioritize the risks and the controls to be implemented based on this.
Once you have clarity on the different inherent risks, you can create the controls that will help you mitigate them. To do so, take into account the following:
- Name of the control.
- Rating of the control design.
- Rating of control execution.
- Description of the control.
The qualification of the design and execution of the control is to know how solid it is, that is, how strong the control is to protect the organization against the occurrence of the risk or the impact it would cause if it materializes.
To qualify the control design, it is important to consider criteria such as:
- Type of control: Corrective - Detective - Preventive.
- Type of execution: Manual - Combined - Automatic.
- Is the control executed frequently? Yes - No.
- Is the control documented? Documented - Partially documented - Not documented.
- Does the control have evidence?: Yes - No.
- Does the control have associated responsible persons?: Yes - No.
The rating of these criteria, based on weights and percentages, allows you to describe how the control is designed and, based on this, to obtain an assessment of the soundness of the control.
And to qualify for the execution of the control, you must keep in mind criteria such as:
- Have any events occurred? Yes - No.
- Is the design of the control effective? Yes - No.
- Is the evidence effective?: Yes - No.
These criteria allow you to evaluate the control when it is already being executed. You will know if the control is being executed as expected, in other words, if the control you designed and implemented is really effective: it meets or does not meet its mitigation objective.
It is important to know that when the strength of a control is low, the percentage of risk mitigation or containment will surely be low; on the other hand, if it has a high strength, the probability of effectiveness of that control will be higher.
Thus, both the design and execution of the control are key to determining the soundness of the controls you implement in your organization to prevent the materialization of risks or to mitigate their impacts if they occur.
And remember that once you apply the controls, you will obtain the residual risk, which is the level of risk that remains after treating them. In Pirani, you can quickly and easily create effective controls to prevent and mitigate the risks to which your organization is exposed (operational, LAFT risks, information security, regulatory compliance, etc.).
Create your account now and start managing risks in our Free plan, which, among other things, allows you to identify and create processes, identify and evaluate risks in their frequency and impact, define controls for the prevention and mitigation of risks, and perform continuous monitoring of the management you perform to make timely and informed decisions.
About Us → 
Leave us your comments