Risk has become a popular topic, and the questions that come with it are how one addresses risk and then continues to monitor it. In other words, you have created your risk matrix, but what comes next? This article addresses those questions by explaining the linkage between risks and controls. The four main questions that will be answered are:
- What is the link between risk and controls?
- How do I map controls to my risk matrix?
- Are there other ways to mitigate risks besides controls?
- How do I monitor risks going forward?
What Are Risks & Controls?
Before we get into addressing risks, one needs to understand what a risk is and how to create a risk matrix. Last year, we published an article that discusses risk matrices; it details when, how, and why to use a risk matrix. This article discusses the next steps: addressing and monitoring risks.
A risk is any threat or uncertainty facing an organization that could produce an outcome other than the one expected. The outcome could affect the organization negatively and, in some cases, positively. Risks vary across the organization and between departments. Once risks are identified, they are compiled into a risk matrix.
A control is a set of procedures put in place to address the risks of an organization. Controls are clearly defined and measurable. They prevent or detect errors by monitoring data, processes, people, and/or compliance with regulations.
What Is the Link Between Risk & Controls?
Now that we have defined what a risk is and what a control is, we can get into the linkage between the two. Controls may be used to address the risks the organization has identified. Controls are one way to limit risks and harm to the organization. Having controls in place does not make an organization completely free of risk or harm; however, controls are a way to limit the likelihood and impact of a risk.
To break it down in simple terms, the following is an example of a risk that is mapped to a control:
- Risk – Weaknesses that could lead to a breach or incident are not detected in a timely manner.
- Control – The organization monitors for system security weaknesses using a tool that automatically detects application errors.
In this example, the control reduces the risk that weaknesses could lead to a breach of a system by monitoring for those weaknesses automatically with a tool. It may take many controls to mitigate one risk. Many risks can be linked to one control and many controls can be linked to one risk; the mapping is not always one-to-one.
The COVID-19 pandemic brought a whole new set of risks to organizations. The pandemic has likely affected your organization, whether through its industry, regulations, or finances. It is important to identify the new risks and, ultimately, the controls around them. By performing a mapping, an organization will see where it has gaps of unaddressed risk.
How Do I Implement Controls in Risk Management?
- Knowledge is Key: It is important to start with a baseline knowledge of what controls are currently in place within the organization. One will need to understand what risks exist as well as what controls exist. Controls are probably present but may be undocumented. Meeting with different departments within the organization to discuss their processes may lead to the identification of controls.
- Data Gathering: Once controls have been identified, data will need to be gathered for those controls. The details of each control will need to be understood to map the controls to the risks successfully. The who, what, where, and how of the control will need to be addressed in this step.
- Identify Frameworks and/or Regulations to Be Followed: Depending on the organization's industry, there may be frameworks and/or regulations that need to be followed. For example, your organization may be required to be SOC 2 certified, and it is important to understand what risks and controls will need to be present to become SOC 2 certified.
- Adopt a Framework: Once the controls are identified, it is important to adopt a controls framework and map the controls to risks.
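The mapping step above, shown as an added example that is not part of the original article: a small risk register and control inventory (constructed sample data) are linked many-to-many, risks left without any control or other treatment are reported as gaps, and a residual score is estimated. The 1-5 likelihood/impact scale and the per-control "effectiveness" fraction are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    id: str
    description: str
    likelihood: int          # assumed 1-5 scale
    impact: int              # assumed 1-5 scale
    treatment: str = "reduction"   # avoidance | acceptance | reduction | transference
    controls: set = field(default_factory=set)

@dataclass
class Control:
    id: str
    description: str
    effectiveness: float     # assumed fraction of likelihood the control removes (0.0-1.0)

# Constructed sample register, inventory and many-to-many mapping (not from the article).
RISKS = [
    Risk("R1", "Security weaknesses not detected in a timely manner", 4, 5),
    Risk("R2", "Unauthorized change reaches production", 3, 4),
    Risk("R3", "Vendor outage disrupts payroll", 2, 3),                # mapped to nothing: a gap
    Risk("R4", "Minor reporting delay", 1, 2, treatment="acceptance"),
]
CONTROLS = {
    "C1": Control("C1", "Automated vulnerability scanning of systems", 0.5),
    "C2": Control("C2", "Weekly review of scanner findings by IT", 0.5),
}
MAPPING = [("R1", "C1"), ("R1", "C2"), ("R2", "C1")]   # one control can serve several risks

def build_matrix(risks, controls, mapping):
    """Attach controls to risks; reject references to unknown ids."""
    by_id = {r.id: r for r in risks}
    for rid, cid in mapping:
        if rid not in by_id or cid not in controls:
            raise KeyError(f"unknown mapping {rid} -> {cid}")
        by_id[rid].controls.add(cid)
    return by_id

def find_gaps(matrix):
    """Risks slated for reduction but with no control mapped: unaddressed risk."""
    return sorted(r.id for r in matrix.values() if r.treatment == "reduction" and not r.controls)

def residual_score(risk, controls):
    """Likelihood x impact after mapped controls; non-reduction treatments keep the inherent score."""
    remaining = 1.0
    if risk.treatment == "reduction":
        for cid in risk.controls:
            remaining *= 1.0 - controls[cid].effectiveness
    return round(risk.likelihood * remaining * risk.impact, 1)
```

Run it on a real register by replacing the constructed data; risks in `find_gaps` are the ones to take back to the departments that own them.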
Are There Other Ways to Mitigate Risks Besides Controls?
Controls are not the only way to mitigate the risks in your risk matrix. The other ways to lessen or mitigate those risks are listed below.
What Are the Most Common Risk Monitoring Techniques?
- Avoidance – The organization avoids the risk or situation altogether.
- Acceptance – The organization decides to accept that it has a risk and does nothing further.
- Reduction – The organization puts controls in place to reduce the risk.
- Transference – The organization contracts with a third party to transfer the risk to them.
Each risk in your organization should be addressed with one of these strategies.
What Is Next After I Address Risk?
Now that you have built your risk control matrix and mapped controls to those risks (or determined that another method of mitigating a risk is preferable), you will monitor those risks. It is important for an organization to do this because the factors that lead to new risks are ever-changing. Residual risk may remain even after mitigating efforts have been mapped; therefore, a plan for those residual risks will also need to be determined.
It is important to continually monitor and update risks. This can be done through regular meetings within the organization to discuss possible risks, data analytics, internal audits, etc. Periodic updates to the risk matrix are important to keep your organization safe from potential harm.
To sum it up, we discussed what risks and controls are and how they are linked, how to map controls to your risks, what other strategies can be used to lessen risk, and the importance of monitoring risks after the mapping process. Analyzing and monitoring risks helps your organization protect its assets. For more information regarding how Linford & Company may assist your organization with its risk needs, see our related organizational auditing services.
Jessica Kiel joined Linford & Company, LLP in 2023 with over twelve years of experience in internal controls, SOX, internal controls over financial reporting (ICFR), SOC 1, SOC 2, third-party assurance, and attestations/examinations based on PCAOB or AICPA standards. Jessica began her career with Deloitte in 2011, where she served in a leadership role for the last eight years. Jessica graduated from Southern Illinois University-Carbondale with a Bachelor of Science in Accounting and a Master of Accounting.