Key takeaways
– Risk control is a subset of enterprise risk management focused on reducing the likelihood and/or impact of identified threats through specific techniques and controls.
– Common risk-control techniques include avoidance, loss prevention, loss reduction, separation, duplication, and diversification. These are often used together.
– A Risk and Control Matrix (RACM) is a practical tool to map risks to controls, assess control effectiveness, and prioritize remediation.
– Risk control cannot remove all risk; organizations must manage residual risk through appetite, transfer (insurance), or acceptance.
– Risk control supports corporate social responsibility (CSR) by reducing harms to people, the environment, and stakeholders while improving resilience.
Source: Adapted from Investopedia (Sabrina Jiang). Original
What is risk control?
Risk control is the set of methods an organization uses to identify potential loss exposures, evaluate them, and implement measures to reduce or eliminate those exposures. It uses results from risk assessments and is a core component of enterprise risk management (ERM), business continuity planning (BCP), and operational resilience programs.
How risk control works — the general process
1. Identify risks: catalog operational, financial, legal, strategic, reputational, IT/cyber, supply-chain, environmental, and human risks.
2. Assess risks: estimate likelihood and impact; prioritize using risk scoring or heat maps.
3. Select controls: choose appropriate control strategies (avoid, reduce, prevent, transfer, etc.).
4. Implement controls: deploy policies, technology, procedures, training, insurance, or physical changes.
5. Test and monitor: audit controls, run drills, measure KPIs, update controls as conditions change.
6. Review and improve: use incidents and near-misses to refine controls and assumptions.
Risk-control techniques and practical steps
1. Avoidance
– What it is: Remove exposure by stopping the activity that creates the risk.
– Practical steps:
• Identify processes/products with disproportionate risk relative to reward.
• Conduct cost-benefit analysis of discontinuation vs mitigation.
• Decide and document governance approval to cease the activity; communicate to stakeholders.
2. Loss prevention
– What it is: Reduce frequency of an adverse event.
– Practical steps:
• Implement preventive controls (e.g., access controls, employee screening, security patrols).
• Standardize procedures and training to reduce human error.
• Use inspections and preventive maintenance schedules.
3. Loss reduction
– What it is: Lessen severity when a risk event occurs.
– Practical steps:
• Install mitigations (sprinklers, firewalls, redundancy) that limit damage.
• Build incident response and crisis management plans with clear roles and playbooks.
• Perform tabletop exercises to sharpen response.
4. Separation
– What it is: Divide critical assets or functions so a single event cannot cripple the organization.
– Practical steps:
• Distribute inventory, production, and data centers geographically.
• Create segregation of duties in critical processes.
• Map single points of failure and plan physical and logical separation.
5. Duplication
– What it is: Provide backups so operations continue if primary systems fail.
– Practical steps:
• Implement hot/cold standby servers, data backups, and alternative suppliers.
• Regularly test failover systems and restore procedures.
• Use managed services for critical services with SLA guarantees.
6. Diversification
– What it is: Spread risk by having multiple revenue streams, suppliers, or markets.
– Practical steps:
• Evaluate concentration risks in customers, suppliers, products, and geographies.
• Develop alternative product lines or partnerships to reduce dependence.
• Use supplier qualification to maintain a tiered supplier base.
Using a Risk and Control Matrix (RACM) for effective risk management
A RACM helps translate high-level risks into actionable controls and priorities.
Practical steps to build and maintain a RACM:
1. Define scope: decide which processes, business units, or risks to include.
2. List risks: use risk-identification workshops and past incident data.
3. For each risk, document:
• Inherent risk rating (likelihood × impact before controls).
• Existing controls (policy, process, system).
• Control owner and control type (preventive, detective, corrective).
• Control effectiveness rating (e.g., effective, partially effective, ineffective).
• Residual risk rating (after controls).
• Actions and target dates to strengthen controls.
4. Rank risks by residual exposure and update the matrix regularly (quarterly at minimum).
5. Integrate RACM outputs into audits, training, and capital/resource allocation.
RACM example (simplified)
– Category: IT
– Risk: Ransomware attack
– Inherent risk: High likelihood / High impact
– Controls: Endpoint protection, segmented networks, daily backups, employee phishing training
– Control effectiveness: Moderate (gaps in patching)
– Residual risk: Medium
– Action plan: Implement centralized patch management; quarterly phishing simulations; test backup restores
Examples and lessons learned
– Sumitomo Electric: Following the Great East Japan earthquake, preexisting business continuity plans (BCPs) proved useful but incomplete; the company emphasized practical drills and ongoing plan improvement based on real disasters.
Lesson: BCPs must be realistic, tested with drills, and updated after incidents.
• British Petroleum (Deepwater Horizon): The 2010 spill led to massive financial and reputational losses and an extensive settlement. BP strengthened its safety culture, training, monitoring technology, and transparency.
Lesson: Major accidents highlight the need for strong safety controls, rigorous risk assessments, and accountability.
• Starbucks (supply-chain diversification): Starbucks sources coffee from multiple regions and invests in diversified supplier relationships and supplier development to reduce exposure to weather and political disruption.
Lesson: Supply-chain diversification and supplier risk management reduce concentration risk.
Ways to identify emerging risks (practical checklist)
– Horizon scanning: review geopolitical, macroeconomic, climate, and technological trends regularly.
– Stakeholder engagement: talk to suppliers, customers, regulators, and insurers for early signals.
– Data analytics: use internal performance data and external market data to detect anomalies.
– Scenario planning: run worst-case and plausible adverse scenarios (pandemic, cyber catastrophe, severe weather).
– Stress testing: quantify impacts on balance sheet, liquidity, and operations.
– Regulatory tracking: monitor proposed laws, standards, and enforcement trends.
– ESG monitoring: follow climate, labor, and community risks that could escalate rapidly.
How risk control differs from risk management
– Risk management is the broader discipline that includes risk identification, measurement, governance, appetite setting, reporting, and risk financing.
– Risk control is the tactical subset focused on implementing measures to prevent, reduce, transfer, or accept specific risks identified by the broader risk-management framework.
Can a company eliminate all its risks through risk control?
No. Some risks can be avoided or reduced, but residual risk always remains. Decisions must be made about which residual risks to:
– Accept (within the company’s risk appetite),
– Transfer (e.g., insure),
– Mitigate further, or
– Avoid entirely.
Practical governance includes documenting risk appetite, setting escalation thresholds, and maintaining contingency funds or insurance.
How risk control relates to corporate social responsibility (CSR)
– Risk control and CSR overlap where company activities can harm people, communities, or the environment.
– Strong risk controls reduce negative social and environmental impacts (e.g., safety systems, spill prevention, ethical sourcing).
– CSR commitments (transparency, stakeholder engagement, sustainability goals) can be framed as risk controls that reduce regulatory, reputational, and operational risks.
– Investors and stakeholders increasingly view effective risk control and CSR as indicators of long-term resilience.
Practical implementation checklist for starting or improving risk control
1. Establish governance: assign a risk owner, set reporting lines, and define risk appetite.
2. Map key processes and assets: identify dependencies and single points of failure.
3. Conduct focused risk assessments: prioritize top 10–20 risks by inherent exposure.
4. Build a RACM for prioritized risks and assign control owners.
5. Implement a risk monitoring cadence: dashboards, KPIs, and quarterly reviews.
6. Test controls: tabletop exercises, BCP drills, penetration testing, backup restores.
7. Train people: role-based training, leadership briefings, and incident simulations.
8. Insure appropriately: match insurance to residual risks after mitigation.
9. Capture lessons: after-action reviews and continuous improvement cycles.
10. Communicate: update boards, regulators, and stakeholders on risk posture and plans.
The bottom line
Risk control is a pragmatic, ongoing program of measures designed to reduce the probability and/or severity of losses that could derail a company’s objectives. By combining strategic planning (RACM, ERM), practical controls (technical and organizational), testing (drills and audits), and adaptive governance (appetite and monitoring), organizations can materially improve resilience — while recognizing that not all risks are eliminable.
Further reading (related topics)
– Enterprise risk management (ERM)
– Business continuity planning (BCP)
– Crisis management and incident response
– Supply-chain risk management
– ESG risk and sustainability reporting
Source and credits
Adapted from Investopedia: “Risk Control” by Sabrina Jiang —
Editor’s note: The following topics are reserved for upcoming updates and will be expanded with detailed examples and datasets.