Whiteboard Series: Categories of Controls
Posted on February 28, 2023 | in Operational Risk
Controls are any policies, procedures, systems, resources, or activities put in place to reduce the consequence or likelihood of a risk.
Note: the higher the inherent risk level, the more effective your controls will need to be.
We often talk about three main categories of controls: preventative, mitigative, and detective.
Preventative controls reduce the likelihood of a risk occurring. A security fence, a pressure relief valve, a policy we require employees to follow, or a training program are all examples of preventative controls.
Mitigative controls act to reduce the consequences should the risk event occur. They include actions such as response and recovery; a company’s emergency response and business continuity plans are examples.
Detective controls tell you that an accident or unsafe activity has happened, or monitor how well other controls are working. Examples include security cameras, chemical monitors and alarms, or audit and review processes.
Some controls can have multiple functions. For example, the deterrent effects of security cameras can also make them preventative.
To be effective, controls must be robust, specific, and regularly monitored.
Clearly define and record the ownership and implementation responsibilities in your risk profiles.
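The following is an added example, not part of the original post, that turns the ideas above into a small risk-register model: preventative controls lower likelihood, mitigative controls lower consequence, a control may carry more than one function (the camera), and each control is checked for a recorded owner, an implementer, and recent monitoring. The 1-5 likelihood and consequence scales, the risk score as their product, the reduction values, and the sample risk and controls are all constructed assumptions for illustration.

```python
"""Hypothetical risk register: how control categories act on an inherent risk score."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

CATEGORIES = ("preventative", "mitigative", "detective")


@dataclass
class Control:
    name: str
    functions: Set[str]                       # one or more of CATEGORIES
    owner: Optional[str] = None               # who is accountable (assumed field)
    implementer: Optional[str] = None         # who operates it (assumed field)
    likelihood_reduction: int = 0             # applied only if "preventative"
    consequence_reduction: int = 0            # applied only if "mitigative"
    last_monitored_days_ago: Optional[int] = None


@dataclass
class Risk:
    name: str
    inherent_likelihood: int                  # assumed 1-5 scale
    inherent_consequence: int                 # assumed 1-5 scale
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_consequence

    def residual_score(self) -> int:
        """Preventative functions cut likelihood; mitigative functions cut consequence.
        Detective functions do not change the score; they are checked for coverage."""
        likelihood = self.inherent_likelihood
        consequence = self.inherent_consequence
        for c in self.controls:
            if "preventative" in c.functions:
                likelihood -= c.likelihood_reduction
            if "mitigative" in c.functions:
                consequence -= c.consequence_reduction
        return max(1, likelihood) * max(1, consequence)


def control_gaps(risk: Risk, monitoring_window_days: int = 90) -> List[str]:
    """Findings a reviewer would raise: missing categories, missing ownership,
    missing implementation responsibility, or stale monitoring."""
    findings = []
    present = set().union(*(c.functions for c in risk.controls))
    for category in CATEGORIES:
        if category not in present:
            findings.append(f"{risk.name}: no {category} control recorded")
    for c in risk.controls:
        if c.owner is None:
            findings.append(f"{risk.name}: control '{c.name}' has no owner")
        if c.implementer is None:
            findings.append(f"{risk.name}: control '{c.name}' has no implementer")
        if c.last_monitored_days_ago is None or c.last_monitored_days_ago > monitoring_window_days:
            findings.append(f"{risk.name}: control '{c.name}' not monitored in the last {monitoring_window_days} days")
    return findings


def meets_target(risk: Risk, target_residual: int) -> bool:
    """Higher inherent risk needs stronger controls to reach the same residual target."""
    return risk.residual_score() <= target_residual


# Constructed sample: one physical-security risk with three controls.
SAMPLE_RISK = Risk(
    name="Unauthorised entry to server room",
    inherent_likelihood=4,
    inherent_consequence=5,
    controls=[
        Control("Perimeter fence", {"preventative"}, owner="Facilities",
                implementer="Facilities", likelihood_reduction=2, last_monitored_days_ago=10),
        # Cameras both deter (preventative) and record (detective): a dual-function control.
        Control("Security cameras", {"preventative", "detective"}, owner="Security",
                implementer="Security Ops", likelihood_reduction=1, last_monitored_days_ago=30),
        # Business continuity plan with no owner recorded: should be flagged.
        Control("Business continuity plan", {"mitigative"}, implementer="Ops",
                consequence_reduction=2, last_monitored_days_ago=200),
    ],
)

if __name__ == "__main__":
    print("inherent:", SAMPLE_RISK.inherent_score(), "residual:", SAMPLE_RISK.residual_score())
    for finding in control_gaps(SAMPLE_RISK):
        print("-", finding)
    print("meets target of 5:", meets_target(SAMPLE_RISK, 5))
```

Running the sample gives an inherent score of 20 and a residual of 3 (likelihood 4 - 2 - 1 = 1, consequence 5 - 2 = 3), and the gap report flags the continuity plan for its missing owner and stale monitoring while the detective coverage is satisfied by the cameras.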