Overview

Controls are processes or checks that are put in place to reduce or manage identified risks. There are some key concepts in relation to controls that are helpful to consider including the nature of the control and the impact of the control in reducing risk (likelihood, consequence or both).

Nature of Controls:

• Preventative: the control works by preventing a risk from occuring (e.g. access controls)
• Detective: the control works by detecting if some risk has occured (e.g. quality assurance checks)
• Corrective: the control works by correcting realised risks (e.g. employee training following an issue).

Impact of Controls:

• Likelihood: the control reduces the chances of a risk occuring (e.g. training employees in correct procedures)
• Consequence: the control reduces to impact of the risk when it occurs (e.g. insurance coverage).

In StartRisk this impact is assessed across both the likelihood and consequence independently. This mean you can be specific about the controls ability to mitigate the risk likelihood independently from the risk consequence.

Each risk should have a set of controls recorded that collectively result in the risk being within risk appetite. StartRisk will determine the residual risk level based on the identified impact of the controls recorded against the risk and their implementation status (i.e. planned vs. implemented).

Adding Controls

In StartRisk users can either add controls against a risk from the Risk Editor or from the Control Editor. The main difference is that controls added through the Risk Editor will be automatically linked to the selected risk while those created in the Control Editor will need to be linked to risks manually.

Risk Editor View: