Overview
Controls are processes or checks that are put in place to reduce or manage identified risks. Two key concepts are helpful when thinking about controls: the nature of the control, and the impact of the control in reducing risk (likelihood, consequence or both).
Nature of Controls:
Preventative: the control works by preventing a risk from occurring (e.g. access controls)
Detective: the control works by detecting if some risk has occurred (e.g. quality assurance checks)
Corrective: the control works by correcting realised risks (e.g. employee training following an issue).
Impact of Controls:
Likelihood: the control reduces the chances of a risk occurring (e.g. training employees in correct procedures)
Consequence: the control reduces the impact of the risk when it occurs (e.g. insurance coverage).
In StartRisk this impact is assessed separately for likelihood and for consequence. This means you can be specific about a control's ability to mitigate the risk likelihood independently from its ability to mitigate the risk consequence.
Each risk should have a set of controls recorded that collectively result in the risk being within risk appetite. StartRisk will determine the residual risk level based on the identified impact of the controls recorded against the risk and their implementation status (i.e. planned vs. implemented).
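The following is an added illustration, not StartRisk's own code, of how a residual risk level can be derived from the controls recorded against a risk. It assumes a 1 to 5 rating scale for likelihood and consequence, a residual score of likelihood multiplied by consequence, and that only controls with status "implemented" count toward the residual (planned controls can be included for a forward-looking view); the page does not state StartRisk's actual scale or scoring rules, so these are assumptions. The sample risk, controls and appetite threshold are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed 1..5 rating scale for likelihood and consequence (not stated on the page).
SCALE_MIN, SCALE_MAX = 1, 5


def clamp(value: int) -> int:
    """Keep a reduced rating within the scale; controls cannot push it below 1."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


@dataclass
class Control:
    title: str
    nature: str                  # "preventative", "detective" or "corrective"
    likelihood_reduction: int    # rating points removed from likelihood (0 if none)
    consequence_reduction: int   # rating points removed from consequence (0 if none)
    status: str = "planned"      # "planned" or "implemented"

    def impact(self) -> str:
        """Classify the control's impact as likelihood, consequence, dual or none."""
        reduces_l = self.likelihood_reduction > 0
        reduces_c = self.consequence_reduction > 0
        if reduces_l and reduces_c:
            return "dual"
        if reduces_l:
            return "likelihood"
        if reduces_c:
            return "consequence"
        return "none"


@dataclass
class Risk:
    title: str
    inherent_likelihood: int
    inherent_consequence: int
    controls: List[Control] = field(default_factory=list)

    def residual(self, include_planned: bool = False) -> Tuple[int, int, int]:
        """Return (likelihood, consequence, score) after applying controls.

        Likelihood and consequence are reduced independently, so a control that
        only lowers consequence (e.g. insurance) leaves likelihood untouched.
        Only implemented controls count unless include_planned is set.
        """
        likelihood = self.inherent_likelihood
        consequence = self.inherent_consequence
        for ctl in self.controls:
            if ctl.status != "implemented" and not include_planned:
                continue
            likelihood -= ctl.likelihood_reduction
            consequence -= ctl.consequence_reduction
        likelihood, consequence = clamp(likelihood), clamp(consequence)
        return likelihood, consequence, likelihood * consequence

    def within_appetite(self, appetite_score: int, include_planned: bool = False) -> bool:
        """True when the residual score is at or below the appetite threshold."""
        return self.residual(include_planned)[2] <= appetite_score


def gap_report(risk: Risk, appetite_score: int) -> List[str]:
    """Titles of still-planned controls when implemented controls alone leave the
    risk outside appetite; empty when the implemented set is already sufficient."""
    if risk.within_appetite(appetite_score):
        return []
    return [c.title for c in risk.controls if c.status == "planned"]


# Constructed sample data (not from the page).
SAMPLE_RISK = Risk(
    title="Unauthorised access to customer records",
    inherent_likelihood=4,
    inherent_consequence=5,
    controls=[
        Control("MFA on all administrative accounts", "preventative", 2, 0, "implemented"),
        Control("Monthly privileged-access review", "detective", 1, 0, "planned"),
        Control("Encrypted, tested backups", "corrective", 0, 2, "implemented"),
    ],
)
APPETITE_SCORE = 8   # constructed appetite threshold


if __name__ == "__main__":
    print("inherent score:", SAMPLE_RISK.inherent_likelihood * SAMPLE_RISK.inherent_consequence)
    print("residual (implemented only):", SAMPLE_RISK.residual())
    print("residual (incl. planned):", SAMPLE_RISK.residual(include_planned=True))
    print("within appetite:", SAMPLE_RISK.within_appetite(APPETITE_SCORE))
    print("controls still needed:", gap_report(SAMPLE_RISK, APPETITE_SCORE))
    for ctl in SAMPLE_RISK.controls:
        print(f"  {ctl.title}: {ctl.nature}, impact={ctl.impact()}, {ctl.status}")
```

Running the sample takes the inherent score of 20 down to a residual of 6 from the two implemented controls alone (likelihood 4 to 2, consequence 5 to 3), which is within the constructed appetite of 8; including the planned access review would bring it to 3. The separate likelihood and consequence reductions are what let a detective or corrective control be recorded honestly as having no effect on one dimension.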
Adding Controls
In StartRisk users can either add controls against a risk from the Risk Editor or from the Control Editor. The main difference is that controls added through the Risk Editor will be automatically linked to the selected risk while those created in the Control Editor will need to be linked to risks manually.
Risk Editor View:
Link Existing Controls:
From the Risk Editor you can choose ‘Link existing control’, which allows you to search for an existing control and quickly link it to the risk. This is useful when you already know that a relevant control exists.
Add Controls AI:
The Add Controls AI tool generates suggested controls for the specific risk you are considering, or recommends a control based on an idea that you input.
When you initially select the Add Controls AI tool it will automatically generate 4 control suggestions for you to consider. In doing so the AI tool will already be aware of the specific risk and any existing controls linked to the risk and won’t duplicate these.
If the recommendations aren’t quite right, you can select the ‘Show More’ button to generate another 4 suggestions, or enter a control idea and hit the ‘Generate’ button to have the AI craft a specific control for you.
Control Editor View:
You can also add controls manually using the control editor. In this view you simply define the control title, description, status and linked risks yourself.
Getting Started with StartRisk - Adding Controls
Key Concepts
Preventive Controls: These are designed to prevent a risk from occurring by addressing its causes. Examples include policies, procedures, and physical barriers.
Detective Controls: These aim to identify and detect risks that have occurred or are occurring. Examples include audits, monitoring systems, and regular inspections.
Corrective Controls: Implemented to respond to and correct the effects of a risk event after it has occurred. Examples include contingency plans and backup systems.
Control Impact indicates if a control reduces the probability of a risk event, the impact of a risk event or both.
Likelihood-Focused Controls aim to reduce the probability of a risk event occurring. They are preventative in nature.
Consequence-Focused Controls are designed to lessen the impact or severity of a risk event should it occur. They are mitigative in nature.
Dual Impact Controls address both the likelihood and the consequences of a risk, providing a comprehensive risk management approach.