Risk Mitigation

Global Risk Clinic | GRC News

Risk mitigation means making the direct (money lost) or indirect (e.g., reputational) impact of a risk less severe.
Risk is not inherently bad: risk-taking leads to rewards and often carries the potential for business success. Risks should be mitigated to a level that aligns with the overall strategy of the organization.
The "guiding light" for the amount of residual risk (the risk left after mitigation has been applied) an organization should take on should be described in a risk appetite set by the board of directors.

Click here for more information about risk appetite


Risks can be accepted as is if they are within the risk appetite, or mitigated in one of the following ways:

Avoided: Do not conduct the activity associated with the risk. If the risk of doing business in, for instance, a certain country or industry does not outweigh the reward, get out of that country or industry and focus on areas where the reward outweighs the risks.

Transferred: Move the risk out of your organization. If the risk seems to outweigh the reward, or if the risk involves activity outside your core area of business, the activity can be outsourced to another organization, or insurance can be purchased to transfer the impact of the risk.

Controlled: A control is any activity, guideline, or system that reduces the chance of the risk occurring or limits its effect. A control can be either preventive or detective, and either manual or automated.

Implementing controls can lower either the likelihood of a risk occurring or the impact if the risk does occur.


Note: A control costs money, and a risk can be over-controlled. When designing a control environment, it is essential to see controls in the context of the entire value chain, not just in the context of a single business area or process. In mature organizations, holistic risk assessments often reveal that too many controls are in place, which leads to cost savings and opportunities to be more efficient. The focus should be on having few but good key controls in place across value chains.


The following provides a guideline for how to categorize and describe controls.

Preventive and Detective Controls: Does the control prevent the risk from happening, or detect the risk if it does occur? If cash is kept on a table, a locked door is a preventive control and a camera is a detective control.

Manual or Automated Controls: Does the control happen as a manual step in a process, or is the control automated in a system? If too many zeros are added to an amount, this can be caught manually by having someone else review the data input, or it can be caught by a system with programmed tolerance levels.

Key Controls: A key control is relied upon to prevent the risk from occurring, or to detect the risk when it has occurred.

General Controls: General controls are not specifically relied upon to minimize the risk, but contribute to its prevention or detection. Hiring good and honest people and having a good risk culture are examples of general controls, which are important but not key to any specific risk.


Control Description

When describing controls, it is essential to use a uniform way of writing, which can be applied across the entire organization. The following is an example of how to write a control:

1. Who – The employee/area or system performing the control

2. Which – The “control word” e.g. alerts, approves, automatically, confirms, monitors, reconciles, reviews, tests, validates, verifies

3. What – The information the control is performed on

4. When – The trigger, timing and/or frequency of performing the control

5. Why – The outcome/reason for performing the control

6. Action – The action taken if the control catches an issue


Example of a control written in the above format: A trader reviews the daily trade report at the end of the day to ensure trading data is accurate, and alerts the broker and the back office for corrective action if the data is inaccurate.



Tips:

Focus on enterprise risk management.

Unfortunately, most organizations come up with different ways to assess risk and describe controls depending on the areas involved. This leads to inefficiencies and lost opportunities to leverage and aggregate information across the organization. If, for example, the head of audit and the Chief Risk Officer describe key controls differently, opportunities to work together and add value to the organization will be lost. Each organization should have only one way to manage risk.

Develop a one-page dashboard to report on and monitor risk on an ongoing basis.

Combine process development and maintenance with risk assessment. Successful risk mitigation involves assessing and implementing processes and controls at the same time.

Our advisors have experience developing risk management frameworks across the globe and can help you tailor a risk management framework suited for your organization.

Global Risk Clinic Aps

Address: Toldbodgade 2

CVR: 36489499

© GRC 2022