Risk control

Risk control is the process of identifying potential risks and implementing strategies to reduce the likelihood of those risks occurring or to minimize their impact. It involves methods such as avoidance, reduction, transfer, and acceptance of risk.

First Used

c. 1950s

Synonyms: Risk Mitigation, Risk Treatment, Countermeasure

Definitions

1. General Business and Project Management

In the context of general business and project management, risk control, often called risk mitigation or risk treatment, refers to the process of developing and implementing strategies to manage identified risks. The goal is to modify a risk to bring it within an acceptable level.

The primary strategies involved are:

  • Avoidance: Eliminating the risk by deciding not to start or continue with the activity that gives rise to the risk. For example, canceling a project in a politically unstable region.
  • Reduction (Mitigation): Taking actions to reduce the likelihood or impact of the risk. For instance, installing a sprinkler system to reduce the potential damage from a fire.
  • Transfer (Sharing): Shifting the financial impact of a risk to a third party. The most common example is purchasing insurance. Outsourcing a specific function can also be a form of risk transfer.
  • Acceptance: Acknowledging a risk and making a deliberate decision not to take any action, often because the cost of mitigation outweighs the potential loss. This is also known as risk retention.
2. Cybersecurity and IT

In cybersecurity and information technology, risk control refers to the safeguards or countermeasures implemented to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. These controls are often categorized by their function.

Key categories include:

  • Preventive Controls: Designed to prevent an incident from occurring. Examples include firewalls, access control lists, and security awareness training.
  • Detective Controls: Used to identify and report the occurrence of an incident. Examples are intrusion detection systems (IDS), security audits, and log monitoring.
  • Corrective Controls: Implemented to fix systems and restore data after an incident has occurred. Examples include disaster recovery plans and data backup restoration.
  • Administrative Controls: Policies, procedures, and standards that define how an organization manages risk. Examples include security policies and hiring procedures.
  • Technical Controls: Security measures that are implemented and executed by computer systems. Examples include encryption and authentication mechanisms.
  • Physical Controls: Measures that protect the physical environment where systems are located, such as locks, security guards, and fire suppression systems.
3. Finance and Insurance

In finance and insurance, risk control involves techniques used to minimize the potential for financial loss. It is a core component of managing investment portfolios and underwriting policies. The focus is on protecting assets and ensuring financial stability.

Common financial risk control methods include:

  • Diversification: Spreading investments across various financial instruments, industries, and other categories to reduce the impact of a poor performance in any single asset.
  • Hedging: Making an investment to reduce the risk of adverse price movements in an asset. For example, using futures contracts to lock in a price.
  • Asset Allocation: A strategy that aims to balance risk and reward by apportioning a portfolio's assets according to an individual's goals, risk tolerance, and investment horizon.
  • Insurance: A contractual agreement where one party agrees to compensate another for specified losses, transferring the risk of loss to the insurer.

Origin & History

Etymology

The term combines 'Risk', from the 17th-century Italian 'risco' meaning 'danger' or 'hazard', and 'Control', from the Old French 'contrerole', meaning 'a duplicate register used for verification'. The combined meaning implies the process of verifying and managing potential dangers.

Historical Context

The concept of managing risk is ancient, seen in early maritime trade where merchants would distribute cargo across multiple ships to mitigate the risk of a total loss from a single shipwreck. However, the formalization of **risk control** as a distinct discipline began in the mid-20th century, particularly within the insurance and engineering fields. In the 1950s and 1960s, the rise of complex engineering projects, such as in the aerospace and nuclear industries, necessitated a more structured approach to identifying and mitigating potential failures. This led to the development of techniques like Failure Mode and Effects Analysis (FMEA). During the latter half of the 20th century, these principles were adopted into business and project management. The focus expanded from purely technical or financial risks to include operational, strategic, and compliance risks. The development of international standards, such as the ISO 31000 family on Risk Management, provided a globally recognized framework for organizations to implement comprehensive **risk treatment** strategies.


Usage Examples

1. In project management, implementing a robust risk control plan is essential for keeping the project on schedule and within budget.

2. The company's cybersecurity policy mandates multi-factor authentication as a key risk control to protect sensitive data.

3. As a form of risk mitigation, the investment firm diversified its portfolio across various asset classes to reduce the impact of market volatility.

4. Purchasing liability insurance is a common countermeasure used to transfer the financial consequences of potential lawsuits.


Frequently Asked Questions

What are the four primary strategies for risk control?

The four primary strategies for risk control are:

  • Avoidance: Eliminating the risk by not engaging in the activity that creates it.
  • Reduction (Mitigation): Implementing measures to lower the probability or impact of a risk.
  • Transfer (Sharing): Shifting the financial burden of a risk to another party, such as through insurance.
  • Acceptance: Consciously deciding to retain the risk without taking action, typically when the cost of control is greater than the potential loss.

In cybersecurity, what is the difference between a preventive and a detective control?

A preventive control is proactive; it aims to stop a security incident before it happens. A firewall blocking unauthorized access is a classic example. A detective control is reactive; it is designed to identify and alert that an incident has occurred or is in progress. An intrusion detection system that flags suspicious network activity is a detective control.

Why is risk acceptance considered a form of risk control?

Risk acceptance is considered a form of risk control because it is an active, deliberate, and informed decision. It is not the same as ignoring a risk. The process involves assessing the risk and concluding that the potential loss is acceptable or that the cost of any other control strategy is disproportionate to the risk's impact. This conscious decision-making process is a way of managing and controlling the organization's overall risk exposure.


Categories

Risk Management, Cybersecurity, Project Management, Finance

Tags

Risk Mitigation, Security Controls, Compliance, Business Continuity, Cybersecurity