Risk management can be confusing for those unfamiliar with the territory. The terms used in enterprise risk management (ERM) can be similar, and their functions overlap at times. How can you better understand the nuance in the terminology, and how the terms relate to your overall risk management strategy? 

Here, we discuss the difference between risk control and risk management, and how both concepts should be integrated into your overall security program.

What is risk management versus risk control?

Risk controls and risk management are not separate concepts. Rather, risk management refers to the full process of identifying, preventing, and mitigating risks, while risk control is one of the tools under that risk management umbrella. Risk management is analyzing and attending to risks; risk control is the strategy by which you attempt to prevent it. 

The term “risk control” is also used in workplace health and safety procedures, as well as in data protection. In both fields, it refers to the process of risk analysis and identification and of reducing or eliminating risks as much as possible. In an ideal world your company would avoid risk entirely; but risk controls can also focus on preventing or reducing potential loss, and creating contingency plans within your business strategy when issues inevitably arise. 

Risk control strategy will differ from one company to the next depending on your needs and the policies you already have in place. Examples of controls can include testing, regular internal audits or inspections, and even your training program. Your risk assessment will determine which risks are present for your company and what controls should be created to protect your assets. 

Is risk control and internal control the same thing?

There are some industries where these two terms have different meanings. In banking, for example, “risk control” specifically refers to controls designed to protect transactions from financial risk. 

In most industries, however, “risk control” and “internal control” can be used interchangeably. Your risk control plan or internal control system will serve roughly the same purpose in your overall risk management structure. 

The Committee of Sponsoring Organizations (COSO) has created a framework that helps companies better understand internal controls. The COSO internal control framework can help to determine your risk management strategy and to develop a system of objectives and control activities that will work for your company. 

See also

Best Practice Guide: Using Automation to Transform Risk Management

How is risk control related to enterprise risk management?

Whereas traditional risk management is often focused on individual categories of risk within each business function, enterprise risk management seeks to address risks to the organization as a whole. An effective risk management strategy takes all of the pieces of the company into account. This more holistic approach to risk response will change the way your company’s controls function. 

Traditional risk management also places a focus on dealing with events that have already occurred (say, having an insurance policy to pay for damage from a flood or data breach), while ERM tries to address risks that may happen in the future and minimize the potential damage whenever possible. ERM also considers risks that aren’t protected by your insurance company. For example, you may be financially covered in the event of a workplace accident, but that money will not help repair the damage done to your SEO results. So the best ERM strategy is strong policy, procedure, and internal control to reduce workplace accidents in the first place.

How does this affect your controls? ERM is considered to be a more “risk-taking” form of management, which can be a competitive advantage: it allows you to grow your company while still exercising an appropriate amount of caution. ERM includes a focus on how identified risks relate to one another, and how residual risk may affect different departments. The more traditional “silo” approach may ignore how risks can manifest in unexpected ways, or miss certain risks altogether. 

If a risk has a very small chance of happening, ERM asks that you consider allocating prevention resources elsewhere. The same event could be a minor setback for IT but a disaster for PR. Allow your enterprise risk management program to dictate the controls you set for different levels of risk across departments. 

If you’re tracking your risk management process in a spreadsheet, knowing what risks each department faces can be difficult. An effective enterprise risk management program requires a system of organization that can’t be achieved with outdated methods. ZenGRC is an innovative platform that allows you to streamline your governance and compliance efforts from one centralized dashboard. Schedule a demo today and learn how ZenGRC can help your company succeed.

Driving Organizational Strategy
Adoption: ERM Checklist