Risk Management Goals: Minimizing, Monitoring, and Controlling Risk
- Minimizing or mitigating risk means finding ways to reduce the impact or loss of a risk. Efforts to minimize a risk are performed before the risk is realized, whereas mitigations take place afterward in order to remediate identified issues (such as conducting a root cause analysis and implementing a corrective action plan based on the findings).
- Monitoring risk means tracking and evaluating both your organization’s actions and the other parties’ actions, tasks, procedures, and deliveries to ensure that a risk event does not happen at all or, if a risk event does happen, that the event is controlled to reduce its impact.
Monitoring can take many forms including ongoing evaluations, which are built into business processes, or independent evaluations, which are conducted periodically by a designated person or department. This includes third-party audits.
What This Means to You: Monitor Risk Using a Risk Register
The Risk Monitoring Template is one tool of many for conducting an independent evaluation as a snapshot in time to promptly address issues. A completed Risk Monitoring Template becomes your Risk Register.
- Controlling the risk means performing activities, following procedures, or using techniques to help ensure that the risk and associated loss does not happen. For example, one party would obligate the other party to follow laws, regulations, and internal policies to prevent the risk event from happening. The obligations would be included in the T&Cs. Your organization may have activities, policies, and procedures to help ensure that the risks are controlled, such as audit rights or adherence to a code of conduct.
An organization’s activities, policies, and procedures may be preventive or detective in nature. Preventive controls are designed to deter the occurrence of a risk event by implementing procedures to avoid it. For example, a supplier code of conduct is a preventive control. Detective controls are designed to identify a risk event that does happen and alert leadership about what has occurred so that the issues may be remediated (to the extent possible). Audit rights are detective controls in that they find potential invoicing errors for correction.