5 Mitigation through controls
Unlike actions, controls are repeatable activities that, when designed and working correctly, keep the risk at its current level. However, when a control is not designed or operated correctly, the level of risk will increase.
Controls and actions are therefore used in tandem: actions reduce the risk level, and controls keep the risk at the new, lower level. Many risks never go away, so the only way to keep the risk level within appetite is by using controls.
Not all controls are equal: they have different ‘strengths’ and operate on different parts of the risk. Some controls prevent the root causes from happening, whereas others reduce the consequence(s) once the event has occurred.