Assessing controls
After a risk is assessed and an inherent risk score is available, the next step is to evaluate how effectively associated controls reduce that risk. This process calculates the residual risk, helping you determine your organization’s exposure after applying mitigation.
Use control assessments in Risk Manager to:
- Measure the effectiveness of mitigation strategies
- Evaluate whether existing controls reduce risk to acceptable levels
- Identify gaps or areas where improvements are needed
- Support decisions about introducing new or enhanced controls
Residual Risk = Inherent Risk – Control Effectiveness
Assess the control
You can assess a control by analyzing its effectiveness and moving it through the workflow to the Approved status.
Control assessments can be initiated directly in Risk Manager after the control has been associated with a specific risk.
Example
Scenario
You’ve already assessed the risk: Supply Chain Disruption and linked it to the control: Dual-Sourcing Strategy.
You now want to evaluate how effective that control is in mitigating the risk.
Process
Open the control in Risk Manager, initiate the assessment workflow, and move the control to Approved status after evaluation.
For detailed steps, see Working with controls.
After the control's effectiveness is assessed, Risk Manager automatically recalculates the residual risk score using:
- The existing inherent risk score.
- The control’s effectiveness rating.
This provides an accurate view of the residual risk and exposure after mitigation.
Result
You have successfully completed both the risk and control assessments. Your residual risk score now reflects your organization’s risk exposure after mitigation, as managed through Risk Manager.