TRADE

TRADING SKILLS RISK MANAGEMENT

Risk Control: What It Is, How It Works,

Example
By WILL KENTON Updated May 04, 2023
Reviewed by JULIUS MANSA

Investopedia / Sabrina Jiang

What Is Risk Control?

Risk control is the set of methods by which firms evaluate potential losses and
take action to reduce or eliminate such threats. It is a technique that utilizes
findings from risk assessments, which involve identifying potential risk factors
in a company's operations, such as technical and non-technical aspects of the
business, financial policies and other issues that may affect the well-being of
the firm.

Risk control also implements proactive changes to reduce risk Ad in these areas.
Risk control thus helps companies limit loss. Risk control is a key component of
a company's enterprise risk management (ERM) protocol.

KEY TAKEAWAYS
Risk control is the set of methods by which firms evaluate potential
losses and take action to reduce or eliminate such threats. It is a
technique that utilizes findings from risk assessments.
The goal is to identify and reduce potential risk factors in a company's
operations, such as technical and non-technical aspects of the
business, financial policies and other issues that may affect the well-
being of the firm.
Risk control methods include avoidance, loss prevention, loss
reduction, separation, duplication, and diversification.
How Risk Control Works
TRADE
Modern businesses face a diverse collection of obstacles, competitors, and
potential dangers. Risk control is a plan-based business strategy that aims to
identify, assess, and prepare for any dangers, hazards, and other potentials for
disaster—both physical and figurative—that may interfere with an
organization's operations and objectives. The core concepts of risk control
include:

Avoidance is the best method of loss control. For example, after discovering
that a chemical used in manufacturing a company’s goods is dangerous for
the workers, a factory owner finds a safe substitute chemical to protect the
workers’ health. Avoidance, however, is not always possible.
Loss prevention accepts a risk but attempts to minimize the loss rather than
eliminate it. For example, inventory stored in a warehouse is susceptible to
theft. Since there is no way to avoid it, a loss prevention program is put in
place. The program includes patrolling security guards, video cameras and
secured storage facilities. Insurance is another example of risk prevention
that is outsourced to a third party by contract.
Loss reduction accepts the risk and seeks to limit losses when a threat
occurs. For example, a company storing flammable material in a warehouse
installs state-of-the-art water sprinklers for minimizing damage in case of
fire.
Separation involves dispersing key assets so that catastrophic events at one
location affect the business only at that location. If all assets were in the
same place, the business would face more serious issues. For Ad
example, a
company utilizes a geographically diverse workforce so that production may
continue when issues arise at one warehouse.

Duplication involves creating a backup plan, often by using technology. For

example, because information system server failure would stop a company’s
operations, a backup server is readily available in case the primary server
fails.
 Diversification allocates business resources for creating multiple lines of
TRADE
business offering a variety of products or services in different industries. A
significant revenue loss from one line will not result in irreparable harm to
the company’s bottom line. For example, in addition to serving food, a
restaurant has grocery stores carry its line of salad dressings, marinades,
and sauces.

No one risk control technique will be a golden bullet to keep a company free
from potential harm. In practice, these techniques are used in tandem with
others to varying degrees and will change as the corporation grows, as the
economy changes, and as the competitive landscape shifts.

Utilizing a Risk and Control Matrix (RACM) for Effective Risk

Management
A Risk and Control Matrix (RACM) is a valuable tool used by organizations to
better understand and optimize their risk profiles. It is a structured approach
that helps companies identify, assess, and manage risks by mapping the
relationships between potential risks and the corresponding control measures
implemented to mitigate them. The RACM allows organizations to visualize and
evaluate the effectiveness of their risk control strategies and make data-driven
decisions to enhance their risk management practices.

Ad

The RACM typically includes the following components:

Risk identification: The matrix lists all the potential risks an organization
may face, often categorized by business areas, processes, or functions.
Risk assessment: Each identified risk is assessed based on its likelihood of
occurrence and potential impact on the organization. This assessment helps
prioritize risks and focus resources on the most critical areas.
Control measures: For each risk, the matrix outlines the specific control
measures implemented to mitigate or reduce the likelihood and impact of
 the risk. These measures can include policies, procedures, systems, or other
TRADE
mechanisms designed to manage the risk.
Control effectiveness: The RACM evaluates the effectiveness of each control
measure, taking into account factors such as the level of compliance, the
adequacy of the control design, and the control's ability to detect or prevent
the risk from materializing.
Action plans: Based on the assessment of control effectiveness, the matrix
may include action plans for improving risk control measures or addressing
identified gaps in the organization's risk management practices.

By creating and maintaining an up-to-date RACM, organizations can gain a

comprehensive understanding of their risk landscape and the effectiveness of
their risk control measures. This information can inform strategic decision-
making, guide resource allocation, and support continuous improvement in risk
management practices.

RCAM Example

Example of a Hypothetical RCAM

Business Risk Likelihood Impact Risk Control Con

Area Description Rating Measure Effe

Finance Fraudulent Medium High High Implement Effe

transactions strong access
controls

Ad
Regular audits Effe
and
reconciliations

HR Employee Low High Medium Secure storage Effe

data breach and
encryption of
data

Employee Part
training on effe
data privacy
practices

Operations Supply chain High High High Diversify Effe

disruption suppliers and
sources

Maintain Effe
inventory
safety stock
Example of a Hypothetical RCAM TRADE

Business Risk Likelihood Impact Risk Control Con

Area Description Rating Measure Effe

IT Cybersecurity High High High Regular Effe

attacks security
updates and
patches

Employee Part
training on effe
cybersecurity
practices

This RCAM example outlines different risk categories, such as Finance, HR,
Operations, and IT, and includes specific risks within each category. The
likelihood and impact of each risk are assessed, leading to an overall risk rating.
Control measures are then listed, along with an evaluation of their
effectiveness. Finally, action plans are proposed to enhance risk control
measures or address identified gaps in risk management.

Ad

Keep in mind that this is just a simplified example, and an actual RACM for an
organization would likely be more detailed and cover a broader range of risks
and controls.

Examples of Risk Control

Sumitomo Electric and Disaster Resilience
As part of Sumitomo Electric’s risk management efforts, the company
developed business continuity plans (BCPs) in fiscal 2008 as a means of
ensuring that core business activities could continue in the event of a disaster.
The BCPs played a role in responding to issues caused by the Great East Japan
TRADE
earthquake that occurred in March 2011. Because the quake caused massive
damage on an unprecedented scale, far surpassing the damage assumed in the
BCPs, some areas of the plans did not reach their goals.

Based on lessons learned from the company’s response to the earthquake,

executives continue promoting practical drills and training programs,
confirming the effectiveness of the plans and improving them as needed. [1]

British Petroleum Oil Spill

British Petroleum (BP) has implemented several risk control measures following
the Deepwater Horizon oil spill in 2010, which was one of the largest
environmental disasters in history. As a result of the spill, BP was subject to a
$20.8 billion settlement with the U.S. government and five Gulf states in 2015.
[2]
The company has since strengthened its risk management approach to
prevent similar incidents in the future. [3]

Ad

BP has focused on improving its safety culture, including conducting regular

safety training and drills for employees, investing in advanced technology for
better monitoring and control of drilling operations, and implementing rigorous
safety standards across its global operations. The company has also adopted a
systematic approach to risk assessment and management, which involves
identifying, evaluating, and prioritizing risks and developing tailored risk
control strategies to mitigate potential impacts. [4]

Moreover, BP has increased its efforts to promote transparency and stakeholder

engagement. The company now publishes an annual sustainability report that
provides detailed information on its safety, environmental, and social
performance, as well as its progress in implementing risk control measures. [5]
This openness allows stakeholders to hold the company accountable for its
actions and fosters a culture of continuous improvement in risk management.
 TRADE

Starbucks' Supply Chain

Starbucks, a leading global coffee retailer, has implemented various risk control
measures to manage its supply chain risks. The company sources coffee beans
from multiple regions worldwide, making it vulnerable to fluctuations in supply
and potential disruptions due to weather, political instability, or other
unforeseen events. [6]

To address these risks, Starbucks has adopted a diversified sourcing strategy,

which involves procuring coffee beans from a wide range of suppliers across
different regions. [7] This approach helps the company reduce its reliance on
any single supplier or region, ensuring a steady supply of raw materials and
minimizing the impact of potential disruptions. [8]

Furthermore, Starbucks has established a comprehensive set of Ad

supply chain
standards, known as the Coffee and Farmer Equity (C.A.F.E.) Practices. These
standards cover various aspects of coffee production, including quality,
environmental sustainability, and social responsibility. By working closely with
its suppliers and conducting regular audits, Starbucks can ensure compliance
with these standards, thereby minimizing the risk of reputational damage and
potential supply chain disruptions. [9]

In addition, Starbucks uses advanced supply chain management software to

monitor its global supply chain in real-time, enabling the company to identify
potential risks early and take appropriate action to mitigate them. [10] This
proactive approach to risk control has helped Starbucks maintain its reputation
for high-quality coffee and build a resilient, sustainable supply chain that
supports its continued growth.

How Does Risk Control Differ from Risk Management?

Risk control is a subset of risk management. While risk management is the
overarching process of identifying, assessing, and prioritizing risks to an
organization, risk control focuses specifically on implementing strategies to
TRADE
mitigate or eliminate the identified risks. Risk management typically involves
the development of an overall risk management plan, whereas risk control
addresses the techniques and tactics employed to minimize potential losses
and protect the organization.
Can a Company Eliminate All of Its Risks Through Risk Control?
No, it is not possible to eliminate all risks completely. Risk control aims to
minimize and manage risks, but it cannot remove them entirely. Some risks are
inherent in the business environment or the nature of the industry, while others
may arise from unforeseen circumstances. The goal of risk control is to reduce
the likelihood and potential impact of risks on the organization, helping to build
resilience and maintain stability in the face of uncertainty.

How Can Companies Identify Emerging Risks?

Emerging risks can be challenging to identify, as they often involve novel or
rapidly changing situations. Companies can employ various strategies to detect
and monitor emerging risks, such as:

Keeping up-to-date on industry trends, news, and research to identify

potential risks on the horizon.
Engaging in scenario planning to consider possible future developments and
their implications for the organization.
Utilizing big data analytics and artificial intelligence tools to analyze large
datasets and identify patterns or trends that may signal emerging risks.
Encouraging a culture of open communication and collaboration, enabling
employees to share insights and concerns about potential risks.
Establishing a dedicated risk management team responsible for monitoring
and responding to emerging risks.

How Does Risk Control Relate to Corporate Social

Responsibility?
Risk control and corporate social responsibility (CSR) are interconnected in
several ways. By implementing risk control measures, companies can minimize
potential harm to stakeholders, such as employees, customers, and the
environment. This proactive approach to risk management aligns with the
principles of CSR, which emphasize the importance of ethical and Ad sustainable
business practices. Additionally, effective risk control can help protect a
company's reputation and maintain public trust, which are crucial aspects of
CSR. In short, risk control is an essential component of a comprehensive CSR
strategy, as it helps companies meet their social, environmental, and ethical
obligations while ensuring long-term success and sustainability.

The Bottom Line

Risk control is a critical part of modern business management, enabling
companies to identify, assess, and mitigate potential hazards and threats to
their operations and objectives. By implementing a combination of risk control
techniques, such as avoidance, loss prevention, loss reduction, separation,
duplication, and diversification, businesses can minimize their exposure to risks
and enhance their resilience. Real-world examples, such as British Petroleum's
post-Deepwater Horizon safety measures and Starbucks' supply chain
management strategies, demonstrate the importance and effectiveness of
robust risk control measures. As the business environment continues to evolve,
companies must remain vigilant and adaptive in their risk control efforts to
TRADE
ensure long-term success and sustainability.

ARTICLE SOURCES

Related Terms
Enterprise Risk Management (ERM): What Is It and How It
Works
Enterprise risk management (ERM) is a holistic, top-down approach that assesses how
risks affect an organization and devises plans on how to approach different risks. more

Risk Analysis: Definition, Types, Limitations, and Examples

Risk analysis is the process of assessing the likelihood of an adverse event occurring
within the corporate, government, or environmental sector. more

What Is a Gap Analysis?

Gap analysis is the process that companies use to examine their current performance vs.
their desired, expected performance. more

Internal Audit: What It Is, Different Types, and the 5 Cs

An internal audit checks a company’s internal controls, corporate governance, and
accounting processes. more

Chief Risk Officer Definition, Common Threats Monitored

A chief risk officer (CRO) is an executive who identifies and mitigates events that could
threaten a company. more

What Is Total Quality Management (TQM) and Why Is It

Important?
Total quality management (TQM) aims to hold all parties involved in the production
process as accountable for the overall quality of the final product or service. more

Related Articles
Enterprise Risk BUSINESS ESSENTIALS

Management (ERM) Enterprise Risk Management (ERM): What Is It and

How It Works

Ad

Risk Analysis RISK MANAGEMENT

Risk Analysis: Definition, Types, Limitations, and
Examples
 Businessman BUSINESS

stop domino effect. Risk Management TRADE

Framework (RMF)

BUSINESS ESSENTIALS
Identifying and Managing Business Risks

Gap Analysis FINANCIAL ANALYSIS

What Is a Gap Analysis?

Internal Audit ACCOUNTING

Internal Audit: What It Is, Different Types, and the 5
Cs

TRUSTe
Ad
About Us Terms of Service

Dictionary Editorial Policy

Advertise News

Privacy Policy Contact Us

Careers

Investopedia is part of the Dotdash Meredith publishing family.

Please review our updated Terms of Service.