Common controls in Risk Management

  • Release version: Yokohama
  • Updated January 30, 2025

    By linking the risks to a common control in the Risk Management application, you can reduce the time and effort that is needed to manage and apply these centralized controls to your reliant entities. For example, a fire sprinkler system can be a common control for multiple business units (BUs), such as finance, security, and human resources (HR).

    Overview of common controls

    Every organization has multiple BUs and shared functions, such as information technology (IT), HR, and finance. These shared functions define the policies and controls that the BUs can use to meet regulatory requirements or to manage the risks in their BUs. Multiple BUs can use common controls that are owned and managed by a different department or team. This process enables an organization to maintain centralized control over certain processes while each BU can take advantage of these common controls. For more information on common controls, see Common Controls.

    To mitigate the risks in the reliant entities, a risk owner can link their risks to the common controls. By linking the risk, a risk owner can reduce the effort that is required to attest and test these common controls for the reliant entities.

    Benefits of common controls

    A common control has the following benefits:
    • You spend less time and effort to manage a common control because you can test and apply a common control to all your reliant entities.
    • You only need to manage the active controls, so the overall reporting of the controls is improved.

    Common controls in a risk

    If a control objective and risk statement are associated and the reliant entity of the control matches the risk entity, the risk-control association is established automatically. You can also inherit common controls to a risk when the risk entity is marked as a reliant entity in a common control. Any changes to the risk statement and the control's objective relationship can impact the risk-control association as well. The following example shows the inherit common controls option on the risk form:
    Figure 1. Inherit common controls
    Note: Only active relationships between risks and controls are maintained, and any historic relationships are automatically deleted.

    Common controls in a risk assessment

    You can inherit common controls in the risk assessment when the entity is marked as a reliant entity in the common control. The following example shows the inherit common controls option on the risk assessment form.
    Figure 2. Inherit common controls in risk assessment

    Common controls in a risk-mitigation task

    You can inherit common controls to a risk-mitigating task when the entity is marked as a reliant entity in the common control and the task is in the Draft or Work In Progress state. The following example shows the inherit common controls option on the risk-mitigation task form.
    Figure 3. Inherit common controls in risk-mitigation task

    Common controls in a risk event

    A common control is automatically linked to a risk event when the underlying risk has materialized as that risk event. This link enables the control owner to identify when the common control has failed and to take immediate action on the failure. The following example shows the common controls on the risk event form:
    Figure 4. Common controls in risk event