I was at a conference recently where I heard a presenter explaining his risk management strategy. He explained that they assessed risks annually and followed up with monthly and quarterly control assessment and testing.

If This Is Risk Management, What Is Control Management?

My view is that this is not risk management; it’s control management. The only reason this company assessed risks was to associate related controls. Most control management practitioners don’t do that well, if at all. In my view, it’s important to understand the difference.

Here is the basic difference. Risk management seeks primarily to gather information and knowledge about the risk. Control management seeks primarily to gather information and knowledge about the control.

[Image: control vs risk]

There is nothing wrong with control management. It’s an effective and useful strategy in many situations. But risk management is totally different and equally valid.

The tools, technology and skills used by risk managers are entirely different as are the objectives of the two approaches. They are most definitely not the same.

I think it’s useful to make certain we understand and appreciate the difference. Some types of risk are best managed with risk management techniques. Others are susceptible to control management practices.

There are many GRC-related strategies that organizations might adopt. I can think of at least two more, other than risk and control. But it’s not an either/or scenario. Organizations should incorporate the strategies that best protect their investment. Which do you do – manage risk or manage controls – or both?