Risk Control vs. Risk Management

Instructor: James Blackburn

James has an MBA from Auburn University and a MA in Humanities from Cal State-Dominguez Hills He writes on leadership, business strategy and finance.

In this lesson, we will clarify the difference between risk management and risk control. We will also describe a five step process commonly used in risk management. In addition, we will highlight four basic categories of risk controls.

Pre-historic Risk Management

What came first, risk control or risk management? Built into our DNA is the ability to avoid risk. In prehistoric times, we would avoid locations known to populated by dangerous predator animals. When we did enter these areas, we approached with caution and a hand full of rocks. As the human race matured, we developed rules to help us navigate dangerous environments. Reactions gave way to precautions. As a result, the first risk management plan was created.

Risk Management

Today, risk management is different. It's a planned process designed to identify, mitigate, and evaluate our exposure to risk. Risk control is a stage of risk management. Controls are specific activities undertaken to reduce exposure to risk.

GM Fined

As the graphic on GM illustrates, today's risks most often have financial impacts. In business, management identifies and assesses the risks that can lead to financial loss. Next, they select and implement controls to reduce these risks. Finally, they evaluate the effectiveness of their controls on reducing risks.


The first stage of the risk management process is to identify the risks in the environment. Risks could include fire in a workplace, theft in a retail store, or the failure of a new product in the marketplace. Each of these risks has a different probability of occurrence dependent on the environment. In this step, the organization will identify many risks relevant to the environment.


The next stage of the process is to determine the probability of a negative outcome for each risk. Each organization must rank the risks based on the probability of occurrence and financial impact from high to low. For example, in a manufacturing setting, the risk of fire is moderate. However, the risk of personal injury is much higher. Therefore, the company ranks personal injury higher than fire in their assessment.


Now that the risks have been ordered from high to low, the leaders of the organization identify the types of activities that will be undertaken to reduce the probability of a negative outcome. These activities are called risk controls. The purpose of a risk control is to avoid, prevent, reduce, or transfer the risk.


The next stage of risk management is to implement the controls selected. When implementing a control, it's best to ensure each control is well thought out, structured and communicated to the organization. Control failures can result from a lack of understanding, lack of communication, lack of structure and poor design. Establishing controls using the SMART format is recommended. SMART controls are specific, measurable, attainable, realistic and time-based.


SMART controls are easy to measure. In the final stage of risk management, the organization will evaluate the effectiveness of the controls. An evaluation structure should be designed prior to the implementation of the control. It should also be implemented at the same time as the implementation of the control. Doing so will improve the success rate of the control.

The early stages of the evaluation of the control should focus on its adoption. Since most control failures occur when people fail to understand the control activities or adopt the control, this early evaluation improves the adoption rate. In the later stages of evaluation, the focus should move to the intended outcomes of the goal, risk mitigation. If the control is found to be ineffective, corrective actions should be undertaken, including the replacement of the control. Now, let's look at these controls.

Risk Management

Risk Control

Risk controls are the activities implemented to mitigate risks. Controls can attempt to avoid the risk in its entirety. Or, the control may be designed to prevent the risk from occurring. In many cases, the risk may attempt to reduce the losses associated with an activity. Alternatively, the organization may choose to transfer the risk to another party in part or entirely. Let's explore each of these types of controls in greater detail.


If a company has identified the financial risk caused by personal injury a high probability and a significant financial risk, a company may choose not to manufacturer a product that involves the use of corrosive materials in the manufacturing process. In doing so, they avoid the risk entirely.

To unlock this lesson you must be a Member.
Create your account

Register to view this lesson

Are you a student or a teacher?

Unlock Your Education

See for yourself why 30 million people use

Become a member and start learning now.
Become a Member  Back
What teachers are saying about
Try it risk-free for 30 days

Earning College Credit

Did you know… We have over 160 college courses that prepare you to earn credit by exam that is accepted by over 1,500 colleges and universities. You can test out of the first two years of college and save thousands off your degree. Anyone can earn credit-by-exam regardless of age or education level.

To learn more, visit our Earning Credit Page

Create an account to start this course today
Try it risk-free for 30 days!
Create An Account