Difference between "Risk Event" (Advanced Risk) and "Compliance Case Management" (GRC)

莉奈明
Tera Contributor

Hello Community,

I'm trying to understand the core differences between two functionalities within ServiceNow GRC:

・"Risk Event" from Advanced Risk
・"Compliance Case Management" from GRC

From my perspective, while the detailed statuses might differ, the general workflow for both seems similar to incident management: "Create a case (Risk Event/Compliance Case) → Handle tasks at the Investigation/Analysis status → Close." So, I'm looking for a clearer understanding of their primary differences in usage and purpose.


Could anyone tell me how these two features are distinctly leveraged within an organization's GRC framework? For example, when would you specifically use Risk Events versus Compliance Case Management?
Any insights or examples would be greatly appreciated!


Thank you.

2 REPLIES

HenkHeath
Tera Expert

Hello @莉奈明 


Let's assume the Risk & Compliance environments are in place and all is well. Risks are assessed, controls are attested... we have a happy environment.


Entity - Office Building

Authority Document - Government mandated office hours

Citation xxx.xxb - You must have a 24 hour per day Operational presence at the office

Risk Statement - Power Failure

Control Objective - Uninterrupted Power Supply

     - Control Objective - Solar Power

     - Control Objective - Backup Power


We have a low risk, as we have mitigated our municipal power supply interruption risk by adding solar power and a backup diesel generator.


Just because the risk is mitigated does not mean it cannot manifest within the organisation. In the event that we do have a power failure, a risk has materialised -> Risk Event.


We now treat the event and ensure we remediate the situation (quick response) -> Risk Event Response.


Because of the event, we have not kept our regulatory compliance... we are in possible breach of our obligations.

Which control failed to mitigate our risk?

  • Daytime - Solar not operational? Cloudy for the last week? No solar power.
  • At night - Diesel generator did not start up?
  • Fuel was checked (or was it?)
  • Was the fuel dirty so the generator could not start up, even though there was enough fuel in the tank?

We create a Compliance Case to determine if we have breached our obligation, and which one caused the risk to manifest. We also have to determine if we need to report the breach to the Authority.

This is usually a long, drawn-out situation where communication between the company/lawyers and the regulating body could take years.


Risk Event - Record, and remediate quickly to ensure it does not happen again.

Compliance Case - Investigation / explanation to the Authority as to why it happened, who was impacted, what we did to remediate, and how we strengthened our environment so that it does not happen again. Could resolve over a long period.

Hello @HenkHeath 

Thank you for your quick response!
I understand that there are differences in the issues addressed and the management objectives between them.

・Risk Events: These are for recording actual risks such as data breaches and system failures, focusing on corrective actions and prevention of recurrence after an event occurs.
・Compliance Cases: These are for managing violations of regulations and policies, such as security regulation breaches or harassment incidents, aiming to address the compliance risks associated with these violations.

Thank you.