Common controls in Risk Management

  • Release version: Australia
  • Updated April 28, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Common controls in Risk Management

    In the Risk Management application, linking risks to common controls helps streamline control management across multiple business units (BUs) or shared functions such as IT, HR, and finance. Common controls are centralized controls owned by a specific department but used across different BUs to meet regulatory requirements and manage risks efficiently. For example, a fire sprinkler system can serve as a common control for finance, security, and HR departments.

    Show full answer Show less

    This approach enables organizations to maintain centralized oversight while allowing each BU to benefit from shared controls. Risk owners can link their risks to these common controls, reducing the effort required for attestation and testing across reliant entities.

    Key Features

    • Automatic risk-control associations: When control objectives and risk statements align, and the reliant entity matches the risk entity, the system automatically establishes risk-control links.
    • Inheritance of common controls: Common controls can be inherited in risks, risk assessments, and risk-mitigation tasks when the risk entity is designated as a reliant entity in the common control.
    • Active relationship management: Only active risk-control relationships are maintained; historic links are automatically removed to keep data current.
    • Risk event linkage: Common controls link automatically to risk events when the underlying risk materializes, enabling prompt identification and response if the control fails.
    • Control management in task states: Common controls can be inherited into risk-mitigating tasks that are in Draft or Work In Progress states, supporting early intervention and management.

    Benefits

    • Reduces time and effort by allowing a single common control to be tested and applied across multiple reliant entities.
    • Improves overall control reporting by focusing management on active controls.
    • Facilitates centralized control ownership while enabling risk management at the business unit level.
    • Supports quick response to control failures during risk events, improving risk mitigation effectiveness.

    By linking the risks to a common control in the Risk Management application, you can reduce the time and effort that is needed to manage and apply these centralized controls to your reliant entities. For example, a fire sprinkler system can be a common control for multiple business units (BUs), such as finance, security, and human resources (HR).

    Overview of common controls

    Every organization has multiple (BUs) and shared functions, such as information technology (IT), HR, and finance. These shared functions define the policies and controls that the BUs can use to meet the regulatory requirements or to manage the risks in their BUs. Multiple BUs can use common controls that are owned and managed by a different department or team. This process enables an organization to maintain centralized control over certain processes while each BU can take advantage of these common controls. For more information on common controls, see Common Controls.

    To mitigate the risks in the reliant entities, a risk owner can link their risks to the common controls. By linking the risk, a risk owner can reduce the effort that is required to attest and test these common controls for the reliant entities.

    Benefits of common controls

    A common control has the following benefits:
    • You spend less time and effort to manage a common control because you can test and apply a common control to all your reliant entities.
    • You only need to manage the active controls, so the overall reporting of the controls is improved.

    Common controls in a risk

    If a control objective and risk statement are associated and the reliant entity of the control matches the risk entity, the risk-control association is established automatically. You can also inherit common controls to a risk when the risk entity is marked as a reliant entity in a common control. Any changes to the risk statement and the control's objective relationship can impact the risk-control association as well.

    Note:
    Only active relationships between risks and controls are maintained and any historic relationships are automatically deleted.

    Common controls in a risk assessment

    You can inherit common controls in the risk assessment when the entity is marked as a reliant entity in the common control.

    Common controls in a risk-mitigation task

    You can inherit the common controls to a risk-mitigating task when the entity is marked as a reliant entity in the common control. You can inherit the common controls to a risk-mitigating task when it is in the Draft or Work In Progress state.

    Common controls in a risk event

    A common control is automatically linked to a risk event when the underlying risk has materialized for the risk event. It enables the control owner to identify when the common control fails and to take immediate action if a common control does fail.