Common controls in Risk Management

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Common controls in Risk Management

    Common controls in Risk Management allow organizations to streamline the management of risks across multiple business units (BUs) by linking shared controls to risks. This centralization helps reduce the time and effort needed to manage compliance and risk mitigation. For instance, a fire sprinkler system can serve as a common control utilized by various departments such as finance, security, and human resources (HR).

    Show full answer Show less

    Key Features

    • Centralized Control: Organizations can maintain centralized governance over shared functions like IT, HR, and finance, allowing BUs to leverage common controls effectively.
    • Risk Linking: Risk owners can link risks to common controls, simplifying the attestation and testing processes for reliant entities.
    • Automatic Associations: When a control objective and risk statement are linked, the risk-control relationship is established automatically if the reliant entity matches the risk entity.
    • Inherit Controls: Common controls can be inherited in risk assessments, risk-mitigating tasks, and risk events, enhancing reporting and management efficiency.

    Key Outcomes

    By implementing common controls, organizations can expect:

    • Reduced effort in managing controls as they can be applied across multiple entities.
    • Improved reporting through a focus on active controls only.
    • Immediate identification and response to control failures when linked to risk events.

    By linking the risks to a common control in the Risk Management application, you can reduce the time and effort that is needed to manage and apply these centralized controls to your reliant entities. For example, a fire sprinkler system can be a common control for multiple business units (BUs), such as finance, security, and human resources (HR).

    Overview of common controls

    Every organization has multiple (BUs) and shared functions, such as information technology (IT), HR, and finance. These shared functions define the policies and controls that the BUs can use to meet the regulatory requirements or to manage the risks in their BUs. Multiple BUs can use common controls that are owned and managed by a different department or team. This process enables an organization to maintain centralized control over certain processes while each BU can take advantage of these common controls. For more information on common controls, see Common Controls.

    To mitigate the risks in the reliant entities, a risk owner can link their risks to the common controls. By linking the risk, a risk owner can reduce the effort that is required to attest and test these common controls for the reliant entities.

    Benefits of common controls

    A common control has the following benefits:
    • You spend less time and effort to manage a common control because you can test and apply a common control to all your reliant entities.
    • You only need to manage the active controls, so the overall reporting of the controls is improved.

    Common controls in a risk

    If a control objective and risk statement are associated and the reliant entity of the control matches the risk entity, the risk-control association is established automatically. You can also inherit common controls to a risk when the risk entity is marked as a reliant entity in a common control. Any changes to the risk statement and the control's objective relationship can impact the risk-control association as well. The following example shows the inherit common controls option on the risk form:
    Figure 1. Inherit common controls
    Inherit common controls.
    Note:
    Only active relationships between risks and controls are maintained and any historic relationships are automatically deleted.

    Common controls in a risk assessment

    You can inherit common controls in the risk assessment when the entity is marked as a reliant entity in the common control. The following example shows the inherit common controls option on the risk assessment form.
    Figure 2. Inherit common controls in risk assessment
    Inherit common controls in a risk assessment.

    Common controls in a risk-mitigation task

    You can inherit the common controls to a risk-mitigating task when the entity is marked as a reliant entity in the common control. You can inherit the common controls to a risk-mitigating task when it is in the Draft or Work In Progress state. The following example shows the inherit common controls option on the risk-mitigation task form.
    Figure 3. Inherit common controls in risk-mitigation task
    Inherit common controls in risk mitigation.

    Common controls in a risk event

    A common control is automatically linked to a risk event when the underlying risk has materialized for the risk event. It enables the control owner to identify when the common control fails and to take immediate action if a common control does fail. The following example shows the inherit common controls option on the risk event form:
    Figure 4. Common controls in risk event
    Inherit common controls in risk mitigation.