Common controls in Risk Management

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Common controls in Risk Management

    Common controls in the Risk Management application allow organizations to centralize the management of controls that apply across multiple business units (BUs) or shared functions such as IT, HR, and finance. By linking risks to these common controls, risk owners can efficiently apply, test, and attest controls across various reliant entities, reducing duplication of effort and maintaining centralized oversight.

    Show full answer Show less

    Key Features

    • Linking Risks to Common Controls: Risks can be linked to common controls when the reliant entity matches the risk entity, enabling automatic risk-control associations.
    • Inheritance of Common Controls: Common controls can be inherited in risk forms, risk assessments, and risk-mitigation tasks when the entity is marked as a reliant entity in the control. This applies particularly when risk-mitigation tasks are in Draft or Work In Progress states.
    • Automatic Linking in Risk Events: When a risk event occurs, common controls linked to the underlying risk are automatically associated with the risk event, enabling control owners to monitor control failures and take prompt action.
    • Active Relationship Management: Only active relationships between risks and controls are maintained; historic links are automatically removed to keep control reporting accurate and up to date.

    Benefits

    • Efficiency: Reduces time and effort by managing and testing controls once and applying them to multiple reliant entities.
    • Centralized Control: Maintains centralized oversight while allowing BUs to benefit from shared controls, improving compliance and risk mitigation.
    • Improved Reporting: Focusing on active controls enhances the accuracy and relevance of control reporting across the organization.

    By linking the risks to a common control in the Risk Management application, you can reduce the time and effort that is needed to manage and apply these centralized controls to your reliant entities. For example, a fire sprinkler system can be a common control for multiple business units (BUs), such as finance, security, and human resources (HR).

    Overview of common controls

    Every organization has multiple (BUs) and shared functions, such as information technology (IT), HR, and finance. These shared functions define the policies and controls that the BUs can use to meet the regulatory requirements or to manage the risks in their BUs. Multiple BUs can use common controls that are owned and managed by a different department or team. This process enables an organization to maintain centralized control over certain processes while each BU can take advantage of these common controls. For more information on common controls, see Common Controls.

    To mitigate the risks in the reliant entities, a risk owner can link their risks to the common controls. By linking the risk, a risk owner can reduce the effort that is required to attest and test these common controls for the reliant entities.

    Benefits of common controls

    A common control has the following benefits:
    • You spend less time and effort to manage a common control because you can test and apply a common control to all your reliant entities.
    • You only need to manage the active controls, so the overall reporting of the controls is improved.

    Common controls in a risk

    If a control objective and risk statement are associated and the reliant entity of the control matches the risk entity, the risk-control association is established automatically. You can also inherit common controls to a risk when the risk entity is marked as a reliant entity in a common control. Any changes to the risk statement and the control's objective relationship can impact the risk-control association as well. The following example shows the inherit common controls option on the risk form:
    Figure 1. Inherit common controls
    Inherit common controls.
    Note:
    Only active relationships between risks and controls are maintained and any historic relationships are automatically deleted.

    Common controls in a risk assessment

    You can inherit common controls in the risk assessment when the entity is marked as a reliant entity in the common control. The following example shows the inherit common controls option on the risk assessment form.
    Figure 2. Inherit common controls in risk assessment
    Inherit common controls in a risk assessment.

    Common controls in a risk-mitigation task

    You can inherit the common controls to a risk-mitigating task when the entity is marked as a reliant entity in the common control. You can inherit the common controls to a risk-mitigating task when it is in the Draft or Work In Progress state. The following example shows the inherit common controls option on the risk-mitigation task form.
    Figure 3. Inherit common controls in risk-mitigation task
    Inherit common controls in risk mitigation.

    Common controls in a risk event

    A common control is automatically linked to a risk event when the underlying risk has materialized for the risk event. It enables the control owner to identify when the common control fails and to take immediate action if a common control does fail. The following example shows the inherit common controls option on the risk event form:
    Figure 4. Common controls in risk event
    Inherit common controls in risk mitigation.