All types of organizations are at risk. Your supplier is not present, your machine fails, a cyber attack compromises it, or your market turns on a dime. These events are not unusual in any way — it’s only the resilient organizations that are prepared for them that stand out. That preparation can be distilled down to one main subject:
Risk control measures – the action, systems and protection that an organization puts in place to reduce the risk and/or risk impact of identified risks. They’re involved in the action side of the risk management process and they make an assessment that’s on paper a protection on the ground. Even if they can be found, the most thorough risk analysis is theoretical.

This guide provides an explanation of the concept of risk control measures, the rationale behind implementing them and how other organizations have implemented them and what to look for in your organization. The ideas outlined in this article can be put to use in the following roles: manufacturing plant manager, financial portfolio manager, and growing start-up.
What are Risk Control Measures?
Risk Control Measures are intentional actions to control risk once identified and assessed. They are not the same as risk identification and risk assessment which are aimed at finding and assessing threats. Control measures are about action – either physically or procedurally, reducing exposure to those threats.
It’s important to remember that risk assessment provides information about the location of the risk and the potential size of the risk. The risk control measures tell you what you will do about it. This is important because many organizations are spending more money on assessment and reporting but not as much money on the measures that will actually prevent harm from happening.
Control measures are used in almost all business processes such as:
- Health and safety at work.
- Financial and credit risk
- Data security and cyber safety.
- Supply chain and vendor management.
- Delivering the project and scheduling.
- Adhere to legal and regulatory requirements.
- The risks to the environment and reputation.
The specific tools vary by industry and the rationale behind each one is the same: understand the risk, select the right control strategy, apply the control the right way, and check the effectiveness of the control.
The Hierarchy of Risk Control Measures
An often-used approach to structuring control measures is found in occupational health and safety (OHS) standards, such as ISO 45001, and agency guidance like OSHA and Safe Work Australia. This is sometimes referred to as the hierarchy of controls, with the most effective control measures listed first.
1. Elimination
Elimination will eliminate the hazard altogether. If a task must be done at height and involves a fall risk, then redesigning the process so that no one is working at height, will remove the fall risk entirely. There is no risk left to fail — it is the most effective control method.
At the business level, elimination could be the choice to de-emphasize a high-risk product line, to stop doing business with an unreliable supplier, or to eliminate a human-based process that is prone to error.
2. Substitution
Substitution involves replacing a dangerous process, material or activity with a less hazardous one. A manufacturing plant might substitute a toxic solvent with a non-toxic cleaning agent. A finance team could instead replace a more volatile investment with one that is more stable while delivering returns within the desired range.
Substitution does not eliminate the risk completely, but does significantly lessen the likelihood/harm of it occurring.
3. Engineering Controls
Engineering controls are physical separation of persons from a hazard or a change in a system to decrease risk. This can involve machine guards, ventilation, automatic valve shut-off, firewalls, multiple servers, etc. Relying on human compliance with instructions, they are more reliable than controls that require human compliance to be accurate each time.
4. Administrative Controls
Administrative controls modify the way people work by modifying policies, training, signage, scheduling and procedures. Some of these many examples are: safety training, standard operating procedures, rotation of employees to ensure they are not overworked, and approval processes for high dollar transactions.
While these controls will be important, they are subject to human compliance and are therefore not as reliable as elimination or engineering controls.
5. Personal Protective Equipment (PPE) and Safeguards
At the lowest end of the hierarchy is PPE, which can only be effective if worn properly; and it only becomes effective after all other controls have failed to eliminate exposure. In the business sense, it could be insurance policies or contractual indemnity clauses: very helpful but not an alternative to better upstream controls.
It can help organisations to make the same mistake, namely relying exclusively on administrative controls or those equivalent to PPE at the top of the chain when there are more effective controls further down.
Core Categories of Risk Control Measures
In addition to the hierarchy of controls, risk professionals usually categorize control measures into four general strategic categories. These are applicable to any risk and not just work.

Risk Avoidance
Risk avoidance is to avoid the activity which causes the risk altogether. A company may be unwilling to expand its business into a foreign country that is politically unstable, or it may reject an offer to merge with a company that would expose it to too much risk, or it may refuse to sign a contract that would impose liability requirements it cannot tolerate.
Though avoidance is potent, it has a price – it may be the loss of a possible opportunity and a risk. It is important for organizations to consider whether the benefit of the opportunity outweighs the risk of exposure before playing it safe.
Risk Reduction (Mitigation)
To reduce the risk by either mitigating the likelihood or the consequences of the risk, but without stopping the activity. This is the most prevalent type of control measure since it permits an organization to operate while still controlling exposure.
Examples include:
- Collaborating with other suppliers to minimize reliance on a single supplier.Supply chain diversification: Avoid relying on one supplier.
- System installation within a warehouse.
- While there are several ways to mitigate the likelihood of the breach, using multi-factor authentication is one of them.
- Having staff cross-trained to mitigate the effects of unplanned absences
Risk reduction strategies are typically multi-layered; that is, organizations typically do not depend on a single control, but rather multiple layers of controls work together.
Risk Transfer
Risk transfer is the process of passing the financial or operational risk on to another party. The most common types of transfer are insurance, outsourcing, contractual indemnity, hedging and performance bonds.
Transfer doesn’t make the risk event less likely to happen — it simply shifts the costs of the risk to another party. This is something that makes it helpful in conjunction with other controls which are not meant to replace it. Even if a company is financially protected from the data breach costs, its reputation and operational disruption would still occur if it did nothing to diminish the likelihood of a data breach.
Risk Acceptance
Sometimes the expense of controlling a risk is greater than the risk that it would cause. In other instances, the organization explicitly takes the risk and will keep track of its progress and performance without investing more resources in risk control. Risk acceptance must always be made on purpose and documented; it should never be a “default” if a risk was not thought of.
For a small business, it may be worth it to use the equipment until it wears out in order to avoid replacing working equipment early. A bigger company could be willing to take the lower risks that may be determined through a risk assessment matrix because their likelihood of occurring is low and the impact is low.
How to Choose the Right Risk Control Measures
The type of controls chosen has to be carefully balanced for effectiveness, cost, feasibility, and organizational considerations. Ad hoc decision making is not as effective as a structured approach.
Step 1: Confirm the Risk Assessment Findings
To choose controls, review the risk assessment to find out if the likelihood and severity listed for each risk are still accurate. The level of control should be based on residual risk rather than probability alone, and not only is the likelihood of a given risk event considered, but risk factors that have already been addressed by existing controls.
Step 2: Apply the Hierarchy of Controls First
If possible, use elimination and substitution instead of administrative controls or transfer mechanisms. While this is not always feasible, it minimizes future exposure and can help to keep costs of reoccurring incidents low.
Step 3: Consider Cost-Effectiveness
Not all risks require the most stringent control. When evaluating a cost-benefit comparison, consider the loss reduction that can be expected and the implementation costs. This does not imply that it’s going to be a shortcut, it’s about channeling resources to where they will make the most significant dent in exposure.
Step 4: Layer Multiple Controls
Use of one control measure is one point of failure. Redundancy is achieved with layering controls, such as using engineering controls in addition to administrative controls and insurance. In the event of one control failure, others will be active to minimize the impact.
Step 5: Assign Ownership
All control measures should have an owner, someone who is responsible for its implementation, monitoring and reporting activities. Responsibility that is not clearly defined leads to deterioration of controls over time.
Implementing Risk Control Measures Effectively
Choosing appropriate controls is the easy part. Implementation will determine if those controls are effective.
Build Clear Procedures
All control measures must have a documented procedure which describes how it is effected, who it is effected by and what will trigger a review. If the controls are not documented or are vague, it is hard to audit and easy to overlook.
Train and Communicate
The best engineering controls can’t function if employees are not aware of its use or the importance of it. Training should not only tell the “how” of a control, but why a control is important and effective in driving compliance better than just the “how”.
Integrate Controls Into Daily Operations
Controls that are just in a policy document are seldom implemented. Including them in everyday processes—such as checklists, approval gates, automated system rules, etc.—makes it easier for people to comply than not to.
Monitor and Test Regularly
Processes evolve, staff change, and new risks appear and processes begin to lose their value in controlling risks. The testing process, including audits, drills, penetration testing, financial reconciliations and others, verifies the continued effectiveness of a control.
Useful real-life example: A medium sized logistics company used GPS tracking and route optimization software as an engineering control to lower the risk of vehicle accidents. An internal investigation showed that almost one-third of drivers had turned the tracking app off because of battery drain issues 6 months later. The control was in place but was de facto ineffective. It is a reminder that implementation without follow-up monitoring is an incomplete strategy, as the gap was identified with regular monitoring and before it became a serious incident.
Measuring the Effectiveness of Risk Control Measures
Control measure is not useful if it does not decrease risk. There is a need to measure effectiveness with quantitative and qualitative indicators.

Some quantitative indicators are incident frequency before and after implementation, financial losses avoided, downtime reduction, and pass rates for audits. Qualitative indications involve confidence of staff on the procedures put in place, ease of compliance and feedback from frontline staff who works with the control every day.
Periodic reviews of the effectiveness of the controls should also be conducted to monitor the control. Risk environments change — new laws and ordinances are adopted, technology advances, and new markets are explored. An effective control that worked two years ago may not be effective now.
It is important to point out here that there is no control measure that can eliminate risk completely. Unexpected factors can undermine even elimination level controls and always there is going to be some residual risk. The idea of a good risk mitigation program is not to eliminate risk, it’s to put it to a level that the organization can reasonably accept and manage.
Common Mistakes Organizations Make With Risk Control Measures
There are a number of patterns that emerge when control measures do not yield the desired outcomes across various industries.
Excessive use of administrative controls. Policies and training are the “easy and cheap” options, and can be overused by an organization because they are easy to do. Administrative controls also require a consistent human response which is not always as reliable.
Insurance as a whole solution. Risk transfer is about financial loss, not disruption, damage to reputation or regulatory implications. Insurance is a way to complement, not replace, active risk reduction.
Not updating controls following incidents. Near-miss or minor incident is valuable data. Without a systematic review and adjustment of controls, organisations risk not catching a more serious event occurring again.
No clear ownership. Controls that have no clear owner will dissipate over time as priorities change and institutional knowledge is lost due to turnover.
Ignoring residual risk. Even with good control measures, there’s still some risk. If a residual risk occurs and is not formally documented and monitored by an organization, it can come as a surprise.
Risk Control Measures Across Different Industries: Real Examples
The above controls are generic but vary between sectors.
However, in manufacturing, physical safety controls predominate, such as machine guarding and lockout/tagout procedures, as well as quality control measures that identify defects prior to the delivery to the customer.
It’s important to note that in finance, controls are often focused on internal approval procedures, segregation of duties, credit limits, and automated fraud detection systems that can identify unusual transaction patterns.
Engineering controls in the context of technology or cybersecurity are used in addition to administrative controls such as employee education on security awareness and response procedures for incidents.
Controls normally include a contingency budget, milestone reviews, scope change approvals, and vendor performance clauses in contracts within project management.
The key points are the same, however, in all of the disciplines: recognize exposure, implement the maximum practicable control, add further controls, and continuously monitor.
Building a Risk Control Measures Framework for Your Organization
Some practical tips for organisations developing or improving their strategy to make it a working system:
- Keep an active risk register with identified risk(s) and the person responsible for the control of each risk and what controls are in place.
- Identify controls following the hierarchy of controls and the four strategic categories (avoidance/reduction/transfer/acceptance) in order that gaps can be seen.
- Schedule review cycles, quarterly for high-risk risks and annual for lower-risk risks, to ensure that controls continue to be effective.
- Explicitly show residual risk, even if controls are thought to mitigate risk to zero.
- Include frontline employees in control design – the people who work with a process are often the ones who know and see the gaps that could be controlled but may not be apparent to leadership.
This structure does not have to be complicated and should not be created to be complicated. A simple spreadsheet risk register, properly maintained and reviewed, beats a sophisticated system that languishes after being installed.
Conclusion
Effective risk control practices make risk consciousness a real reality. Organizations demonstrate resilience by tackling the hierarchy of controls, implementing avoidance, reduction, transfer or acceptance measures, and continuing to monitor. It’s not about risk elimination, it’s about targeted risk exposure management and the review of controls as situations evolve. First of all, review your existing risk register and ensure that the owner of each control is still clear and identified; if this is not the case then close the gaps before they are expensive.
Frequently Asked Questions
What is the difference between risk control and risk management?
Risk Management is the general term for identifying, assessing, and responding to risk. Risk control measures are the specific actions which are taken once a risk has been identified and evaluated to minimize the likelihood and/or impact of the risk.
What are the four main types of risk control measures?
There are four main options: avoidance, reduction (mitigation), transfer and acceptance. Most organizations use multiple risk management strategies, selecting the most appropriate approach for each risk based on its severity, likelihood, and the cost of mitigation.
Is insurance considered a risk control measure?
Risk control is one type of risk transfer and insurance is a type of risk control. It transfers responsibility for a loss to someone else, but does not make it less likely to happen—it works better in combination with other loss-reduction strategies.
How often should risk control measures be reviewed?
Review frequency is based on Risk Priority. Organizations should review high-impact or rapidly changing risks every quarter, while reviewing lower-priority, stable risks annually. They should also conduct an immediate review after any significant incident to ensure risk controls remain effective.
What is the hierarchy of controls?
The hierarchy of controls is in order of effectiveness: Eliminate the risk, Substitute the risk, Engineering controls, Administrative controls, and PPE. Higher ranking controls are more likely to be effective since the reliability of the control is not dependent upon consistent human behavior.
Can a Risk fully eliminated?
The elimination level controls eliminate a certain hazard, but there is almost always some remaining risk in a complex system. Effective risk programs record, track residual risk, rather than take it for granted fully addressed.
Who should be responsible for implementing risk control measures?
The control measures should be the responsibility of a named and accountable person, and implemented and monitored by them. Ownership will vary depending on the type of risk. It can held by the department head, safety officer, IT security team or finance leader, depending on the risk.
How do small businesses implement risk control measures with limited resources?
Small businesses should begin with low-cost, high impact measures first: for example, establishing procedures, providing basic insurance and training staff before investing in more expensive engineering controls. A simple and regularly updated risk register can help prioritize scarce resources and target the highest risks.