Risk controls are the bridge between identifying a risk and actually reducing it. Understanding the three types of controls—preventive, detective, and corrective—helps you build comprehensive protection for your organization.

What Are Risk Controls?

Risk controls are the policies, procedures, tools, and activities that organizations implement to manage risks. They work by either reducing the likelihood of a risk occurring, minimizing its impact if it does occur, or both.

There are three fundamental categories of controls:

  • Preventive controls — Stop risks before they happen
  • Detective controls — Identify risks when they occur
  • Corrective controls — Fix issues after they're detected

Understanding these categories helps you build a comprehensive control framework that addresses risks at every stage—before, during, and after incidents occur.

Preventive Controls: Stop Risks Before They Happen

Preventive controls are proactive measures designed to prevent undesirable events from occurring in the first place. They're your first line of defense—the locks on your doors, the guardrails on your processes.

These controls are generally the most cost-effective because they avoid the costs associated with incidents altogether. However, they require investment upfront and can sometimes impede operational efficiency.

Examples of Preventive Controls

Access Controls
  • Password requirements and multi-factor authentication
  • Role-based access restrictions
  • Biometric authentication for sensitive areas
  • Network segmentation and firewalls
Process Controls
  • Segregation of duties (different people approve and process payments)
  • Approval workflows for high-value transactions
  • Pre-employment background checks
  • Mandatory training before system access
Technical Controls
  • Input validation to prevent invalid data entry
  • Encryption of data at rest and in transit
  • Automated backup systems
  • System hardening and patching

When to Prioritize Preventive Controls

Preventive controls should be prioritized when:

  • The potential impact of the risk is severe or irreversible
  • Recovery after an incident would be costly or time-consuming
  • Regulatory requirements mandate specific preventive measures
  • The cost of prevention is significantly less than the cost of recovery

Detective Controls: Identify Risks When They Occur

Detective controls identify undesirable events during or after they occur. They don't prevent incidents, but they ensure you know about them quickly so you can respond.

Detective controls are essential because no preventive control is 100% effective. They're your early warning system—catching what slips through your preventive measures.

Examples of Detective Controls

Monitoring & Logging
  • System audit logs and activity tracking
  • Security information and event management (SIEM)
  • Intrusion detection systems
  • Transaction monitoring for anomalies
Review Processes
  • Internal audits and assessments
  • Management reviews and sign-offs
  • Bank reconciliations
  • Inventory counts and verification
Automated Detection
  • Exception reports for out-of-policy transactions
  • Threshold alerts for unusual activity
  • Data quality checks and validation rules
  • Automated compliance scanning

Key Metrics for Detective Controls

The effectiveness of detective controls depends on:

  • Detection time — How quickly are issues identified?
  • False positive rate — How often are non-issues flagged?
  • Coverage — What percentage of activity is monitored?
  • Accuracy — How reliably are real issues detected?
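The metrics above become concrete when a detective control is scored against known ground truth. As an added example (not code from the original article), the following implements a "failed login alerts" rule of the kind listed in the comparison table and evaluates it for detection time, false positive rate and accuracy; the log lines, user names, threshold and incident ground truth are all constructed for illustration.

```python
from datetime import datetime, timedelta
# Constructed sample authentication log (not from any real system): time, user, result.
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice FAIL
2024-05-01T09:00:03 alice FAIL
2024-05-01T09:00:05 alice FAIL
2024-05-01T09:00:07 alice FAIL
2024-05-01T09:00:09 alice FAIL
2024-05-01T09:03:00 dave FAIL
2024-05-01T09:03:10 dave FAIL
2024-05-01T09:03:20 dave FAIL
2024-05-01T09:03:30 dave FAIL
2024-05-01T09:03:40 dave FAIL
2024-05-01T09:05:00 carol FAIL
2024-05-01T09:05:20 carol FAIL
2024-05-01T09:05:40 carol FAIL
2024-05-01T09:06:00 carol FAIL
2024-05-01T09:06:20 carol FAIL
"""
# Constructed ground truth: alice and carol are real incidents (start times); dave mistyped a password.
INCIDENTS = {"alice": datetime(2024, 5, 1, 9, 0, 1), "carol": datetime(2024, 5, 1, 9, 5, 0)}

def parse(log):
    """Yield (timestamp, user, result) from the whitespace-separated log lines."""
    for line in log.splitlines():
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result

def failed_login_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Detective control: one alert per user the first time they reach `threshold`
    failed logins inside a sliding `window`. Returns {user: alert time}."""
    alerts, recent = {}, {}
    for ts, user, result in events:
        if result != "FAIL":
            continue
        # keep only this user's failures that fall inside the window ending now
        recent[user] = q = [t for t in recent.get(user, []) if ts - t <= window] + [ts]
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts

def score(alerts, incidents):
    hits = [u for u in incidents if u in alerts]
    noise = [u for u in alerts if u not in incidents]
    delays = [(alerts[u] - incidents[u]).total_seconds() for u in hits]
    return {
        "accuracy": len(hits) / len(incidents),                  # share of real incidents caught
        "false_positive_rate": len(noise) / max(len(alerts), 1),  # share of alerts that were noise
        "mean_detection_seconds": sum(delays) / len(delays) if delays else None,
    }
```

With the default threshold the rule catches alice in 8 seconds, flags dave as noise and misses carol, whose attempts are spread wider than the window; lowering the threshold to 4 catches carol but raises the false positive share, which is exactly the trade-off these metrics are meant to expose.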

Corrective Controls: Fix Issues After Detection

Corrective controls remediate issues after they've been detected. They restore systems to normal operation, fix vulnerabilities, and prevent recurrence.

While corrective controls are reactive, they're essential for limiting damage and ensuring your organization can recover from incidents. They're also important for learning from failures and strengthening your control environment.

Examples of Corrective Controls

Incident Response
  • Incident response plans and playbooks
  • Emergency response procedures
  • Communication and escalation protocols
  • Crisis management teams
Recovery Procedures
  • Backup restoration processes
  • Business continuity plans
  • Disaster recovery procedures
  • System rebuild protocols
Remediation Actions
  • Security patches and updates
  • Process corrections and improvements
  • Disciplinary actions
  • Root cause analysis and lessons learned

The Recovery Time Objective

A critical metric for corrective controls is the Recovery Time Objective (RTO)—how quickly you can restore normal operations. Your RTOs should align with your business requirements and risk appetite.

Control Type Comparison

Here's a side-by-side comparison of the three control types:

Aspect        | Preventive                | Detective                             | Corrective
--------------|---------------------------|---------------------------------------|--------------------------
Timing        | Before incident           | During/after incident                 | After detection
Purpose       | Stop risks from occurring | Identify when risks occur             | Fix and recover
Cost profile  | Higher upfront cost       | Ongoing monitoring cost               | Incident-driven cost
Effectiveness | Avoids damage entirely    | Limits damage through early detection | Minimizes damage duration
Example       | Password policy           | Failed login alerts                   | Account lockout reset

Building a Balanced Control Framework

Effective risk management requires a balanced mix of all three control types. This creates defense in depth—multiple layers of protection that work together.

The Swiss Cheese Model

Think of controls like slices of Swiss cheese. Each slice has holes (weaknesses), but when you layer multiple slices together, the holes don't align—creating effective protection.

  • Layer 1: Preventive controls block most threats
  • Layer 2: Detective controls catch what gets through
  • Layer 3: Corrective controls limit damage and enable recovery

Balancing Cost and Effectiveness

The right balance depends on several factors:

  • Risk severity — High-impact risks warrant stronger preventive controls
  • Cost considerations — Prevention is usually cheaper than remediation
  • Operational impact — Overly restrictive preventive controls can impede work
  • Regulatory requirements — Some controls may be mandated

The 80/20 Rule

Many organizations find that focusing on the top 20% of risks with strong controls addresses 80% of their risk exposure. Prioritize controls based on risk scoring.

Compensating Controls

Sometimes the ideal control isn't feasible. Compensating controls are alternatives that provide similar risk reduction when the primary control can't be implemented.

Example: In a small team, segregation of duties (preventive) may not be possible. Enhanced monitoring and supervisory review (detective) can serve as compensating controls.

Measuring Control Effectiveness

Controls need to be tested and monitored to ensure they work as intended. The gap between inherent and residual risk reflects your control effectiveness.

Control Assessment Methods

  • Design effectiveness — Is the control properly designed to address the risk?
  • Operating effectiveness — Is the control actually working as designed?
  • Testing frequency — How often is the control validated?
  • Maturity level — How established and consistent is the control?

Common Control Weaknesses

Watch for these signs that controls aren't effective:

  • Controls exist on paper but aren't followed in practice
  • Manual controls without evidence of execution
  • Controls that can be easily bypassed
  • Over-reliance on a single control without backup
  • Controls that haven't been updated as risks evolved

Key Takeaways

Summary

  • The three types of risk controls are preventive (before), detective (during/after), and corrective (recovery)
  • Preventive controls stop risks but require upfront investment
  • Detective controls catch what preventive controls miss
  • Corrective controls limit damage and enable recovery
  • Defense in depth requires a balanced mix of all three types
  • Regularly test and monitor controls to ensure effectiveness

Frequently Asked Questions

What are the 3 main types of risk controls?

The 3 main types are: 1) Preventive controls that stop risks before they occur (e.g., access controls, approvals), 2) Detective controls that identify risks when they happen (e.g., audits, monitoring), and 3) Corrective controls that fix issues after detection (e.g., incident response, backup restoration).

Why do organizations need all three types of controls?

No single control type is 100% effective. Preventive controls may fail, so detective controls catch what gets through. Corrective controls ensure recovery when incidents occur. This layered approach creates defense in depth and comprehensive protection.

What is an example of a preventive control?

Examples include password requirements, segregation of duties, approval workflows, input validation, access restrictions, pre-employment background checks, and firewall rules. These controls aim to stop risks before they materialize.

What is the difference between detective and corrective controls?

Detective controls identify issues when they occur (e.g., audit logs, intrusion detection, exception reports), while corrective controls fix issues after detection (e.g., backup restoration, incident response, system patches). Detective finds the problem; corrective solves it.

How do you balance preventive and detective controls?

Balance depends on risk appetite and cost. Preventive controls are generally more cost-effective but can impede operations. Detective controls are less intrusive but allow incidents to occur. High-impact risks warrant strong preventive controls; lower-impact risks may rely more on detection.

What are compensating controls?

Compensating controls are alternative controls implemented when the ideal control isn't feasible. For example, if segregation of duties isn't possible in a small team, enhanced monitoring and supervisory review serve as compensating controls.