The Problem

Many organizations have risks documented in one place, controls in another, and action items scattered across spreadsheets and project management tools. Without clear links between them, you can't answer basic questions: Which controls address which risks? What actions are in progress to improve our risk posture? Are there risks with no mitigation strategy?

This disconnection leads to duplicated effort, gaps in coverage, and an inability to demonstrate your risk management approach to auditors or leadership. A proper risk-control-action framework connects these elements so you can see—and show—how each risk is being managed.


What You'll Achieve

By the end of this tutorial, you will have a structured approach for linking risks to controls and actions—giving you complete visibility into your mitigation coverage, clear ownership, and the ability to demonstrate how your organization addresses each identified risk.

Prerequisites

Understanding the Relationships

Before linking elements, understand how they relate:

  • Risks are potential events that could negatively impact your organization
  • Controls are ongoing measures that reduce risk likelihood or impact
  • Actions are one-time tasks to implement, improve, or remediate controls

The relationships flow like this:

  • A risk can have multiple controls addressing it
  • A control can address multiple risks
  • An action typically relates to implementing or improving one control
  • Multiple actions may be needed for a single control

Think Many-to-Many

One access control policy might address data breach risk, insider threat risk, and compliance risk simultaneously. Mapping these connections once means you capture the full value of each control.

Step 1: Map Controls to Each Risk

Work through your risk register systematically and identify controls that address each risk. For every risk, ask:

  • What existing controls reduce the likelihood of this risk occurring?
  • What existing controls reduce the impact if this risk materializes?
  • What controls detect this risk if it occurs?

Document each link with:

  • Risk ID/name: Which risk is being addressed
  • Control ID/name: Which control addresses it
  • Relationship type: Does this control reduce likelihood, impact, or both?
  • Control type: Preventive, detective, or corrective

If you're just starting, begin with your highest-rated risks. These need controls most urgently, and the exercise will help you build a process you can apply to lower-priority risks later.

Step 2: Assess Control Effectiveness

Not all controls work equally well. For each risk-control link, assess how effective the control is at addressing that specific risk.

Use a consistent effectiveness scale:

  Rating                 Definition                                                                   Risk Reduction
  ---------------------  ---------------------------------------------------------------------------  --------------
  Highly Effective       Control consistently works as intended; well-designed and properly operated  70-90%
  Moderately Effective   Control generally works but has some limitations                             40-70%
  Partially Effective    Control provides some protection but has significant gaps                    20-40%
  Ineffective            Control exists but doesn't adequately address this risk                      0-20%

When assessing effectiveness, consider:

  • Design adequacy: Is this control actually designed to address this risk?
  • Operating effectiveness: Is the control being followed consistently?
  • Coverage: Does it apply to all relevant scenarios?
  • Evidence: Do audit results or testing confirm it works?

This assessment directly affects your residual risk calculation. Inherent risk minus control effectiveness equals residual risk.

Step 3: Identify Control Gaps

With your risk-control mapping in place, analyze for gaps:

Risks Without Controls

Any risk with no linked controls is either:

  • Accepted (consciously decided to tolerate)
  • A gap that needs addressing

For each uncontrolled risk, document whether it's accepted (and why) or needs controls implemented.

Risks With Inadequate Controls

Look for risks where:

  • All linked controls are rated "Partially Effective" or lower
  • Only one control type exists (e.g., preventive but no detective)
  • Residual risk remains higher than acceptable

Missing Control Types

Effective risk management uses layered controls. For high-priority risks, verify you have:

  • Preventive controls: Stop the risk from occurring
  • Detective controls: Identify when the risk has occurred
  • Corrective controls: Respond and recover if it happens

Don't Over-Control Low Risks

Control investment should be proportional to risk severity. A low-likelihood, low-impact risk may need only one simple control—or may be acceptable without any.
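As an added example (not part of this tutorial), the residual-risk calculation from Step 2 and the gap checks from Step 3 expressed in Python. It assumes that each rating maps to the midpoint of its reduction range, that several controls on one risk combine multiplicatively, and that a high-priority risk is one with an inherent score of 15 or more; the register contents are constructed.

```python
# Added example, not from the tutorial: a small risk-control register that
# derives residual risk from effectiveness ratings and lists control gaps.
# Assumed: a rating maps to the midpoint of its reduction range, and several
# controls on one risk reduce the remaining risk multiplicatively.
from dataclasses import dataclass, field

REDUCTION = {"Highly Effective": 0.80, "Moderately Effective": 0.55,
             "Partially Effective": 0.30, "Ineffective": 0.10}
WEAK = {"Partially Effective", "Ineffective"}
CONTROL_TYPES = {"preventive", "detective", "corrective"}

@dataclass
class Link:             # one risk-control relationship (Steps 1 and 2)
    control_id: str
    control_type: str   # preventive / detective / corrective
    rating: str         # a value from the effectiveness scale

@dataclass
class Risk:
    risk_id: str
    inherent: int           # inherent score, e.g. likelihood x impact (1-25)
    accepted: bool = False  # documented acceptance instead of controls
    links: list = field(default_factory=list)

def residual_risk(risk):
    score = risk.inherent   # each control removes its share of what remains
    for link in risk.links:
        score *= 1 - REDUCTION[link.rating]
    return round(score, 1)

def control_gaps(risk, appetite, high_priority=15):  # Step 3 findings for one risk
    if not risk.links:      # uncontrolled: fine only if acceptance is documented
        return [] if risk.accepted else ["no controls and no documented acceptance"]
    gaps = []
    if all(l.rating in WEAK for l in risk.links):
        gaps.append("all controls rated Partially Effective or lower")
    if risk.inherent >= high_priority:   # high-priority risks need all three layers
        for t in sorted(CONTROL_TYPES - {l.control_type for l in risk.links}):
            gaps.append(f"missing {t} control")
    residual = residual_risk(risk)
    if residual > appetite:
        gaps.append(f"residual {residual} above appetite {appetite}")
    return gaps

# Constructed sample register (IDs and scores are made up for the example)
RISKS = [
    Risk("R1", 20, links=[Link("C1", "preventive", "Highly Effective"),
                          Link("C2", "detective", "Moderately Effective")]),
    Risk("R2", 16, links=[Link("C3", "preventive", "Partially Effective")]),
    Risk("R3", 4, accepted=True),   # accepted, so no gap
    Risk("R4", 9),                  # uncontrolled and undocumented: a gap
]
```

Running `control_gaps(r, appetite=5)` over RISKS flags R2 four times (weak-only controls, two missing layers, residual above appetite) while R3 returns nothing because its acceptance is documented.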

Step 4: Create Actions for Gaps

For each identified gap, create specific actions. Actions are different from controls—they're the tasks needed to implement or improve controls.

Good actions have:

  • Clear description: What specifically needs to be done
  • Owner: Who is responsible for completion
  • Due date: When it should be completed
  • Status: Current progress (not started, in progress, complete)
  • Target control: Which control this action implements or improves

Action Examples

  • Gap: No detective control for unauthorized access
    Action: "Implement logging of access attempts to financial systems and establish weekly review process"
  • Gap: Existing backup control rated "Partially Effective"
    Action: "Test backup restoration process and document recovery time; update procedure based on results"
  • Gap: No preventive control for vendor risk
    Action: "Develop vendor security assessment questionnaire and approval process"

Step 5: Link Actions to Controls and Risks

Create explicit connections between actions, controls, and risks. This enables traceability:

  • From any action, you can see which control it improves and which risks it ultimately addresses
  • From any control, you can see what actions are in progress to implement or improve it
  • From any risk, you can see both existing controls and pending actions

Document these links in whatever system you use. In a spreadsheet, you might use reference columns. In dedicated software, these are typically relationship fields.

For each action, record:

  • Related control: Which control does this implement/improve?
  • Related risk(s): Which risk(s) will this ultimately address?

Step 6: Document the Relationships

Create a clear structure that captures all relationships. Common approaches include:

Risk-Control Matrix

A table with risks as rows and controls as columns. Mark intersections where a control addresses a risk. Include effectiveness ratings in each cell.

Integrated Register

A single register view that shows, for each risk:

  • Risk details and inherent score
  • Linked controls with effectiveness ratings
  • Calculated residual score
  • Open actions related to this risk's controls

Relationship IDs

Assign unique IDs to risks, controls, and actions. Use these IDs to reference relationships across separate tracking sheets or systems.

This documentation becomes valuable when preparing for audits, as it demonstrates clear traceability from risk through control to mitigation action.
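As an added example (not part of this tutorial), the relationship-ID approach from Step 6 held in flat link tables, with the three traceability questions from Step 5 answered by walking those IDs. The risk, control and action IDs, owners and statuses below are constructed for the example.

```python
# Added example, not from the tutorial: relationship IDs kept in flat link
# tables (like reference columns in a spreadsheet) and the Step 5 traceability
# queries answered by walking those links. All records are constructed.
RISK_CONTROL = [          # (risk_id, control_id, effectiveness rating)
    ("R1", "C1", "Highly Effective"),
    ("R1", "C2", "Moderately Effective"),
    ("R2", "C1", "Partially Effective"),   # C1 serves two risks (many-to-many)
]
ACTIONS = {               # action_id -> (target control, owner, status)
    "A1": ("C2", "ops-lead", "in progress"),
    "A2": ("C1", "iam-lead", "complete"),
    "A3": ("C3", "sec-lead", "not started"),  # C3 is linked to no risk yet
}

def controls_for_risk(risk_id):
    return {c: e for r, c, e in RISK_CONTROL if r == risk_id}

def risks_for_control(control_id):
    return sorted(r for r, c, _ in RISK_CONTROL if c == control_id)

def trace_action(action_id):
    """From an action: the control it improves and the risks it ultimately addresses."""
    control, _, status = ACTIONS[action_id]
    return {"control": control, "status": status, "risks": risks_for_control(control)}

def open_actions_for_control(control_id):
    """From a control: actions still in progress to implement or improve it."""
    return sorted(a for a, (c, _, s) in ACTIONS.items()
                  if c == control_id and s != "complete")

def risk_view(risk_id):
    """From a risk: linked controls with ratings plus pending actions on them."""
    controls = controls_for_risk(risk_id)
    pending = sorted(a for c in controls for a in open_actions_for_control(c))
    return {"controls": controls, "open_actions": pending}

def orphan_actions():
    """Actions whose target control is linked to no risk: a broken trace."""
    linked = {c for _, c, _ in RISK_CONTROL}
    return sorted(a for a, (c, _, _) in ACTIONS.items() if c not in linked)
```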

Maintaining the Linkages

Relationships need ongoing maintenance:

When Risks Change

  • New risk identified: Map existing controls, identify gaps, create actions
  • Risk eliminated: Remove linkages (but consider keeping historical record)
  • Risk severity changes: Reassess whether current controls are adequate

When Controls Change

  • New control implemented: Link to all risks it addresses
  • Control modified: Update effectiveness ratings on linked risks
  • Control removed: Assess impact on linked risks' residual scores

When Actions Complete

  • Mark action complete
  • Update related control (e.g., change status from "planned" to "implemented")
  • Reassess control effectiveness
  • Recalculate residual risk for linked risks

Build this into your regular risk register review cycle to keep relationships current.

Common Mistakes to Avoid

  • Linking controls that don't actually apply: Don't link a control just because it sounds related. Verify it genuinely reduces this specific risk.
  • Ignoring control effectiveness: A control that exists but doesn't work well offers false comfort. Always assess and document effectiveness.
  • Creating vague actions: "Improve security" isn't actionable. Be specific about what needs to happen.
  • Letting linkages go stale: As risks and controls evolve, relationships change. Review and update regularly.
  • Over-complicating the structure: Start simple. You can add sophistication as your program matures.
  • Not documenting acceptance: If a risk intentionally has no controls, document that decision. Otherwise it looks like a gap.

Outcome Checklist

Before considering the framework complete, verify:

  • Every risk has either linked controls or documented acceptance
  • Each risk-control link includes an effectiveness rating
  • High-priority risks have multiple control types (preventive, detective, corrective)
  • All control gaps have associated actions with owners and due dates
  • Actions link back to both the control they implement and the risk they address
  • A clear documentation structure captures all relationships
  • Review process is defined to keep linkages current