APPENDIX D INFORMATION RISK CONTROLS
It is often wrongly assumed that a single control of any kind is sufficient to resolve a risk. In fact, it is frequently the case that more than one control is required, and also of different types. It is conceivable, therefore, that a risk could be reduced by some means, leaving some level of risk that is shared with a third party before the residual risk is accepted. There are three levels of control – strategic, tactical and operational. Figure D.1 illustrates the overall structure of controls.
Strategic controls come in four flavours: