In the International Organization for Standardization (ISO) vocabulary, risk mitigation is defined by the four Ts: Tolerate, Treat, Transfer, Terminate. Tolerate means accepting the risk as it is. Treat refers to internal controls, aimed at reducing either the likelihood or the impact of a risk (or both); it is the most common form of risk mitigation. Transfer means to move the consequence – or the causes – of a risk to another party, typically an insurer or a third-party supplier. Terminate means to remove risk exposure altogether, when none of the other options is acceptable. This chapter concentrates on the two most common mitigation solutions: internal controls and risk transfers.
There are many different classifications for controls. Given my background in internal audit, I tend to adopt the following simple classification used by the Institute of Internal Auditors (IIA)[1]: preventive, detective, corrective and directive controls.
The aim of preventive controls is obviously to reduce the likelihood of an event happening. The controls are executed before possible events and address their causes. A car seat belt is an example of a preventive control in everyday life, while the segregation of duties, where different people are in charge of initiating, approving and settling a transaction, is probably the most common and effective preventive control for internal fraud.
Detective controls take place during or just after ...