Risks and controls documents
A risk is the possibility of an act or event that could adversely impact an organization's business process. Risks are also the basis for designing controls: a control mitigates the potential damage from a risk for a specific business process. For each risk documented for a process, there must be a documented control. Controls provide a safety mechanism to ensure that all risks are addressed by documented responses that mitigate the risks.
Risks and controls documents are generally maintained as a matrix for each business process that links the risks to the business process and describes who, how, and when the controls mitigate risks. The matrix also contains detailed risk characteristics (such as likelihood, impact, and type) as well as control characteristics (such as control objectives, frequency, type, and method). Control documents required for compliance with the Sarbanes-Oxley Act also include...