Risk Mitigation and Control Implementation

Action Summary

Management should implement a control environment consistent with its risk assessment. Sound IT operations controls are grounded in policies, standards, and procedures that provide for:

  • Environmental controls;
  • Preventive maintenance;
  • Physical security;
  • Logical security;
  • Personnel controls;
  • Change management;
  • Information controls;
  • User support/help desk;
  • Controls over job scheduling, output, and negotiable instruments; and
  • Event management.
Risk mitigation involves creating a sound control environment that reduces internal and external threats to the institution's tolerance level and establishes a structured environment for IT operations. Examples of controls include policies and procedures related to personnel and operations, segregation of duties and dual controls, data entry controls, quality assurance programs, industry certification, and operating thresholds and parameters. While not a control, insurance can be an effective risk mitigation tool. Management should balance controls against business operations requirements, cost, efficiency, and effectiveness.
