Risk Control is the decision-making process to accept the existing risk or to reduce the risk to an acceptable level. It is to be decided whether the associated risk is negligible, acceptable or unacceptable.
For unacceptable risks, the mitigation strategy should define the correction, corrective action or preventive action that may be required to reduce the risk to an acceptable level.
Risks considered high (or unacceptable) must be mitigated or reduced to an acceptable level, and as far as reasonably practicable beyond that.
Risk reduction focuses on reducing the probability that harm occurs or on improving the ability to detect harm before it takes effect.
Risk mitigation may not eliminate the probability of harm entirely; it does, however, limit the negative consequences of a particular event.
The risk reduction/mitigation activities can be classed as follows:
- Correction: Action taken to repair, rework, or make an adjustment to the disposition of an existing nonconformity.
- Corrective Action: Action taken to eliminate the causes of an existing nonconformity, defect or other undesirable situation in order to prevent recurrence.
- Preventive Action: Action taken to eliminate the cause of a potential nonconformity, defect or other undesirable situation in order to prevent occurrence.
A cost/benefit analysis may be needed before a decision can be reached on which actions will be taken for risk reduction.
Risk acceptance is a decision to accept the level of risk, i.e., no additional risk control activities are necessary. Risk acceptance requires participation and approval of responsible system owners.