Risk control can assist in minimising operational disruptions and increasing workplace productivity. It is one of the last steps of risk management. Risk management involves a business estimating the probability of a risk occurring and the impact this risk could have on the business. Mastering risk management is a challenging task. Businesses need to make a risk versus reward assessment to determine which decisions are worth taking and then conduct a risk assessment to understand how to manage the threats. 

Risk control is implemented to change the impact or likelihood of the risk. It may also slow down the speed to which a threat is progressing. For example, if a financial loss was expected at the end of the year, appropriate risk control measures could be taken to push it to next year and give the company time to prepare. All businesses need effective controls to maximise their growth.

The hierarchy of risk control

Risk control has many stages as every threat is different and needs to be handled carefully. One strategy will not work for all risks so employers need to be creative and have great analytical skills. If a strategy worked in the past, it is not guaranteed that it will continue to remain effective. As time passes, risks develop and change in nature. Even though the type of the risk may remain same, its root cause might change, hence requiring different measures to address it.

The hierarchy of risk control looks at the following:

  • Elimination
  • Substitution
  • Isolation
  • Engineering Controls
  • Administrative controls
  • Personal Protective Equipment


The most preferred risk control is to eliminate the risk completely. Most companies wish to manage risks by ensuring that there is no possibility for them to materialise. The most common way of eliminating a risk is either making a different decision or taking steps to ensure higher risk control. For example, cables could be a health and safety hazard. By moving to cordless equipment, cables around the workplace could be restricted to solely be under the desk so they are not a hazard anymore. Removing the risk from the workplace is not always an option.


If risk elimination is not feasible, then risk substitution is the next best option for risk control. Risk substitution requires managers to find a safer way to complete a project or a task. Solvent-based ink may be replaced with soy-based ink when possible to prevent print head nozzles from being blocked. While risk substitution is used as a safer alternative, the substitute may have its own risks. The team needs to assess whether the advantages of the replacement outweigh the disadvantages.


Risk isolation involves employees being shielded from the risk. The threat is kept away from staff members so as to make the working environment safer. For example, closing off an area can separate workers from the hazard. Risk isolation is sometimes not included in the risk control hierarchy as it is similar to engineering controls.

risk control

Engineering controls

Engineering controls also look at how the hazard can be isolated but involves the creation of tools to make this happen. For example, implementing a spam filter is a tool that businesses use often. The spam filter can isolate emails that can be inspected using a different system so they do not end up in an employee’s inbox, which reduces the chances of cyberattacks. Engineering controls do not completely eliminate the risk, they just reduce the possibility of it impacting the employees and business operations.

To implement successful controls, the business needs to assess the type of exposure it is facing and how employees are vulnerable to the risk. It can then change aspects of machinery, workflow or software that will contribute towards a safer working environment.

For example, automating parts of the organisation’s workflow can reduce the risk of human error. This is one of the main reasons our clients choose Polonious to manage their investigations and risks. Action items for risk treatment are automatically created, along with reminders for reassessments. During many investigations, case reports can be completely automated using data, documents and images added during the investigation process.

Administrative controls

Administrative controls require the employees to be well-informed about potential risks associated with equipment, projects and everyday tasks. Policies and procedures can support employees with their work to reduce their exposure to risks during certain tasks. The use of signs is a common administrative control as it warns employees of potential danger.

Employees need to be trained thoroughly to recognise vulnerabilities and know how to deal with them. This will assist in minimising the impact and likelihood of the risk on their health and well-being. Employees can cooperate with their managers to develop the best strategies possible and then create effective training programs. The training they receive should make it clear what they have to follow to ensure a safer working environment. For example, instructions on how to use equipment can reduce the likelihood of injuries and performing regular maintenance on machinery can prevent any incidents from occurring.

Personal Protective Equipment (PPE)

PPE is the last option for risk control, with regard to physical risks. If the business has tried to eliminate, substitute and isolate risks and none of those have worked then they focus on protecting employees from the hazard. To create or choose the right equipment the business needs to assess carefully what the risk is and to what extent employees are exposed to it. An example could be ear plugs in a very noisy environment to protect an employee’s hearing. Once chosen, employers should ensure that employees know how to use the PPE correctly and that it is suitable for them. They should emphasise the importance of right size equipment and should encourage employees to ask questions if they are concerned about the use of PPE.

In some instances, businesses may require the use of more than one PPE. For example if working with chemicals, employees may need to use protective glasses, gloves and a protective suit. All this equipment should be designed without reducing the effectiveness of the other. PPE should be worn for all tasks found to be a risk to employees. Even if they last for a short period of time.

Advantages of effective risk control

Risk control is essential for all businesses. Risk control can promote growth as business operations are not disrupted and everything is running smoothly. Growth is also realised through efficiency and more informed decision making. By controlling the risks the organisation is facing, workplace safety will increase and injuries or incidents will be prevented. This will then translate to less unnecessary costs for the entity and higher productivity. If employees see that the business cares about them and has strategies in place to protect them, they feel valued and their morale is improved. 

 From a legal perspective, risk control can show that the business has taken every step possible to manage the risk and prevent it from impacting the company and the workers. It can highlight how seriously the organisation takes risk management and if the worst case scenario occurs it will be evident that the business took action to prevent it. The unnecessary costs the business will avoid is not only in the form of employee injuries but law compliance as well. Entities with strong risk control are less likely to pay fines or penalties and less likely to be involved in a lawsuit. 

 Strong risk control is always supported by great communication and regular reviews. Management needs to talk to staff at every stage of the risk management process and ensure they understand what is happening. This will help shape the training of risk control to increase its effectiveness. Monitoring and regular reviews of the risk control measures can enable the business to create a better working environment as current strategies are evaluated. These evaluations may indicate that modifications are necessary to the current strategies or that new measures need to be implemented. They ensure that the business stays up to date with the relevant threats that it is facing and always adapts to the shifting risk environment.

 Note, however, that it’s not possible to eliminate all risks without avoiding an activity entirely, or spending limited resources. It’s important to maintain a priority list of risks and ensure that as many risks as possible are brought within accepted thresholds. e.g. spending all your resources moving a low risk to a minimal/eliminated risk may leave you without resources to reduce a high risk. It’s important to maintain an overall picture of your company’s risks when deciding what controls to put in place and how to spend your resources on any one risk.

Keep in mind

One of the most important parts of risk management  involves reminding employees and the company that it is an ongoing process. There have to be multiple discussions on how risks can be handled and input from staff should be greatly encouraged. Having effective risk management requires the business to look at the information they have and analyse it carefully so it can improve. On top of that, risk control could be enhanced if the managers making the final decisions are experienced and knowledgeable. Greater experience of risk management leads to better decisions as the managers have probably faced something similar in the past and are familiar with the threat. 

 Polonious can assist in your company’s risk control by helping you manage all risks from one place. We can help you link multiple assets to relevant risks and automate certain parts of your processes. Polonious allows those involved in risk management to access their data from anywhere, anytime, whether they are online or offline. Do you want reduced administrative effort and a more efficient process? Get in touch