Material Risk Management

Critical Control Management

CGR is ISO 27001 (Information Security) certified and Cyber Essentials certified.

Material Risk Management and Critical Control Management

Material Risk Management and Critical Control Management are two pivotal components in ensuring organisational safety and operational efficiency, yet they serve distinct functions within a risk framework.

Material Risk Management is a proactive process focused on identifying, analysing, and mitigating risks that have the potential to impact an organisation severely. This involves a comprehensive assessment of potential scenarios, often referred to as Material Unwanted Events (MUEs), which could significantly disrupt business operations or cause harm.

In contrast, Critical Control Management (CCM) zeroes in on the specific mechanisms, or controls, put in place to manage these identified risks. CCM emphasises implementing, monitoring, and reviewing these controls to ensure they are effective and meet performance expectations. It’s about ensuring that the right controls are in place and that they work as intended to mitigate the identified risks.

In essence, while Material Risk Management strategizes the risk management framework, CCM operationalises it, and our software is the tool that ensures both processes work in harmony for optimal risk mitigation.

About critical control management

Critical Control Management (CCM) is vital for maintaining safety and operational integrity in any organization. It focuses on:

  • Managing Major Risks: Targets the most significant risks to prevent severe impacts.
  • Preventing Catastrophes: Aims to avert events that could cause major harm or disruption.
  • Ensuring Compliance: Meets regulatory requirements, avoiding legal and financial penalties.
  • Maintaining Operational Efficiency: Keeps business processes running smoothly and reliably.
  • Promoting Risk Culture: Encourages a proactive approach to safety and risk awareness among employees.
  • Building Stakeholder Trust: Enhances reputation and confidence among customers, investors, and regulatory bodies.

In essence, CCM is a strategic necessity that safeguards against critical risks, ensuring the sustainability and success of an organization.

A critical control is a specific, actionable measure designed to prevent or mitigate a Material Risk, also sometimes referred to as a Material Unwanted Event (MUE), in the context of risk management.

These controls are essential mechanisms that directly influence the likelihood or impact of a significant risk. They can be physical (like safety barriers), procedural (such as protocols or procedures), or technological (including software systems). The effectiveness of a critical control is measured by how well it maintains its integrity under different conditions and its ability to perform as expected, thereby ensuring the safety and continuity of operations in an organization.

A control becomes ‘critical’ when it directly addresses a significant risk that, if not managed, could lead to a Material Unwanted Event (MUE). What distinguishes a critical control is its capacity to significantly reduce either the likelihood or the impact of a high-risk scenario.

The criticality of a control is determined by its indispensability in preventing a catastrophic outcome and its effectiveness in maintaining safety and operational integrity. It’s not just any measure; it’s a pivotal element in the risk management process, whose failure could result in severe consequences.

Here are a few questions that you can ask about a control in order to gain clarity towards its criticality:

Risk Relevance: Does this control directly address a specific, high-severity risk (Material Risk or Material Unwanted Event)?

Impact on Risk: Would the failure or absence of this control significantly increase the risk’s likelihood or severity despite other controls?

Impact on multiple risks: Does the control prevent more than one risk or mitigate more than one consequence?

Uniqueness: Is there any other control that can provide the same level of risk mitigation if this one fails?

  • Acts (Behavioural Controls) involve human behaviours or actions, such as following procedures or engaging in specific practices.
  • Objects (Physical Controls) are tangible tools or equipment used to manage risks.
  • Systems (Systemic Controls) refer to an organised set of procedures or technological solutions.

Highly Effective: These controls are robust and reliable. They work as intended, almost like clockwork, providing strong safeguards against the risks they are designed to mitigate. They align seamlessly with your business operations and effectively manage risks without disrupting workflow.

Moderately Effective: Think of these as your solid performers. They do their job well enough to keep risks at bay, but there might be occasional lapses or areas for improvement. They manage risks to an acceptable degree yet may benefit from periodic reviews and fine-tuning.

Partially Effective: These controls are somewhat hit or miss. They offer some level of protection against risks, but their performance is inconsistent. They’re like partially successful strategies that work under certain conditions but are not wholly reliable across all scenarios.

Ineffective: These are controls that, simply put, don’t cut it. They fail to reduce or manage the risks they are supposed to address. This could be due to design flaws, execution issues, or a mismatch with the risk environment. They require urgent reassessment and likely overhaul.

Not Applicable/Not Tested: This category is for controls that are either irrelevant to your current risk landscape or haven’t been evaluated for effectiveness yet. It’s important to keep them on the radar for future assessment, especially as your business environment and risk profile evolve.

Setting Performance Expectations

Practical Considerations for Setting Performance Expectations for Controls

Once you’ve identified your key risks, their causes, potential consequences, and the controls (including your critical controls), the next step is setting effective performance expectations for your controls. Here are some things that you can consider:

Control Type and Function: Understand the nature of each control (preventive, detective, corrective, etc.) and set expectations based on their specific functions. For example, preventive controls should have expectations related to preventing risk occurrences, while detective controls should focus on the timeliness and accuracy of detecting risks.

Control Effectiveness: Determine how you’ll measure the effectiveness of each control. Will it be through incident reduction rates, response times, or error rates? Choose metrics that directly relate to the control’s purpose.

Baseline Performance Levels: Assess the current performance of your controls. Establishing a baseline allows you to set realistic and achievable improvement goals.

Resource Availability: Consider the resources (budget, personnel, technology) available for implementing and maintaining controls. Ensure your expectations align with these resources.

External and Internal Factors: Be aware of external factors like regulatory changes or industry trends, as well as internal changes in your organization, which might influence control performance.

Stakeholder Input: Gather input from those who implement, monitor, or are affected by these controls. Their insights can highlight practical challenges and opportunities for improvement.

Regular Review and Adjustment: Set regular intervals for reviewing the performance against expectations. Be ready to adjust expectations in light of new information, changes in the risk environment, or control performance.

Documentation and Communication: Clearly document and communicate the performance expectations to all relevant parties. Transparency ensures everyone understands their roles and responsibilities in meeting these expectations.

Common Challenges

When implementing critical control management

Implementing a critical control management process is a complex task that often presents several challenges for organizations. The four most common challenges are:


Integrated Risk, Controls, and Assurance

CGR is a software solution for organisations working towards effectively identifying, analysing, managing, and providing assurance over risk. With a bowtie approach that includes control libraries and the ability to run first- and second-line assurance, CGR Foundation ensures that you can implement critical control management in your organisation.

Control Library

In CGR you will have access to a control library where you can centrally manage all controls in different registers. This allows you to have central performance expectations that are shared with all control owners.


Control assurance

CGR enables you to assess your controls and deliver the necessary level of assurance required for effective critical control management.


In CGR, risks are treated as bowties, and the software provides an easy-to-use, drag-and-drop bowtie view that displays all of your controls alongside the causes and consequences (impacts) you are aiming to mitigate.

Ready to enhance your Critical Control Management?

Contact us today to schedule a demo and see CGR in action.

  • Over a decade of feedback from risk professionals
  • Highly scalable & configurable
  • Enterprise-grade security


Common questions about Critical Control Management

Critical Control Management is a proactive approach to ensuring the effectiveness of essential safety measures within our operations.

CCM is crucial for identifying and addressing potential operational hazards, enhancing overall workplace safety and reliability.

CCM focuses on specific critical controls that, when effectively managed, significantly reduce the likelihood of incidents, distinguishing it from broader safety methodologies.

Absolutely, CCM is designed to complement and enhance your existing operational processes, ensuring a seamless integration.

Yes, CCM not only improves safety but also helps organisations meet regulatory requirements by proactively managing critical controls. CGR can help you monitor CCM for your risk and your compliance needs.