I have come across an interesting question on linkages between Risk and Control.
Usually we start with risk and identify controls to mitigate the risk. Now imagine a scenario, where you have taken over a new position and the first request that comes to you is listing of risk that a control was supposed to treat/ mitigate.
What will you do? Off course you can do a risk assessment, then identify controls required, do a mapping of identified controls needed vs control listing, put into an excel sheet and come across a list of risk which control is supposed to mitigate.
But that take time. It will be fun to create a list of risk for every control therein listed.
Looks like a case of loss of risk register…