For there to be a control, there has to be a risk. If there is a control without a risk then you have to question the reason for the control. Some controls are in place because they have always been there and may no longer have a purpose.
The primary purpose of controls is to reduce risk. Without the control there is a greater likelihood that the risk will occur. In this way control and risk are two sides of the same coin. You cannot look at risk without control, and there is no point looking at controls without risk. With controls you ask “What are we trying to prevent from happening?”
In the formula for control and risk management, the risk must come first and then the control is developed to mitigate this risk. The level of control required is determined by the level of risk. A bank needs to have much tighter security than an admin office because it is at greater risk of being robbed.
If you have controls and you do not know what risk they are preventing, then maybe you should chuck them out.
If you are interested in having a control or risk assessment of your business then contact us at firstname.lastname@example.org.