Controls

Introduction

Controls (in Dutch, beheersmaatregelen) mitigate risks within your organisation. A control can be preventive, detective, or repressive.

Together with risks and testing, controls form the foundation of your GRC process. They demonstrate that your organisation is actively managing its risks and maintaining control.

This training explains how to:

  • Create controls in CERRIX

  • Link controls to risks

  • Work with control attributes and execution frequency

  • Ensure controls are properly classified and documented


Accessing the Controls Workspace

Navigate to the Controls workspace from the main menu. The workspace provides:

  • A complete list of all controls at the detail level

  • Central oversight of control quality and coverage

  • The ability to create and save custom views with filters and sorting

  • Export functionality to Excel or other formats

The Controls workspace shows all controls belonging to organisations you have access to, along with their types, frequencies, owners, and linked risks.


Filtering and Sorting

The Controls workspace uses the same filtering and configuration system as other CERRIX workspaces.

Applying Filters

Click Advanced configuration to open the filter panel. You can filter on any column, including control type, owner, organisation, or testing status.

Customising the Table

Click Table configuration to show or hide specific columns based on what information you need to see.

Applying Your Configuration

Click Apply configuration to refresh the workspace with your selected filters and table settings.

Saving Presets

Use Preset management to save your configurations:

  • Name your preset descriptively (e.g., "Key Controls - My Department")

  • Click + to save the preset

  • Click X to delete an unwanted preset

  • Set a default preset by selecting it and clicking the star icon

Your default preset will automatically load every time you open the Controls workspace.


Creating a New Control

How to Get There

Open the Controls workspace and click Add new control in the top right corner.

Control Catalogue

Start by selecting the appropriate category in the control catalogue. Like risk catalogues, control catalogues provide standardised control definitions. If subtypes are available, select the most specific option.

Select the organisation responsible for this control. This determines access rights and which risks can be linked to the control.

Naming and Description

Give the control a clear and descriptive name that makes its purpose immediately obvious.

Write a comprehensive description of the control. We recommend using the 5W 1H model:

  • Who – Who performs the control?

  • What – What activities are performed during control execution?

  • Where – Which department or location executes the control?

  • With what – Which systems or documents are used?

  • When – How often is the control executed?

  • What if – What happens if the control fails?

A complete description using this structure eliminates ambiguity and ensures everyone understands exactly what the control entails.

Control Classification

Key control: Tick this box if the control is critical to your risk management. Key controls must be tested and monitored more rigorously.

Requires monitoring: Select this if the control needs active monitoring and periodic testing. Not all controls require formal monitoring – use this designation thoughtfully.

Linking Dimensions

Business dimensions connect the control to specific processes or projects. This improves traceability and helps generate targeted reports.

Framework dimensions link the control to external standards such as ISAE 3402, ISO 27001, or DORA. This is essential for audit and compliance reporting.

Implementation Status

Tick In place if the control is already implemented and operating. Leave this unchecked for controls that are still being designed or rolled out.

Click Save to create the control.


Additional Control Details

After creating the basic control, you can add more detailed attributes that describe how it operates.

Internal Classification

Aspect internal categorises the control according to your organisation's internal control framework. This might align with frameworks like COSO or your organisation's specific risk taxonomy.

Control Type

Select whether the control is:

  • Detective – identifies issues after they occur

  • Preventive – stops issues from occurring

  • Repressive – corrects issues that have occurred

Most controls are either detective or preventive. Understanding the control type helps you assess whether your control environment is balanced.

Ownership

The owner field designates who is responsible for the control. This person ensures the control is executed correctly and addresses any issues that arise.

Choose someone with direct operational knowledge of the control and the authority to make changes when needed.

Execution Method

Control execution indicates how the control is performed:

  • Manual – human-performed activities

  • Automated – system-enforced controls

  • Semi-automated – combination of system and human activities

Automated controls are generally more reliable but less flexible. Manual controls require more oversight but can adapt to exceptions.

Execution Frequency

Control frequency records how often the control is executed:

  • Continuous (automated controls)

  • Daily

  • Weekly

  • Monthly

  • Quarterly

  • Annually

  • Ad hoc (event-driven)

Be realistic when setting frequency. Overstating frequency creates unrealistic testing expectations. Understating it may expose your organisation to unnecessary risk.

Optional Information

You can also record:

  • RACI matrix – who is Responsible, Accountable, Consulted, and Informed

  • Cost – the financial or resource cost of operating the control

  • Comments – any additional context or special circumstances

Click Save to record these details.


Linking Risks to Controls

Controls exist to mitigate risks. Linking them together creates a complete picture of how your organisation manages risk.

Accessing Linked Risks

Navigate to the Linked risks tab within the control. This shows which risks the control addresses.

Adding Risks

Click Link panel to open the risk selection interface. You can browse available risks and drag them into the linked risks area.

Link only the risks that this control genuinely mitigates. Over-linking creates false confidence and makes it harder to identify genuine control gaps.

When you've selected the appropriate risks, click Save.


Best Practices

Controls are the backbone of risk management in CERRIX. Poorly described or incorrectly classified controls lead to:

  • Confusion among colleagues

  • Incomplete or inaccurate reports

  • Problems during audits or testing

Follow these practices to ensure your controls are consistent, clear, and complete.

Be Concrete and Complete

Use the 5W 1H structure when writing control descriptions:

  • Who performs the control?

  • What actions are taken?

  • Where is it performed?

  • With what tools or systems?

  • When is it executed?

  • What if something goes wrong?

A complete description eliminates ambiguity and ensures the control can be tested effectively.

Apply Classification Correctly

  • Key control = critical to risk management, must be tested

  • Requires monitoring = needs active oversight and periodic testing

  • Execution method = manual, automated, or semi-automated

Correct classification determines how the control appears in reports and testing schedules.

Set Realistic Frequency

Don't inflate control frequency unnecessarily. If a control is performed monthly, record it as monthly – not weekly. Unrealistic frequencies create impossible testing burdens.

At the same time, don't understate frequency if the control genuinely runs more often. The frequency should reflect reality.

Assign Clear Ownership

Every control must have a designated owner – a person or department responsible for its execution. Without clear ownership, controls become neglected and ineffective.

Link Controls to Risks

A control that isn't linked to any risk has no clear purpose. Link controls to the risks they mitigate to create traceability and demonstrate the value of your control environment.

Use Business and Framework Dimensions

These connections make controls more useful in dashboards and external reports. Framework dimensions are particularly important for audit and compliance purposes (e.g., ISAE 3402, DORA, BIO).
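The best practices above can be checked mechanically against an export of the Controls workspace. The following is an added example written for this page, not code from CERRIX or this training; the export columns, the semicolon separator and the sample rows are constructed assumptions, so adjust the column names to match your own export.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Controls workspace export (not real CERRIX output);
# the column names are assumptions about the export format.
SAMPLE_EXPORT = """\
name;owner;control_type;execution;frequency;key_control;requires_monitoring;linked_risks
Quarterly access review;Jane Doe;Detective;Manual;Quarterly;yes;yes;R-12|R-15
Firewall rule change approval;;Preventive;Manual;Ad hoc;no;no;R-03
Backup job success check;Ops team;Detective;Automated;Continuous;yes;no;
Badge-only entry to server room;Facilities;Preventive;Manual;Continuous;no;no;R-07
"""


def load_controls(text):
    """Parse the semicolon-separated export; linked_risks becomes a list of risk ids."""
    rows = list(csv.DictReader(io.StringIO(text), delimiter=";"))
    for row in rows:
        row["linked_risks"] = [r for r in row["linked_risks"].split("|") if r]
    return rows


def check_control(ctl):
    """Apply the best-practice rules from this page to one control; return the findings."""
    findings = []
    if not ctl["owner"].strip():
        findings.append("no owner assigned")
    if not ctl["linked_risks"]:
        findings.append("not linked to any risk")
    if ctl["key_control"] == "yes" and ctl["requires_monitoring"] != "yes":
        findings.append("key control without 'requires monitoring'")
    if ctl["frequency"] == "Continuous" and ctl["execution"] == "Manual":
        findings.append("continuous frequency on a manual control")
    return findings


def review_inventory(text):
    """Return {control name: [findings]} for every control with at least one finding."""
    report = {}
    for ctl in load_controls(text):
        findings = check_control(ctl)
        if findings:
            report[ctl["name"]] = findings
    return report


def type_balance(text):
    """Count controls per type so an unbalanced control environment is visible."""
    return Counter(c["control_type"] for c in load_controls(text))


if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(findings)}")
    print(dict(type_balance(SAMPLE_EXPORT)))
```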


Exercises

Exercise 1: Create a New Control

Create a new control with a complete description using the 5W 1H convention:

  • Who executes the control?

  • What is done during execution?

  • Where is the control performed?

  • With what systems or documents?

  • When is it executed (frequency)?

  • What if the control fails?

Exercise 2: Export Controls

Export all controls to Excel for a specific framework dimension in your organisation.
