
From risk awareness to risk assurance: Without controls, you’re only telling half the story

Most organisations, including many Drova customers, already log their risks. It’s the entry point: identify what might go wrong, categorise it, assign an owner. It’s a necessary start. But it’s only a start. Because a risk without a control is little more than a worry written down. It tells you what could happen - but not how you’re preventing it, testing it, or proving it’s under control.


That gap matters.


The credibility gap


Our customer data shows an imbalance. Risk is one of the most widely used Drova modules. Controls, by contrast, lag far behind. The result? Boards and regulators see awareness of risk, but not evidence of management.


When the inevitable ‘what are you doing about it?’ comes, too often the answers live in a spreadsheet, an inbox, or the mind of a single team member - who may or may not have left the business.


In today’s regulatory environment, that isn’t enough. The FCA recently fined Barclays £42 million after finding serious failures in its financial crime controls, including weak oversight and poor handling of high-risk transactions. In Australia, Macquarie Bank was fined A$10 million by ASIC for inadequate controls over third-party fee transactions, where advisers and brokers were able to withdraw client funds in bulk without proper monitoring. In both cases, regulators made clear: knowing the risks wasn’t the problem. Failing to prove the controls was.


Risks without controls are inherent risks - the raw exposure before any mitigating actions. Once controls are applied, the risk reduces to a residual risk level.


Controls are the bridge between the two: they show how exposure is reduced, whether it falls within the Board’s stated appetite, and where gaps remain. Strong controls drive residual risk down into tolerance. Weak or untested controls leave exposure above appetite - a red flag for regulators and directors alike.


What happens when risks meet controls


Linking risks to controls inside Drova closes that credibility gap. Suddenly, a risk register is no longer a static list but a living framework. Each risk points to the measures designed to mitigate it, the people responsible for those measures, and the evidence of whether they’re working.


That shift matters in the boardroom, where discussions move from speculation to assurance. It matters in audits, where weeks of preparation collapse into minutes because the evidence trail is already there.


And it matters in compliance, where obligations can be tied directly to the controls that satisfy them.



Why this matters now


Frameworks like CPS230 in Australia, and FCA and PRA regimes across the UK, are explicit: identifying risks is not enough. Organisations must show the controls in place to manage those risks, and prove that those controls are effective. Without that evidence, risk management programs are incomplete, and increasingly, non-compliant.


Which brings us back to the starting point: if risk is the ‘what’, controls are the ‘how’. Using one without the other leaves the story half-told. The direction from regulators is clear: inherent risk must be measured, controls prioritised, and residual risk proven - continuously.


What Boards expect to see


Boards don’t want raw data. They want stories - clear, strategic, and actionable. A risk register full of entries or a spreadsheet of metrics doesn’t cut it. What they’re looking for is an overview of the most significant risks and the controls in place, set firmly in the context of business objectives.


They expect to see whether controls are working, where gaps exist, and how those gaps are being closed. They want forward-looking insight: emerging risks, non-financial risks, trends and incidents that explain performance shifts. And they want it in plain language, with visuals that enable debate rather than bury it in detail.


Above all, Boards want clarity on residual risk. Is it inside appetite? And if not, what’s being done about it? That’s the ‘so what’ that turns risk data into decision-ready intelligence.



The value waiting to be unlocked


The good news is that this isn’t new work. The controls already exist in most organisations. They’re being carried out every day. What’s missing is visibility. By capturing them in Drova and linking them to risks, the work becomes evidence. Assurance grows. Confidence follows.


The Controls module was designed to close this loop. By linking risks to the controls that mitigate them, you can:


  • Show the relationship between risk and treatment, clearly and traceably.

  • Assign ownership, so accountability is built in - not buried in emails.

  • Test control effectiveness in-platform, instead of waiting for auditors to ask.

  • Create evidence trails that stand up in an audit or regulatory review.


For Drova customers already logging risks, the next step is obvious: connect your risks to controls and prove what you’re already doing. For everyone else, make sure your risk register doesn’t stop at awareness.



© 2024 Drova Pty Ltd. All rights reserved.
