Risk, Controls & Audits
Understand what a risk really is, how controls reduce it, and why an audit is a friendly check rather than a punishment.
What you'll learn
- Describe a risk in terms of likelihood and impact
- Explain how a control reduces a risk
- Approach an audit calmly and helpfully
“Risk” sounds dramatic, but in everyday work it’s a calm, useful idea: it’s simply something that could go wrong, weighed by how likely it is and how much it would hurt if it did. Every team carries risks, and that’s normal — the goal isn’t to eliminate them all, which is impossible, but to understand them and keep the serious ones in check. Once you can size up a risk and see how a control chips away at it, the whole language of compliance stops feeling abstract. This lesson gives you that practical lens, plus a gentler way to think about audits.
Sizing up a risk
A risk has two dimensions: how likely it is to happen, and how big the impact would be if it did. A handy way to picture this is a simple two-by-two grid — likelihood on one axis, impact on the other. A risk that’s both likely and high-impact sits in the top-right corner and deserves real attention. A risk that’s rare and minor sits in the bottom-left and probably just needs an eye kept on it.
The point of the grid isn’t precision; it’s perspective. Sending one wrong internal email is likely but low-impact. Losing a box of customer records is rarer but high-impact. Treating them the same would waste effort on the first and under-protect the second. The matrix helps you and your team agree on what actually matters.
The top-right cell — likely and high-impact — is where your controls should work hardest.
Controls: how risk gets managed
A control is anything you put in place to make a risk less likely or less damaging. Controls are usually simple and familiar once you name them. A rule that a second person must approve any payment over a certain amount is a control — it lowers the chance of a costly mistake or fraud slipping through. A locked filing cabinet is a control. So is a checklist, an automatic backup, or a system that won’t let you submit a form with missing fields.
Some controls prevent problems before they happen, like that second approval. Others detect problems after the fact, like a monthly review that catches an odd transaction. Good teams use both, because no single control is perfect. When you follow a process that feels slightly tedious, there’s usually a control hiding inside it — and a risk it’s quietly holding back.
A control you skip “to save time” is a risk you’ve quietly accepted on everyone’s behalf. If a control truly is in the way, raise it and have it changed properly — don’t just route around it.
Where audits fit
An audit is simply a check that the controls are really there and really working. An auditor isn’t trying to catch you out; they’re confirming that what’s meant to happen actually happens. They might ask to see records, walk through how you handle a task, or test whether that second approval really takes place. Think of it like a smoke-alarm test — slightly inconvenient, but reassuring once it’s done.
The best way to handle an audit is to be honest and organised. If something isn’t being done perfectly, say so plainly. Auditors deal with imperfection every day; what they can’t work with is a cover-up. A frank “we noticed this gap and here’s our plan” lands far better than a tidy story that doesn’t match reality.
Sort the risks and controls
For each statement below, decide whether it belongs in the Risk bucket or the Control bucket before reading the answer that follows it.
Here's where each one goes:
- Something that could go wrong, weighed by likelihood and impact → Risk — that's the definition of a risk.
- A rule that a second person must approve any payment over a certain amount → Control — it's a preventive control reducing the risk of fraud.
- Probability that a system crashes and costs the business a day of work → Risk — that's likelihood and impact combined.
- A locked filing cabinet keeping records from being stolen → Control — physical security is a simple but effective control.
- The chance that a competitor takes your market share → Risk — unpredictable but high-impact.
- A checklist before shipping to catch defects early → Control — it's a detective control: it doesn't stop defects from being made, it finds the ones that have crept in before they reach customers.
How to use it
Bring this language into ordinary conversations. A few phrases that help:
- “What’s the likelihood here, and how bad would the impact be?”
- “Is there a control for this, or are we just hoping?”
- “Let’s not skip that approval step — it’s there for a reason.”
- “The auditor’s coming; let’s make sure our records match what we actually do.”
Sizing risks by likelihood and impact keeps your team focused on what matters. Treating controls as helpful guardrails rather than red tape keeps the serious risks contained. And meeting an audit with openness turns it from an ordeal into a tune-up. You don’t need to be a specialist — you just need to think clearly about what could go wrong, and respect the small steps that keep it from going wrong.
Quick check
1. A risk is best understood as a mix of…
2. A requirement that a second person approve large payments is an example of a…
3. The best way to handle an audit is to…