Compensating Controls, also known as ‘alternative controls, ‘which are temporary measures implemented when specific requirements cannot be met with existing or new mitigating controls. They are associated with the risk directly, providing an alternative way of managing it when the preferred method of mitigation is not feasible, too costly, or impractical. These controls are often in place until the primary control can be implemented, but they must effectively mitigate the identified risk to an acceptable level.
Mitigating controls, on the other hand, are actions intended to significantly reduce the chances of a risk or threat happening, for example, using security products like antivirus, firewalls, and VPNs. Mitigating Controls are part of the risk mitigation plan, which is a strategy or set of strategies for reducing the risk. These address the root cause of the risk and work to decrease the likelihood of the risk happening or reduce its impact should it occur. They are directly associated with the steps taken to reduce the severity of risks as identified in the risk assessment process.
How can this be reflected in ServiceNow?
Compensating controls are measures implemented to address risks identified in the risk register. They are implemented as a direct response to the actual exposures identified. On the other hand, mitigating controls are identified during the risk assessment process and selected when performing the risk mitigation task. When working on the risk mitigation task, the assigned user can choose the appropriate mitigating controls to address the identified risks.
It is important to note that while compensating controls are directly tied to the risk as alternative measures, mitigating controls are broader actions or strategies within the risk mitigation plan to address and reduce the risk. Both play crucial roles in a comprehensive risk management strategy but function at slightly different stages of the risk management process.