Control over risk involves the first two elements of risk management defined in paragraph 1.61; that is (i) the capability to make decisions to take on, lay off, or decline a risk-bearing opportunity, together with the actual performance of that decision-making function and (ii) the capability to make decisions on whether and how to respond to the risks associated with the opportunity, together with the actual performance of that decision-making function. It is not necessary for a party to perform the day-to-day mitigation, as described in (iii) in order to have control of the risks. Such day-to-day mitigation may be outsourced, as the example in paragraph 1.63 illustrates. However, where these day-to-day mitigation activities are outsourced, control of the risk would require capability to determine the objectives of the outsourced activities, to decide to hire the provider of the risk mitigation functions, to assess whether the objectives are being adequately met, and, where necessary, to decide to adapt or terminate ...
Read more