Risk Management requires identifying the risks to which you are exposed, and then establishing controls to prevent those risks significant enough to be controlled. But you can’t stop there. You really need to have mitigations in place in case a risk occurs anyway, despite your controls.
“VA’s Watchdog Is Slammed,” Wall Street Journal, June 24, 2014 A3 http://on.wsj.com/T4GRxg. You have an internal watchdog to make sure you learn of operating problems (a control for a risk). But then the watchdog undercuts the reports of wrongdoing. Oops. And what about the impact on the organization’s culture (notwithstanding the watchdog’s career path)?