Control is a mechanism whereby one entity provides directive instructions to another entity. The controlling entity dictates exactly what the controlled entity should do.
A driver controls a car. When the driver turns the steering wheel left, the car should move left. When the driver puts their foot on the accelerator, the car should go faster. When the driver hits the
Limits describe the boundary of operation for the limited entity. Provided the limited entity stays within the limits, it is free to operate as it chooses.
A driver's speed is limited by the authorities. In suburban areas, where people are more likely to step into the road, the limits are lower. On motorways/freeways the limits are higher. Near a school or hospital the speed limit is lower still, as there are people who may run into the road in an “irrational” manner. Occasionally someone may breach the limit, such as an ambulance, fire engine or police car on the way to an incident.
Many risk managers confuse controls and limits. Controls require constant active engagement. Limits need to be monitored and may require occasional adjustment.
Using limits instead of controls frees up the IT risk manager's time so that they can focus on managing other risks in the project.
Imagine children running around in a field of corn close to a cliff. Instead of telling the children what to do at every moment, you can draw a line near the edge of the cliff. Only when they cross the line do you intervene. You become the “Catcher in the Rye”.