(1) The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management or legal nature. Adapted from: FFIEC IT Examination Handbook, Information Security. 2021. https://ithandbook.ffiec.gov/glossary.aspx
(2) Controls may prevent a risk from occurring, detect that a risk has occurred or limit the negative impact of a risk once it has occurred.