A risk mitigation strategy as it pertains to specific regulatory compliance functions within a financial institution becomes part of the specific risk model. For an ambiguous example, if a financial institution conducts a risk assessment and determines that certain activities over a specific threshold meet a higher classification of risk, then those activities and thresholds become part of the risk mitigation strategy. An internal procedure regarding use of a process, report, or software as part of this risk mitigation strategy becomes a risk control.  

Multiple controls become part of a specific risk model, and also become a primary focus of examiners when testing and validating a financial institution’s adherence to regulations. Risk models contain inherent risks specific to the controls in place that are meant to mitigate risk.