A risk prevention control aims to stop or reduce the likelihood of a risk occurring in the first place, by implementing strategies at the root cause of the activity.

Risk Prevention takes no consideration of the “impact” side of the risk equation; it solely focuses on preventing the likelihood. By preventing risk occurring in the first place, there is less disruption to business activity as the risk is likely to occur fewer times.

For example, computer security software will reduce the likelihood of virus attacks on IT and hopefully prevent this risk from ever occurring. Even if the security software doesn’t prevent all risks (which it is not likely to), the frequency of attacks will be considerably less than previously because of the prevention controls used.

Prevention tends to be the first control method used for most risks because preventing a risk is less disrupting than having to deal with the potential negative outcomes. Once the likelihoods have been reduced, organisations may consider targeting the consequences and outcomes through mitigation methods.