LR-301h · Module 1

Compensating Controls


Sometimes the ideal control is not feasible — technically impossible, prohibitively expensive, or incompatible with business operations. Compensating controls provide alternative risk reduction when primary controls cannot be implemented. A compensating control addresses the same risk through a different mechanism. If automated bias testing is not feasible for a specific model, manual review of output samples at defined intervals is a compensating control.

  1. Document Why Primary Control Is Infeasible: The compensating control exists because the primary control does not. Document why — technical limitation, cost prohibition, operational conflict. The documentation justifies the alternative approach to auditors and stakeholders. A compensating control without documented justification looks like an inferior substitute rather than a rational alternative.
  2. Demonstrate Equivalent Protection: The compensating control must provide risk reduction equivalent to or approaching the primary control. If the primary control would reduce risk by 80%, the compensating control should achieve at least 60-70%. Document the expected risk reduction for both controls so the comparison is explicit. [RISK]: A compensating control that provides significantly less protection than the primary control may not satisfy audit requirements.
  3. Review for Primary Control Feasibility: Compensating controls should be temporary whenever possible. Revisit the feasibility of the primary control annually. Technical limitations change. Costs decrease. Operational constraints evolve. The compensating control that was necessary last year may be replaceable with the primary control this year.