Glossary


Andrew Smart

Detective Controls

Controls designed to identify errors, irregularities, or adverse events that have already occurred. Detective controls help organizations identify when risks have materialized so that corrective action can be taken. Examples include exception reports, reconciliations, physical inventories, and compliance reviews. Within RBPM, detective controls are an important complement to preventive controls, providing a second line of defense in the risk management framework. Effective detective controls enable timely detection of risk events and limit their potential impact on strategic objectives.

Andrew Smart

Decision Rights

The formal allocation of authority to make specific decisions within an organization. Clear decision rights establish who has input to decisions, who makes decisions, and who is accountable for outcomes. In RBPM, decision rights are formalized through the RACI model, clarifying who is Responsible, Accountable, Consulted, and Informed for each strategic objective, key risk, and control. Well-defined decision rights ensure that risk-taking decisions are made at appropriate organizational levels within established appetite boundaries.
