Controls are frequently described as documents that foster change and are most often reflected in policy documents, also referred to as the hierarchy of controls. Having a control model provides the framework for risk mitigation by defining actions or deliverables that can be implemented to mitigate a risk. Figure 2 illustrates an example set of hierarchy of controls.