{
  "control_id": "GOV-01.1",
  "risk_if_not_implemented": "Without Steering Committee & Program Oversight, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
  "compensating_control_1": {
    "control_id": "GOV-04",
    "name": "Assigned Security, Compliance & Resilience Responsibilities",
    "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
    "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides named accountability and central coordination that compensates for the absence of Steering Committee & Program Oversight (GOV-01.1) by ensuring that one or more qualified individuals hold the mission and resources to manage, coordinate, develop, implement and maintain the enterprise-wide Security, Compliance & Resilience Program (SCRP) while no steering committee is in place. It does not by itself provide committee-level oversight, so it is an interim measure. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
  },
  "compensating_control_2": {
    "control_id": "RSK-01",
    "name": "Risk Management Program",
    "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
    "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Steering Committee & Program Oversight (GOV-01.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
  }
}