Risk Responses are not Controls
(Risk Assessment)
In the COSO internal control framework, Control Activities are the things management does to be sure its risk responses are working. Look closely and you will see that the risk responses themselves are not part of internal control; they are a management task. To quote from COSO IC (the Internal Control – Integrated Framework), page 58:
Note that there is a distinction between risk assessment, which is part of internal control, and the resulting plans, programs or other actions deemed necessary by management to address the risks. The actions undertaken, as discussed in the prior paragraph (identifying alternative supply sources, expanding product lines, or obtaining more relevant operating reports, or improving training programs) are a key part of the larger management process, but are not an element of the internal control system.
Internal auditors often mistake the response to a risk, which is a management task, for a Control Activity. COSO actually requires two "control" steps for a given risk: first a decision to avoid, share, reduce or accept the risk (the final part of Risk Assessment), then a method by which management knows whether the selected response is actually working (a Control Activity). The response itself sits between the two and is outside internal control. A specific example from page 42 of COSO IC is a disaster recovery plan (DRP). The DRP is a risk response; management's decision to reduce the impact of a disaster is part of the Risk Assessment component; and the testing and other procedures that confirm the DRP is appropriately designed and implemented are Control Activities. In practice this means the existence of a DRP document gives no assurance on its own; only the evidence that it has been exercised (restore tests, failover drills and their results) does.
Even in the COSO ERM framework, which contains a component titled Risk Responses, that component consists of management's decisions to avoid, share, reduce or accept risks. It does not address the actual responses to those risks, because they are not part of internal control.