IRM ERM M1U4.2 Control effectiveness Flashcards
Cost associated with responding to and/or treating the risk.
So, for threats, at the inherent level of risk, the total risk exposure of the organisation will be extremely high, while the cost of response will be zero. As we invest in controls, the total cost of expected risk exposure will decline (it will probably decline quickly at first, since we will focus our responses on the most serious risks), but at the same time the total cost of all our risk responses will increase.
The theory of diminishing returns from investing in threat responses is compelling, simply because of its logic, and it means that some degree of judgement must be made about the appropriate point at which to stop investing in risk responses and start tolerating the remaining risk exposure.
This cost benefit analysis is part of understanding the control effectiveness. As noted earlier in this unit, we are not trying to manage all risks at any cost. At the same time, we should not be managing all costs at any risk.
Hierarchy of controls (H&S)
From a health and safety perspective, there is a hierarchy of controls. The UK’s Health and Safety Executive (HSE) notes that personal protective equipment (PPE) should be the last resort to protect against risks.
The HSE suggest that elimination (termination or prevention) is the most effective control, with four other types of control below that in hierarchical order of their effectiveness.
Elimination – physically remove the hazard.
Substitution – replace the hazard.
Engineering controls – isolate people from the hazard.
Administrative controls – change the way people work.
PPE – protect the worker with equipment.
The first three types of control do not rely on people behaving correctly around the hazard, so they are less likely to fail and the risk is less likely to materialise.
The Swiss cheese model of control effectiveness (H&S) and its advantages
Another health and safety perspective when considering control effectiveness is the Swiss Cheese Model, created by James Reason in 1991. Although developed to explain accidents, it can be used to consider the effectiveness of any suite of controls.
This model has its advantages and disadvantages, but essentially it holds that every control has weaknesses (or holes) and that you need multiple, independent controls to manage a risk in case one or more of them fail; an incident only occurs when the holes in all the layers line up.
This model also encourages organisations to consider additional or alternative controls. For example, most organisations will have reasonably robust cyber security controls, but some go further and test for holes or weaknesses in those controls by engaging ethical hackers (penetration testers) to try to break through them.
Another example is the physical security of assets, where some organisations employ former thieves to test their security measures.
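The two ideas above, diminishing returns on control spend and the Swiss cheese view of layered controls, can be put into a small numerical model. The following Python example is added here and is not part of the IRM flashcards; the exposure figure, the candidate controls, their costs and their failure probabilities are all constructed sample data. It treats each control as an independent layer (the residual probability that a threat gets through is the product of the layers' failure probabilities), adds controls greedily while each one still reduces expected loss by more than it costs, and then shows the caveat that a common-cause failure (the holes lining up) erodes the benefit of layering.

```python
"""Added worked example: layered controls, diminishing returns and the stopping point.

Model assumptions (constructed for illustration, not from the flashcards):
- One threat with an annual expected loss of EXPOSURE if nothing is done.
- Each control costs `cost` per year and fails to stop the threat with
  probability `p_fail`; controls are independent layers, so the probability
  the threat gets through every chosen layer is the product of their p_fail.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Control:
    name: str
    cost: float    # annual cost of running the control
    p_fail: float  # probability the control fails to stop the threat


# Constructed sample data (hypothetical figures).
EXPOSURE = 1_000_000.0
CANDIDATES = [
    Control("mfa", 20_000, 0.10),
    Control("patching", 50_000, 0.30),
    Control("edr", 80_000, 0.25),
    Control("awareness training", 30_000, 0.70),
    Control("insider programme", 120_000, 0.80),
]


def residual_loss(exposure, chosen):
    """Expected loss that still gets through all chosen (independent) layers."""
    return exposure * prod(c.p_fail for c in chosen)


def total_cost(exposure, chosen):
    """Cost of expected residual exposure plus the cost of the controls themselves."""
    return residual_loss(exposure, chosen) + sum(c.cost for c in chosen)


def greedy_plan(exposure, candidates):
    """Add one control at a time, always the one that lowers total cost the most.

    Stops when no remaining control reduces total cost, i.e. when the marginal
    cost of the next control exceeds the marginal reduction in expected loss.
    Returns the chosen controls and the total-cost history after each step.
    """
    chosen, remaining = [], list(candidates)
    history = [((), total_cost(exposure, chosen))]
    while remaining:
        current = total_cost(exposure, chosen)
        best = min(remaining, key=lambda c: total_cost(exposure, chosen + [c]))
        if total_cost(exposure, chosen + [best]) >= current:
            break  # further spend would cost more than the risk it removes
        chosen.append(best)
        remaining.remove(best)
        history.append((tuple(c.name for c in chosen), total_cost(exposure, chosen)))
    return chosen, history


def residual_loss_common_cause(exposure, chosen, p_common):
    """Swiss cheese caveat: with probability p_common every layer fails together
    (e.g. a shared dependency compromised), so the layers are no longer independent."""
    p_through = p_common + (1.0 - p_common) * prod(c.p_fail for c in chosen)
    return exposure * p_through


if __name__ == "__main__":
    chosen, history = greedy_plan(EXPOSURE, CANDIDATES)
    for names, cost in history:
        print(f"{list(names)!s:<28} total cost {cost:>12,.0f}")
    print("residual (independent layers):",
          f"{residual_loss(EXPOSURE, chosen):,.0f}")
    print("residual (5% common-cause failure):",
          f"{residual_loss_common_cause(EXPOSURE, chosen, 0.05):,.0f}")
```

With the sample figures the first control removes most of the exposure, the second removes a little more than it costs, and the third would cost more than the risk it eliminates, so the plan stops at two layers. The common-cause function shows why the "independent layers" assumption needs checking: a 5% chance that the holes line up more than doubles the residual loss of the same two controls.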