Control Effectiveness and Efficiency

In addition to identifying whether a Control is Preventative, Detective or Corrective, the Simple Risk Model also assesses whether the Control is Effective and Efficient:

  • Effective - Effectiveness measures whether the Control provides an acceptable level of risk mitigation to the organization. A Control may exist (for example, the organization maintains a Policy requirement that all employees must change their password every 30 days), but its value is diminished if it is not properly implemented (few employees are aware of the requirement and there is evidence that passwords are not being changed).
  • Efficient - Efficiency measures the cost of maintaining the Control compared to the potential loss if the Control were to fail. This is a cost/benefit analysis in which Controls are ideally structured to yield a positive return on investment.
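To make the two assessments concrete, here is a small Python model added to this post (it is not part of the Simple Risk Model's own tooling). It scores the password-rotation Policy above twice, once poorly implemented and once widely enforced; the loss figures, the 50% design effectiveness and the compliance rates are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    annual_cost: float            # yearly cost of maintaining the control
    design_effectiveness: float   # share of the expected loss removed when fully implemented (0..1)
    implementation_rate: float    # share of the organization where the control is really in force (0..1)


def residual_loss(expected_loss: float, control: Control) -> float:
    """Loss left after the control; design value is scaled by how widely it is implemented."""
    mitigation = control.design_effectiveness * control.implementation_rate
    return expected_loss * (1.0 - mitigation)


def is_effective(expected_loss: float, control: Control, acceptable_loss: float) -> bool:
    """Effective: the residual risk is within the level the organization accepts."""
    return residual_loss(expected_loss, control) <= acceptable_loss


def return_on_investment(expected_loss: float, control: Control) -> float:
    """Efficient: loss avoided per year weighed against the cost of maintaining the control."""
    avoided = expected_loss - residual_loss(expected_loss, control)
    return (avoided - control.annual_cost) / control.annual_cost


def is_efficient(expected_loss: float, control: Control) -> bool:
    return return_on_investment(expected_loss, control) > 0.0


def assess(expected_loss: float, control: Control, acceptable_loss: float) -> dict:
    return {
        "control": control.name,
        "residual_loss": round(residual_loss(expected_loss, control), 2),
        "roi": round(return_on_investment(expected_loss, control), 2),
        "effective": is_effective(expected_loss, control, acceptable_loss),
        "efficient": is_efficient(expected_loss, control),
    }


# Constructed figures (assumptions, not from the post): an annualized expected loss of
# $100,000 from credential compromise and an acceptable loss of $60,000 per year.
EXPECTED_LOSS = 100_000.0
ACCEPTABLE_LOSS = 60_000.0

# The 30-day password-change Policy with few employees complying ...
POLICY_POORLY_IMPLEMENTED = Control("30-day password rotation (20% compliance)", 5_000.0, 0.5, 0.2)
# ... and the same Policy enforced across most of the organization.
POLICY_WELL_IMPLEMENTED = Control("30-day password rotation (90% compliance)", 5_000.0, 0.5, 0.9)

if __name__ == "__main__":
    for control in (POLICY_POORLY_IMPLEMENTED, POLICY_WELL_IMPLEMENTED):
        print(assess(EXPECTED_LOSS, control, ACCEPTABLE_LOSS))
```

With these inputs the poorly implemented Policy still pays for itself (positive ROI) yet leaves $90,000 of residual loss, so it is Efficient but not Effective; the well-implemented one is both.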