Chapter 11

Controls

Abstract

As risk management professionals, we spend a lot of time and energy developing and evaluating controls. What we tend to do less often is measure their effectiveness. Part of this may be because of the inherent difficulty in establishing real-world testing methods. Another possible challenge is that, as a profession, we do not seem to have taken the time to think deeply about the nature of controls: how they work (and do not work), both independently and in combination with other controls. Most of the time, controls are simply categorized in some high-level manner (e.g., internal controls versus technical controls, or “prevention” versus “compensating” controls).

In this chapter, we will introduce an ...
