Do your investigations suck? Are you learning about the functionality of critical controls?

Do your investigations suck? Are they exploring the presence and functionality of risk controls?

Check out the Safe AF podcast (just 9 mins of your life 😉), which dives into what investigations explore and ignore – critically, up to 60% of investigations may not evaluate whether risk controls actually functioned as intended.

Spotify: https://open.spotify.com/episode/2uyLNSbLmBti5deKFzB630?si=PUipY6ooRUa7EmBBX0po4g

Apple: https://podcasts.apple.com/us/podcast/ep-7-how-investigations-blind-us-to-control-effectiveness/id1819811788?i=1000715453134

Indeed, across all studied industries (based on surveys), just ~42% of investigations *did* consider how controls functioned.


This research highlighted that while many investigations consider whether expected controls were present prior to/during the incident sequence, fewer consider whether those controls did function, or could ever have functioned, as intended.

Please help share the word, and leave a review/rating on Spotify/Apple.
