Table 6. Control effectiveness scoring.
Score | Description: the extent to which current controls reduce risk |
--- | --- |
1 | The design, implementation, and operation of controls are efficient. With the risk score reduced to a minimally acceptable level, no more mitigations are necessary to support the achievement of the objectives. All stakeholders agreed on the effectiveness of controls in lowering risk impact and likelihood. Management responsibility is assigned and controls are thoroughly documented. |
2 | Controls are functional and well designed. In light of recent changes to operations, it is important to establish that accountabilities are in existence, understood, and actively handled. All stakeholders have recorded the controls and rated the risk as acceptable, requiring no additional or minimal mitigations. Alternatively, due to the nature of the risk, measures cannot be more effective than adequate. |
3 | Minor weaknesses and improvement possibilities have been identified, and action plans will be put into place. The controls that are already in place don't manage the risk well enough, and there are some actions and procedures that could further lower the risk. |
4 | Current measures are either in the process of being adopted or are ineffective. To further control the risk, new mitigations might be implemented. There is no defined timetable or clear accountability for work completion. |
5 | High-risk exposure if existing measures are insufficient. There is no responsibility assigned for the few controls in place, and the risk score is high or the trend is increasing. To lower the risk to the level that management expects, significant steps are needed. It is necessary to describe existing controls and new mitigations, assign owners, and monitor their application. |
6 | Controls are ineffective or do not function as intended. Stakeholders have determined that the risk score is at an unacceptable level, and new mitigations, procedures, and systems are needed to lessen the effect and probability of the risk. The new mitigations must be documented, implemented, and monitored. Management and the Board may also need to be notified. |
7 | There is no strategy, action plan, or structure in place to control the risk. The organization is immediately exposed to the risk's full impact, and other methods to lessen that impact have not been found. Management and the Board must recognize the effect and provide the risk owners with instructions to reduce the risk to an ALARP level. |