Domain 3: Risk Response and Reporting Module 28 of 61

Module 28: Control Design, Selection & Analysis

CRISC Domain 3 — Risk Response and Reporting Section B 10–12 min read
If a control costs more than the risk it addresses, something went wrong in the selection process.

This module focuses on disciplined control decisions.

CRISC expects you to evaluate:

  • Appropriateness
  • Proportionality
  • Cost-benefit alignment
  • Operational feasibility
  • Impact on business objectives

Control design is strategic — not reactive.


What the exam is really testing

When control selection appears, CRISC is asking:

  • Does the control reduce likelihood or impact appropriately?
  • Does it address root cause?
  • Is it aligned with risk appetite?
  • Is it cost-justified?
  • Does it conflict with business objectives?
  • Has residual risk been reassessed?

CRISC prefers structured analysis over technical enthusiasm.


Step 1: Align control to risk

Every control must connect clearly to:

  • A defined risk scenario
  • A known vulnerability
  • A measurable exposure

If the control does not reduce the likelihood or impact of that specific risk, it is misaligned.

Example:

Risk: Unauthorized privileged access
Misaligned control: Backup enhancement
Aligned control: MFA + access review

CRISC often tests misalignment traps.


Step 2: Address root cause

If an issue is recurring:

  • Is it a policy problem?
  • Is it an ownership gap?
  • Is it a monitoring weakness?
  • Is it a design deficiency?

Adding technical controls without fixing governance gaps often fails long-term.

CRISC favors systemic correction.


Step 3: Perform cost-benefit analysis

Controls should be:

  • Economically reasonable
  • Proportionate to risk
  • Sustainable operationally

If mitigation cost exceeds expected loss and residual risk is within tolerance, acceptance may be appropriate.

CRISC frequently tests over-control scenarios.
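As an added illustration (not part of the module), the Step 3 decision rule together with the Step 1 alignment check and the residual-risk reassessment the module insists on, written as a small Python function. The scenario, loss figures, tolerance and control options are constructed assumptions, not CRISC material.

```python
from dataclasses import dataclass

@dataclass
class RiskScenario:
    name: str
    sle: float        # single loss expectancy per event (currency units)
    aro: float        # annualized rate of occurrence
    tolerance: float  # largest annual loss expectancy management accepts

@dataclass
class ControlOption:
    name: str
    annual_cost: float
    likelihood_cut: float  # fraction of ARO the control removes, 0..1
    impact_cut: float      # fraction of SLE the control removes, 0..1

def ale(sle, aro):
    """Annual loss expectancy = SLE x ARO."""
    return sle * aro

def residual_ale(risk, ctl):
    """Reassess exposure with the control in place (never assume it is lower)."""
    return ale(risk.sle * (1 - ctl.impact_cut), risk.aro * (1 - ctl.likelihood_cut))

def evaluate(risk, options):
    """Align, cost-justify and check residual risk, as the module describes."""
    inherent = ale(risk.sle, risk.aro)
    if inherent <= risk.tolerance:  # already within tolerance: acceptance is an option
        return {"decision": "accept", "control": None, "findings": {}}
    findings, justified = {}, []
    for ctl in options:
        if ctl.likelihood_cut == 0 and ctl.impact_cut == 0:  # Step 1 misalignment trap
            findings[ctl.name] = "misaligned: reduces neither likelihood nor impact"
            continue
        residual = residual_ale(risk, ctl)
        reduction = inherent - residual
        if ctl.annual_cost > reduction:  # Step 3 over-control trap
            findings[ctl.name] = "over-control: cost exceeds risk reduction"
        elif residual > risk.tolerance:
            findings[ctl.name] = "insufficient: residual risk still above tolerance"
        else:
            findings[ctl.name] = "justified"
            justified.append((ctl.annual_cost, ctl.name))
    if justified:  # proportionality: the cheapest control that does the job
        return {"decision": "mitigate", "control": min(justified)[1], "findings": findings}
    return {"decision": "seek compensating controls", "control": None, "findings": findings}
```

Run `evaluate` with a risk whose inherent exposure already sits inside tolerance and it returns "accept"; with only misaligned or over-priced options it falls through to compensating-control analysis rather than recommending the most expensive technology.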


Step 4: Consider operational impact

Controls must not:

  • Undermine business objectives
  • Create excessive friction
  • Conflict with strategy
  • Introduce new risk

Example:

Overly restrictive access control that disrupts operations may create productivity risk.

CRISC values balance.


Preventive vs detective tradeoff

Sometimes:

  • A preventive control is too costly
  • A detective + corrective combination may be acceptable

Example:

Instead of full system replacement, implement monitoring and response until modernization is feasible.

CRISC tests realistic governance thinking.


Example scenario (walk through it)

Scenario:
A moderate risk is identified involving unauthorized remote access. Proposed mitigation involves deploying a costly identity platform that exceeds projected loss exposure.

What should be evaluated FIRST?

A. Cost-benefit alignment and alternative controls
B. Risk avoidance
C. Immediate deployment
D. Risk transfer

Correct answer:

A. Cost-benefit alignment and alternative controls

Controls must be proportionate and economically justified.


A tougher one

Repeated access violations occur due to unclear access provisioning procedures. Management proposes implementing advanced monitoring software.

What is the MOST appropriate first action?

A. Deploy monitoring software
B. Transfer risk to vendor
C. Redesign access governance process
D. Increase audit frequency

Correct answer:

C. Redesign access governance process

Root cause is procedural governance weakness — not lack of monitoring.


Control layering

Strong design may include:

  • Preventive control
  • Detective control
  • Corrective capability

Layered defense increases resilience.

But layering must be justified — not redundant.

Redundant controls without risk justification may signal inefficiency.


Compensating controls analysis

When the primary control cannot be implemented:

  • Evaluate whether the compensating control reduces risk sufficiently
  • Document justification
  • Reassess residual risk
  • Monitor effectiveness

CRISC tests whether compensating controls are truly equivalent in risk reduction.


The most common exam mistakes

The biggest exam trap in this topic area: picking the answer with the most impressive-sounding technology. If the question describes a procedural breakdown, a technical control will not fix the root cause. Also remember that residual risk must be reassessed after implementation — not assumed to be lower. CRISC evaluates structured decision-making.


Advanced scenario

A high-cost encryption program is implemented to address a low-impact internal data risk already within tolerance.

What governance principle is MOST relevant?

A. Excessive risk appetite
B. Poor control alignment
C. Weak inherent risk calculation
D. Cost-benefit misalignment

Correct answer:

D. Cost-benefit misalignment

Control cost must be proportionate to risk exposure.


Control effectiveness analysis

After implementation, organizations should evaluate:

  • Design effectiveness
  • Operating effectiveness
  • Impact on residual risk
  • Ongoing monitoring needs
  • Metrics for performance tracking

Without measurement, effectiveness cannot be validated.

CRISC frequently tests scenarios in which residual risk is not reassessed after implementation.


Quick knowledge check

1) The FIRST step in control selection should be:

A. Purchase technology
B. Align control to defined risk scenario
C. Transfer risk
D. Increase monitoring

Answer & reasoning

Correct: B

Control must align directly to the identified risk.


2) If mitigation cost exceeds expected loss and residual risk is within tolerance, the MOST appropriate response may be:

A. Avoid
B. Accept
C. Mitigate anyway
D. Escalate automatically

Answer & reasoning

Correct: B

Acceptance may be appropriate if economically justified.


3) Repeated issues usually indicate:

A. Weak inherent risk
B. Poor threat modeling
C. Excessive tolerance
D. Root cause not addressed

Answer & reasoning

Correct: D

Recurring problems suggest systemic weakness.


Final takeaway

Control design must be:

  • Risk-aligned
  • Root-cause driven
  • Cost-justified
  • Operationally feasible
  • Governance-supported
  • Measured for effectiveness

Strong controls are not always the right controls. On the exam, the best answer is the one that fits the risk — not the one that sounds toughest.

Next: Module 29: Control Implementation