Risk Management - the Swiss Cheese Model (Update)

Risk 02Risk Management - the Swiss Cheese Model

Which is better: One major control that is 95% effective OR 4 minor controls each of which is 60% effective? 

In applying ISO/IEC 27001:2013 to an information security management system (ISMS), one of the requirements in Clause 6.1.3.c) states:

'Compare the controls determined in 6.1.3 b) above with those of Annex A and verify that no necessary controls have been omitted.'

All too frequently, Certification Body Auditors find that this requirement, which is about risk management, results in a one-to-one relationship between applicable threats and a control to address the risk arising.  

While this may be accepted by the Auditor, it is a lousy, poor way to manage risk.  The Swiss Cheese approach is far superior.

The Swiss Cheese Approach

In the fields of both Aviation Safety and Occupational Health & Safety, the Swiss Cheese Model, originally proposed by an Englishman, James Reason, has a long and proven record of effectiveness in managing risk. The model and its application is very well explained in this YouTube Video on Aviation Safety.

In this model, each control to reduce risk is represented as a slice of cheese. The holes in the slice represent weaknesses in individual parts of the system and are continually varying in size and position across the slices.

The system produces failures when a hole in each slice momentarily aligns, permitting (in Reason's words) "a trajectory of accident opportunity", so that a hazard passes through holes in all of the slices, leading to a failure.

Swiss Cheese Model

So, lets consider the question in the subtitle. Having established through risk assessment and evaluation that risk reduction measures (i.e. controls) are required, what approach should we take?

a) One major control that is 95% effective

Here the chance of failure of the control is 5 in 100 (or 5%). Or to put it another way:

With one major controls in place, the chances of successfully controlling the risk is 95.0%

Path to ISO 27001 Certification

b) Four minor controls each of which is 60% effective? 

In this case, we need to combine the individual chance of failure to evaluate the combined effect of the four controls.

Consider how the risk of failure decreases as we add each of the four controls.

Remembering that each is 60% effective, the chance of failure is the remaining 40%.

So, with one control in place the chance of failure is 40%.

With two controls in place the chance of failure is 40% x 40%.  That is 16%.

With a third control in place we get 40% x 40% x 40%.  That is, 6.4 %

And add in the fourth control, we get 40% x 40% x 40% x 40%.  Giving us a 2.56% chance of failure.

Therefore, with four minor controls in place, the chances of successfully controlling the risk is 97.4%.

Robust Protection against Failure

The robustness of the protection provided by the four minor controls is greater. Consider, if the one major control fails there is zero protection remaining. But if one of the four minor controls fails a 93.6% chance of successfully controlling the risk remains.

But be careful

There are two implicit assumptions in the Swiss Cheese approach to risk management for you to be aware of:

Firstly, for the multiple controls to be effective, they must be independent of one another.  An example would be, say, three controls each requiring an electricity supply to maintain their protection.

Here, one adverse event, a power loss, would knock out all three controls and the assumed protection of three controls would not accrue. To put it bluntly: you'd be kidding yourself!

Secondly, that we can reliably predict the level of risk reduction a control will provide.  We can't. Only by monitoring the performance of a system over time can we confirm the risk reduction achieved.  This is a powerful argument for using combinations of controls.


The combination of risk controls provides a higher level of protection and, wherever possible, the use of single control to reduce risk should be avoided.. A combination of controls will almost certainly prove more robust and more effective in the long run.

monthly email sign-up

NOTE: This Post was first published in February 2017 and has now been revised and updated.

Written by Dr John FitzGerald

Director and founder of deGRANDSON Global. After 15 years in the manufacturing industry, John has spent the past 25 years training, consulting and auditing ISO 9001 and other management systems.

Subscribe to Email Updates


Recent Posts

Posts by Topic