The concept of protecting people and assets with layers of controls, both preventive and mitigative, is an important aspect of reducing and managing operational risk.
Rarely is one control adequate to reduce risk to, and maintain it at, a level that is considered acceptable. Layers of control, selected in accordance with the hierarchy of risk treatment, and their actions should be constructed, implemented, verified and monitored to achieve a level of risk that is as low as reasonably practicable (ALARP).
Techniques such as barrier analysis, layers of protection analysis, bow-tie analysis and modified methods such as layers of control assessment can be used to assess existing controls and determine whether risk is at an acceptable level or whether further risk reduction strategies are necessary to achieve and maintain ALARP.
From ancient times, the concept of using multiple lines of defense or layers of protection was practiced to survive. During the Byzantine Empire, cities and castles were fortified by trenches, moats, multiple stone walls built 30 ft wide and 30 ft high or higher, tall towers equipped with archers and drawbridge-gated entrances, all to provide layers of protection against outside forces. The walls of Constantinople were the most famous of the medieval world, not only due to the scale of the layers of defense, but also due to their construction and design. These lines of defense were constantly challenged and tested by would-be invaders and required continual improvement of defense weaknesses, learning from failures and breaches. However, even the best layers of defense are vulnerable. Ultimately, the walls of Constantinople were breached by an emerging risk of the time: gunpowder and cannon fire. When the Ottoman sultan acquired cannons, the walls of Constantinople were rendered obsolete. On May 29, 1453, the Gate of St. Romanus was destroyed by artillery, the garrison of the Circus Gate was seized, and the Fifth Military Gate was stormed by the Turks. The city was finally captured (Livius.org, 2020). Today, organizations face similar battles from an operational risk standpoint.