Driving a Sustainable Control Environment through Failure Modes and Effects Analysis (FMEA)


A Top 10 US Bank deployed dozens of new controls across several of its enterprise service areas in response to intensifying regulatory scrutiny and inadequate findings from recent audits. Early results from the first wave of control testing highlighted deficiencies in the design and/or execution of many of the new controls. Additionally, controls once deemed ‘effective’ were also beginning to show signs of weakness due to slight modifications to control activities and dependencies on other controls. The bank needed to remediate its ‘ineffective’ controls, scrutinize and harden its untested controls, and implement a sustainable process for ensuring the efficacy and reliability of its control suites.


Infinitive’s risk management advisory and assurance consultants developed and tailored a process-based Failure Modes and Effects Analysis (FMEA) methodology that enhanced the organization’s control assurance model and testing practices. By breaking controls down into their component parts, the FMEA model enabled Infinitive to proactively simplify and structure discussions with control owners and SMEs to gain powerful and precise insights into the organization’s control environment and risk posture. Infinitive’s SMEs used the FMEA model and approach to facilitate numerous workshops with cross-functional teams of engineers, testers, risk managers and cyber SMEs, resulting in:

  • Assessments of more than 120 unique controls
  • Identification of several hundred failure modes
  • Detailed findings with recommended priorities for remediation
  • Action plans and timelines for addressing failure modes with moderate+ findings
  • Executive summaries highlighting continuous improvement opportunities


Infinitive’s FMEA methodology enhanced the client’s control model and testing process. By the end of Infinitive’s engagement:

  • 98% of the organization’s controls tested effective (up from 75%)
  • Significant reductions to remediation work and cost of retesting controls
  • A controls assurance organization fully trained in the new approach
  • Near-term goals and objectives for the bank’s enterprise services technology environment
  • A vision for optimizing the bank’s control environment
Published September 28, 2022