Preventive vs. Detective Controls
Preventive or Preventative (AARGH – it is always preventive). This is one of those little nagging pet peeves. Even though Merriam-Webster states: "There is no difference between preventive and preventative. They are both adjectives that mean 'used to stop something bad from happening.'" Merriam-Webster also says: "Preventive, however, is used much more frequently than preventative." It is like Coke and Pepsi – Pepsi is not OK. I feel better now that we have had that discussion.
We always say in training that preventive controls are stronger than detective controls. Logically, that makes sense. Sticking with my favorite analogy – driving a car – there are so many preventive controls. A seat belt and an airbag prevent you from being injured in an accident. Having your automobile inspected each year (in states that require inspections) is a detective control. The inspection will determine if your brakes are wearing thin or if other safety features are not working correctly. The check engine light might also be considered a detective control. I would rather have brakes that work right the first time than find out the hard way that they have failed.
Can we put preventive controls in place to mitigate ALL risks? Of course we can't, because humans make mistakes. Take reconciliation controls as an example. Can we prevent the bank from posting something in error (although it happens less and less frequently)? Can we prevent someone from posting to the wrong account? Of course not, so we do account reconciliations to detect those mistakes.
Do we need both preventive controls and detective controls to mitigate the same risk? That is a much harder question to answer. In the case of cyber-security, one could argue that we need preventive controls in place to stop someone from penetrating our system. We also need detective controls in place just in case they do get in. The old saying is that a hacker only needs to be right once, while our IT security team needs to be right all the time.
I think that sometimes the strongest preventive controls are automated, and changing our mitigation strategy from a manual control to an automated control is the easiest way to go from detective to preventive. It is also the easiest way to get rid of detective controls, once you have determined that the preventive controls are working. It is, however, the most expensive change to implement.
Good luck to those working to make their companies more efficient while still mitigating the risks to achieving their strategic objectives. Remember, I am always here to help.
#notpreventative #erm #controls