The best way to gauge the effectiveness of an organization's approach to risk management and response all too often comes down to three simple canary questions:
1) When the building caught fire, why did they respond by pointing the hose at the parking lot?
2) Were they surprised when the building still burned down?
3) Did they learn from the mistake and change the approach before somebody brought in the next box of matches?