People-based preventive control is considered the least effective form of risk management because it relies heavily on human intervention and behavior, which are prone to error and inconsistency. Systems-based controls, both preventive and detective, are more effective because they are automated and less susceptible to human error. Even people-based detective controls, while also dependent on humans, are effective for identifying issues after they occur, unlike preventive methods.