Risk mitigation provided by human monitoring and control over a water supply system has been consistently overlooked when estimating pathogen exposure to consumers. The Systems-Actions-Management (SAM) framework lends itself neatly to Quantitative Microbial Risk Assessment (QMRA) as one way to establish this link. The general premise is that an organisational protocol will influence how a human controller behaves, in turn influencing the system performance. For illustrative purposes, the framework was applied to a hypothetical water supply system to quantify the risk reduction offered by routine Cryptosporidium monitoring and the response to oocyst 'detects'. Our findings suggest that infrequent direct pathogen monitoring may provide a negligible risk barrier. The practice of sampling treated water to verify microbiological integrity is also dubious: oocyst densities were largely under-estimated, in part due to the spatial dispersion of oocysts in the waterbody, but predominantly from imperfect detection methods. The development of 'event-driven' monitoring schemes with barrier performance-based treatment verification methods, as promoted in new guidelines, is supported as a pressing issue to reduce the likelihood of undetected pathogen passage through a treatment plant.