Architect preventative compliance controls for best risk management


John Weathington, Contributor
08.05.2009


Compliance controls are a key component of your company's success, but how are they developed, and what is IT's role in that process? You must be prepared for these conversations, and you should have your IT department ready to respond when compliance issues become a concern for your organization. You need a proven framework to architect the right IT solutions for managing compliance controls. But first, let's get a good understanding of what a control is.

Controls mitigate risks

Controls mitigate risks, and risks are uncertainties that can interfere with an objective. It's important to understand this, because in a lot of cases compliance controls are just handed to you or your compliance department without any background on why the controls exist, or more specifically what risk the control is trying to mitigate.

For example, you might be handed a control that states that any disbursement of more than $10,000 must be approved by a manager. Sure, this is a control, but what's the risk? In this case, the risk could be fraud or some other type of misappropriation. Finally, the objective would be something like fiscal responsibility.

It's good to go through this exercise every time you're handed a control with no explanation. You could be handed a control that is ineffective against the risk you're trying to mitigate. So, sure, you'll be in compliance, but you'll still suffer the negative impact of the risk. It's like driving into an intersection while a car is crossing at high speed, and justifying it because the light is green.

Two questions for framing controls

Once you understand the risk that a control is trying to mitigate, you can find out what type of control you're dealing with. To do this, you need to answer two questions related to risk management:

  • Are we dealing with a risk that's already happened, or a risk that might still happen? This is what I call the timing of the control.
  • Are we dealing with the cause of the risk or the impact of the risk? This is what I call the character of the control.

Once you know the timing and the character, you can determine the category of control, which you must know before architecting an IT solution.

Preventative or contingent controls

If the answer to the first question (i.e., the timing of the control) is "a risk that still might happen," then you're dealing with either a preventative or a contingent category of controls. Preventative controls deal with the cause of a risk and contingent controls deal with the impact of a risk. By far, preventative controls are the best category of control for mitigating risk and a distant second is contingent controls. The best risk is a risk that never happens.

To architect for a preventative control, you'll need to determine causation. For instance, to prevent a fire you may inspect for loose wiring. Loose wiring is a cause of fires, and therefore an indicator worth monitoring. The inspection is the control. The risk is a fire breaking out, and the objective is a safe environment.

You can leverage your data warehousing environment to assess causation and determine appropriate indicators. Then, install triggers and monitors in your operational system (i.e., ERP) to pick up your indicators. Once triggered, you can instruct the system to execute the control, like stopping an unauthorized disbursement.

Contingent controls deal with the impact of the risk instead of the cause. Installing smoke detectors would be an example of a contingent control on fire. Your operational data store is a good place to install contingent controls as you want to catch the risk as soon as it happens.

Corrective or adaptive controls

When the risk has already happened, you're dealing with either a corrective or adaptive category of controls. These controls are reactive instead of proactive, which is why they're the least desirable category of control.

Corrective controls deal with the cause of the risk after it has happened. If you have a leaky roof, you'll correct it by fixing the roof. This is opposed to the adaptive control of putting a pail under the leak, thereby dealing with the impact.

The key with both corrective and adaptive controls is a good issue-tracking system (e.g., Remedy). Once the risk breaks out, use your tracking system to track every step that was taken to mitigate the risk, recording the who, what and where of each action. These records will be vital for your organization to prove its diligence in handling the risk, in case of an audit.
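The $10,000 disbursement control from earlier, modelled as an added example (not code from the original article): the preventative control is the trigger in the operational system that blocks an unapproved disbursement before it occurs, the contingent control is the monitor over the operational data store that catches any that slipped through, and each finding becomes a who/what/where record for the issue-tracking system. All names, thresholds and sample data are constructed for illustration.

```python
"""Preventative and contingent controls for the manager-approval rule.
Constructed example: dataclass names, field names and sample data are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# The control: any disbursement of more than $10,000 needs a manager's approval.
APPROVAL_THRESHOLD = 10_000.00


@dataclass
class Disbursement:
    ref: str
    amount: float
    requested_by: str
    manager_approval: Optional[str] = None  # approving manager's id, if any


@dataclass
class Issue:
    """One issue-tracker record: the who, what and where of an action."""
    who: str
    what: str
    where: str


def preventative_control(d: Disbursement) -> bool:
    """Trigger in the operational (ERP) system, run before posting.
    Returns True if the disbursement may proceed; False blocks it, so the
    risk (fraud or misappropriation) never happens."""
    if d.amount > APPROVAL_THRESHOLD and not d.manager_approval:
        return False
    return True


def contingent_control(posted: List[Disbursement]) -> List[Issue]:
    """Monitor over the operational data store, run after posting.
    Flags disbursements that were posted without the required approval and
    raises one issue each, so the impact is caught as soon as it happens."""
    issues = []
    for d in posted:
        if not preventative_control(d):
            issues.append(Issue(who=d.requested_by,
                                what=f"unapproved disbursement {d.ref} of {d.amount:.2f}",
                                where="operational data store"))
    return issues


# Constructed sample data already posted to the operational data store.
POSTED = [
    Disbursement("D-1001", 4_500.00, "alice"),
    Disbursement("D-1002", 25_000.00, "bob", manager_approval="carol"),
    Disbursement("D-1003", 12_750.00, "dave"),
]

if __name__ == "__main__":
    for issue in contingent_control(POSTED):
        print(issue)
```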

Leverage what you have

You probably already have data warehouse, ERP and issue-tracking systems in place. Start thinking about how you might be able to leverage them to serve the needs of your company's compliance control efforts. Since preventative controls are the most valuable, launch an effort today to study causation of your company's biggest risks.

John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco management consultancy that helps companies dramatically improve efficiency and avoid penalties and fines. For more information, visit www.excellentmanagementsystems.com.

