Controls mitigate risks
Controls mitigate risks, and risks are uncertainties that can interfere with an objective. It's important to understand this, because in a lot of cases compliance controls are just handed to you or your compliance department without any background on why the controls exist, or more specifically what risk the control is trying to mitigate.
It's good to go through this exercise every time you're handed a control with no explanation. You could be handed an ineffective control for the risk you're trying to mitigate. So, sure, you'll be in compliance, but you'll still suffer the negative impact of the risk. It's like entering an intersection at the same moment a car is crossing at high speed, and your only reasoning is that the light is green.
Two questions for framing controls
Once you understand the risk that a control is trying to mitigate, you can find out what type of control you're dealing with. To do this, you need to answer two questions related to risk management:
- Are we dealing with a risk that's already happened, or a risk that might still happen? This is what I call the timing of the control.
- Are we dealing with the cause of the risk or the impact of the risk? This is what I call the character of the control.
Once you know the timing and the character, you can determine the category of control, which you must know before architecting an IT solution.
Preventative or contingent controls
If the answer to the first question (i.e., the timing of the control) is "a risk that still might happen," then you're dealing with either a preventative or a contingent category of controls.
Preventative controls
To architect for a preventative control, you'll need to determine causation. For instance, to prevent a fire you may inspect for loose wiring. Loose wiring is a known cause of fires, so it serves as an indicator. The inspection is the control. The risk is a fire breaking out, and the objective is a safe environment.
You can leverage your data warehousing environment to assess causation and determine appropriate indicators. Then, install triggers and monitors in your operational system (i.e., ERP) to pick up your indicators. Once triggered, you can instruct the system to execute the control, like stopping an unauthorized disbursement.
Contingent controls deal with the impact of the risk instead of the cause. Installing smoke detectors would be an example of a contingent control on fire. Your operational data store is a good place to install contingent controls, because you want to catch the risk as soon as it happens.
When the risk has already happened, you're dealing with either a corrective or adaptive category of controls. These controls are reactive instead of proactive, which is why they're the least desirable category of control.
Corrective controls deal with the cause of the risk after it has happened. If you have a leaky roof, you'll correct it by fixing the roof. This is opposed to the adaptive control of putting a pail under the leak, thereby dealing with the impact.
The key with both corrective and adaptive controls is a good issue-tracking system (e.g., Remedy). Once the risk breaks out, use your tracking system to record every step that was taken to mitigate the risk, capturing the who, what and where of each action. These records will be vital for your organization to prove its diligence in handling the risk, in case of an audit.
Leverage what you have
You probably already have data warehouse, ERP and issue-tracking systems in place. Start thinking about how you might be able to leverage them to serve the needs of your company's compliance control efforts. Since preventative controls are the most valuable, launch an effort today to study causation of your company's biggest risks.
John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco management consultancy that helps companies dramatically improve efficiency and avoid penalties and fines. For more information, visit www.excellentmanagementsystems.com.
This was first published in August 2009