Manage Learn to apply best practices and optimize your operations.

Architect preventative compliance controls for best risk management

Controls are a key part of your compliance and risk management strategy, but which controls are the right ones for your organization?

Compliance controls are a key component to your company's success, but how are they developed and what is IT's role in that process? You must be prepared for these conversations and you should have your IT department ready to respond when compliance issues become a concern for your organization. You need a proven framework to architect the right IT solutions for managing compliance controls. But first, let's get a good understanding of what a control is.

Controls mitigate risks

Controls mitigate risks, and risks are uncertainties that can interfere with an objective. It's important to understand this, because in a lot of cases compliance controls are just handed to you or your compliance department without any background on why the controls exist, or more specifically what risk the control is trying to mitigate.

More compliance resources
E-discover the gaps in your information management process

Discovery process puts onus on electronic records management tools
For example, you might be handed a control that states that any disbursement of more than $10,000 must be approved by a manager. Sure, this is a control, but what's the risk? In this case, the risk could be fraud or some other type of misappropriation. Finally, the objective would be something like fiscal responsibility.

It's good to go through this exercise every time you're handed a control with no explanation. You could be handed an ineffective control for the risk you're trying to mitigate. So, sure, you'll be in compliance, but you'll still suffer the negative impact of the risk. It's like entering an intersection at the same time a car is crossing by at high speed, and your reasoning is because the light is green.

Two questions for framing controls

Once you understand the risk that a control is trying to mitigate, you can find out what type of control you're dealing with. To do this, you need to answer two questions related to risk management:

  • Are we dealing with a risk that's already happened, or a risk that might still happen? This is what I call the timing of the control.
  • Are we dealing with the cause of the risk or the impact of the risk? This is what I call the character of the control.

Once you know the timing and the character, you can determine the category of control, which you must know before architecting an IT solution.

Preventative or contingent controls

If the answer to the first question (i.e., the timing of the control) is "a risk that still might happen," then you're dealing with either a preventative or a contingent category of controls. Preventative controls

Corrective controls deal with the cause of a risk after it happens. You have a leaky roof, you correct it by fixing the roof. As opposed to the adaptive control of
putting a pail under the leak.

deal with the cause of a risk and contingent controls deal with the impact of a risk. By far, preventative controls are the best category of control for mitigating risk and a distant second is contingent controls. The best risk is a risk that never happens.

To architect for a preventative control, you'll need to determine causation. For instance, to prevent a fire you may inspect for loose wiring. Loose wiring is an indicator that causes fires. The inspection is the control. The risk is a fire breaking out, and the objective is a safe environment.

You can leverage your data warehousing environment to assess causation and determine appropriate indicators. Then, install triggers and monitors in your operational system (i.e., ERP) to pick up your indicators. Once triggered, you can instruct the system to execute the control, like stopping an unauthorized disbursement.

Contingent controls deal with the impact of the risk instead of the cause. Installing smoke detectors would be an example of a contingent control on fire. Your operational data store is a good place to install contingent controls as you want to catch the risk as soon as it happens.

Corrective or adaptive controls

When the risk has already happened, you're dealing with either a corrective or adaptive category of controls. These controls are reactive instead of proactive, which is why they're the least desirable category of control.

Corrective controls deal with the cause of the risk after it has happened. If you have a leaky roof, you'll correct it by fixing the roof. This is opposed to the adaptive control of putting a pail under the leak, thereby dealing with the impact.

The key with both corrective and adaptive controls is a good issue-tracking system (e.g., remedy). Once the risk breaks out, use your tracking system to track every step that was taken to mitigate the control, recording the who, what and where of each action. These records will be vital for your organization to prove its diligence in handling the risk, in case of an audit.

Leverage what you have

You probably already have data warehouse, ERP and issue-tracking systems in place. Start thinking about how you might be able to leverage them to serve the needs of your company's compliance control efforts. Since preventative controls are the most valuable, launch an effort today to study causation of your company's biggest risks.

John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco management consultancy that helps companies dramatically improve efficiency and avoid penalties and fines. For more information, visit

Dig Deeper on Compliance framework software

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.