Written by: John Weathington
Thursday, June 12, 2008
What’s the best kind of problem to deal with?
A problem that never happens.
Earlier, when I was training to be a facilitator, my instructor emphasized something you’ve probably heard before. She kept saying, “Prevention over Intervention.” The context, of course, was facilitating a meeting. She taught us that if you set up ground rules at the beginning of a meeting, and get everyone to agree to them, the rest of the meeting goes much more smoothly. In practice, I’ve found she was absolutely right. Another locution that has been popularized over the years is, “An ounce of prevention is worth a pound of cure.” Phrases like this resonate with me, so I’d like to present to you my golden gem of controls:
John Weathington’s Golden Gem of Controls: One effective preventative control is worth a thousand non-preventative controls.
Keep this in mind as you and your team navigate the landscape of risk control. In my view, there are only four types of controls, and they are defined by two dimensions: the timing of the risk event, and the risk property. For timing, you are either dealing with a risk that will occur or a risk that has already occurred. For risk property, you are either dealing with the cause of the risk or the impact of the risk. It’s really that simple. So, if you look at all the permutations of these two dimensions, you get the following four types of controls:
- Corrective Controls are controls that deal with the cause of a risk that has already happened.
- Adaptive Controls are controls that deal with the impact of a risk that has already happened.
- Preventive Controls are controls that deal with the cause of a risk that may happen in the future.
- Contingent Controls are controls that deal with the impact of a risk that may happen in the future.
Since fraud is a hot topic these days, let’s use that as an example. Let’s say we’re trying to control the risk that corporate executives will fraudulently back-date options so that they can cash in big (not such a far stretch). One cause of this might be too much collusion in the upper ranks. Usually these schemes are pulled off because the CEO, CFO, and other high-ranking officials in a company are all working together. The key impact the SEC is worried about is the misrepresentation of financial data (i.e., executive compensation) that has now occurred due to the fraudulent activity.
We can control this in a number of ways. A corrective control would be huge fines and jail time for the guilty senior management. Remember, they caused it, and the fraud has already happened.
An adaptive control would be some sort of settlement to the shareholders who were impacted. Executive compensation will have to be restated, and that will probably cause the company’s stock to suffer. A settlement to all the shareholders would be an adaptive way to handle this: the fraud has already happened, and you are taking care of the impacted parties.
An example of a contingent control would be to set up a Fraud Fund in anticipation that something like this might happen. The fraud hasn’t happened, and might never happen, but if it does, a fund is available to compensate impacted shareholders.
Of course, I’m saving the best for last. A preventive control is always the best choice. An example of a preventive control would be to set up an independent agency that audits the option-issuing process before it can be authorized for execution. You are taking measures to treat the cause of the problem (collusion) before the fraud actually occurs.
Of course, all controls need to be effective. An ineffective control isn’t really a control; it’s just a drain on resources.
So, since preventive controls are the ideal situation, let’s talk about some architectural considerations for supporting them. Here are three areas of your company’s data system infrastructure where preventive controls can be realized:
Tap into the Transactional System
This is the most effective, and obviously the most challenging. If you’ve followed my work, you know I advocate the construction of a Compliance Data System (CDS). Although the CDS can be leveraged, what we’re talking about here is outside the scope of any downstream system. Since transactional systems come in all shapes, sizes, and forms, I can’t advise you on any specifics; however, I can leave you with some goals. You need to be able to prevent an action from happening based on a recognized condition. For instance, to control for data privacy, you may need to block an unauthorized request to view sensitive personal data. If your transactional system centralizes its action processing (a popular design consideration in web applications), this is a good place to inject these rules.
To leverage the CDS, make sure the rules are documented and the violations are captured. Develop a log that records all violations, and make it tamper-proof. This information can then be pulled downstream by the CDS for compliance-related analytics.
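One way to realize this in a centralized action handler, as an added example that is not from the original post: the rule table, rule id, role names and record format are all hypothetical. The rule check runs before the action executes, so a blocked request never reaches downstream processing, and each violation is appended to a hash-chained log, which makes later edits or deletions detectable (tamper-evident rather than strictly tamper-proof) and gives the CDS a verifiable feed.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Documented preventive rule (hypothetical rule id and roles): only the roles listed
# here may view records tagged "sensitive"; any other role is blocked before the action runs.
RULES = {
    "PRIV-001": {
        "description": "Block unauthorized views of sensitive personal data",
        "action": "view_record",
        "allowed_roles": {"privacy_officer", "hr_manager"},
    },
}


@dataclass
class ViolationLog:
    """Append-only log; each entry carries the hash of the previous entry, so
    editing or deleting any entry breaks the chain (tamper-evident)."""
    entries: list = field(default_factory=list)

    def append(self, rule_id: str, actor: str, role: str, target: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"rule": rule_id, "actor": actor, "role": role, "target": target, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute every hash and check each entry points at its predecessor."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def dispatch(action: str, actor: str, role: str, record: dict, log: ViolationLog) -> bool:
    """Central action handler: rules are evaluated first, so a blocked action never executes."""
    for rule_id, rule in RULES.items():
        if rule["action"] == action and record.get("sensitive") and role not in rule["allowed_roles"]:
            log.append(rule_id, actor, role, record["id"])
            return False  # prevented: nothing downstream runs
    return True  # allowed: the real processing would follow here
```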
Build a Compliance Operational Data Store
Leverage the Operational Data Store (ODS) concept from the data warehousing community to build a compliance operational data store. This will be part of your comprehensive compliance data system. To create any kind of preventive control outside of the transactional system, you will need leading indicators and a fast response system. An example of a leading indicator might be an inappropriate approval, since an inappropriate approval could lead to fraud down the line. Your compliance operational data store should catch this and flag it as a potential problem before it becomes a real one.
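An added example (not from the original post) of how a compliance ODS might flag inappropriate approvals as leading indicators, using the options-grant scenario from earlier: the approval records, the 30-day reciprocal-approval window and the indicator names are all constructed assumptions. It flags self-approvals, reciprocal approvals between two executives who sign off on each other’s grants, and grants dated earlier than the approval that authorized them.

```python
from datetime import date, timedelta

# Constructed approval records from a hypothetical options-grant workflow. Each row is one
# approval event; "grant_date" is the effective date the approver signed off on.
APPROVALS = [
    {"id": "A1", "requester": "cfo", "approver": "ceo", "approved": date(2008, 6, 2), "grant_date": date(2008, 6, 2)},
    {"id": "A2", "requester": "ceo", "approver": "cfo", "approved": date(2008, 6, 3), "grant_date": date(2008, 6, 3)},
    {"id": "A3", "requester": "vp_sales", "approver": "vp_sales", "approved": date(2008, 6, 5), "grant_date": date(2008, 6, 5)},
    {"id": "A4", "requester": "coo", "approver": "ceo", "approved": date(2008, 6, 9), "grant_date": date(2008, 3, 10)},
    {"id": "A5", "requester": "vp_eng", "approver": "cfo", "approved": date(2008, 6, 10), "grant_date": date(2008, 6, 10)},
]

RECIPROCAL_WINDOW = timedelta(days=30)  # assumed threshold, not from the post
BACKDATE_TOLERANCE = timedelta(days=0)  # a grant effective before its approval is backdated


def leading_indicators(approvals):
    """Return {approval_id: [indicator, ...]} for approvals that look inappropriate."""
    flags = {}

    def flag(aid, reason):
        flags.setdefault(aid, []).append(reason)

    for a in approvals:
        # Indicator 1: the requester approved their own grant.
        if a["requester"] == a["approver"]:
            flag(a["id"], "self-approval")
        # Indicator 2: the grant's effective date precedes the approval (possible backdating).
        if a["approved"] - a["grant_date"] > BACKDATE_TOLERANCE:
            flag(a["id"], "grant dated before approval")
        # Indicator 3: two officers approve each other's grants within the window (collusion signal).
        for b in approvals:
            if (b is not a and b["requester"] == a["approver"] and b["approver"] == a["requester"]
                    and abs(b["approved"] - a["approved"]) <= RECIPROCAL_WINDOW):
                flag(a["id"], f"reciprocal approval with {b['id']}")
    return flags
```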
Leverage your Compliance Data Warehouse
Just because your data warehouse is downstream and strategic doesn’t mean it can’t be used for preventive controls. Fair Isaac has built an extremely profitable business purely around this concept, through the adoption of the FICO score. You can use your strategic data and advanced data mining techniques to identify trends and attack the cause of a future negative impact, in the same way Fair Isaac uses its proprietary data to deny credit to high-risk borrowers.
Controlling risk is important and necessary. Any effective control is a good control; however, a preventive control is by far the best choice. Effectively leveraging your transactional systems, and intelligently using the operational and strategic components of your compliance data system to support effective preventive controls, is the smartest way to control risk at your company.