Written by: John Weathington
Thursday, June 26, 2008

A couple of weeks ago in Prevention over Intervention, we talked about the different kinds of controls, and discussed the reasons why preventive controls are always the best route. In fact, as a reminder, here’s my sage wisdom again on controls:

John Weathington’s Golden Gem of Controls: One effective preventative control is worth a thousand non-preventative controls.

What Control Options are Left?

Okay, now that we have that straight I’d like to pose this question. If preventive controls are not feasible, then what do you do? Well, according to the Golden Gem above, you’re left with the lesser of all evils. Let’s take a look at your options again:

  1. Corrective Controls are controls that deal with the cause of a risk that has already happened.
  2. Adaptive Controls are controls that deal with the impact of a risk that has already happened.
  3. Contingent Controls are controls that deal with the impact of a risk that may happen in the future.

Of course, our preferred control, the preventive control, deals with the cause of a risk that may happen in the future. Given that, you might say its diametric opposite is the adaptive control. In the previously referenced article, we used the fraud example to illustrate the different controls, and the adaptive control was some sort of settlement to the shareholders impacted by the fraud. As you might expect, this is not the best route to go.

So that only leaves corrective and contingent controls. Which leads to the question – What is it about preventive controls that makes them the obvious and attractive best option? Is it because they deal with the cause of a risk, or is it because they kick in before the risk event happens?

That’s a good question.

In my view, it’s more important to be proactive than reactive, so my vote is for the contingent control. If you can’t deal with the cause up front, then deal with the impact up front. In our fraud example, the contingent control was to set up a Fraud Fund to compensate impacted stakeholders just in case fraud happened.

Catastrophic Database Failure - An Illustrative Example

You may not immediately see the value of this generalization based on this example, so let’s use another example that might hit closer to home. Let’s say your risk is a catastrophic database failure at your facility. Of course, databases can fail for a number of reasons, but let’s focus on hardware failure as the cause. What’s the impact of a catastrophic database failure? Users can’t access time-sensitive data that is mission critical to the operation of your business (e.g., an order processing system).

We can get this under control in a number of ways. As is already established, the best way is a preventive control, which would be anything to keep the hardware alive. RAID and advanced monitoring would be examples. An adaptive control would be to have an emergency meeting after the fact, to figure out how to manually process the orders. Do you now see why this is such a bad idea?

A corrective control would be to have an emergency meeting after the fact, to figure out how to get the database back up and running. This actually isn’t that bad of an idea, and if you’ve been doing this a while, you may have even attended one or two of these meetings!

As stated earlier, however, my recommended course of consideration, after the preventive control has been ruled out, is the contingent control. While developing the contingent control, you would be answering the question, “How can we still process orders, even if there is a catastrophic database failure at our facility?” Some of you may already be ahead of me, but a perfect example of a contingent control is a disaster recovery site that is not at your facility – perhaps in another city. The disaster recovery site would of course mirror the data in your mission-critical database, and upon a catastrophe in the main system, failover would happen instantly and automatically. The order processors shouldn’t even know that anything happened.

You should lock this example in your head, and when the time arises, superimpose the scenario on your compliance objectives. As another example, your auditors may need to control for financial misstatements caused by inexperienced processors. Once it’s determined that educating and training the inexperienced processors (preventive control) is not effective, you could suggest the contingent control of having an automated system-wide reconciliation to make sure all the numbers tie out.

Three Ideas for Contingency Control Architecture

For architectural considerations, you can leverage last week’s blog entry on Automated Process Auditing. Contingent controls are generally events that will be executed “in case of.” In most cases, a series of events is necessary – or a process needs to be controlled. With this in mind, you can use some of the techniques for automated process control to not only document your contingent process, but to also demonstrate that the contingent process was followed, in the unfortunate event of the risk showing up.

To add to the idea of process control, I would also emphasize the importance of the trigger that sets off the contingent plan. This needs to be carefully tracked so that you can demonstrate when the risk event occurred, and when your contingent plan went into place.

Finally, in consideration of contingent controls, you should set up a repository to store your contingent plans. Your auditors will absolutely love this, as it clearly demonstrates that you have the impact of your high-probability and/or high-impact risks controlled by well-thought-out contingency plans.
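
The three ideas above (a plan repository, a tracked trigger, and evidence that the contingent process was followed) can be sketched as a small data model. This is an added example, not code from the original post; the table names, column names, plan steps and timestamps are all hypothetical and constructed for illustration.

```python
import sqlite3

# Hypothetical schema: plans and their ordered steps (the repository),
# trigger events (when the risk showed up), and step runs (the evidence).
SCHEMA = """
CREATE TABLE plan          (plan_id INTEGER PRIMARY KEY, risk TEXT NOT NULL);
CREATE TABLE plan_step     (plan_id INTEGER, seq INTEGER, action TEXT,
                            PRIMARY KEY (plan_id, seq));
CREATE TABLE trigger_event (event_id INTEGER PRIMARY KEY, plan_id INTEGER,
                            occurred_at TEXT NOT NULL);
CREATE TABLE step_run      (event_id INTEGER, seq INTEGER, done_at TEXT NOT NULL);
"""

def build_repository():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO plan VALUES (1, 'catastrophic database failure')")
    db.executemany("INSERT INTO plan_step VALUES (1, ?, ?)", [
        (1, "confirm primary is down"),
        (2, "fail over to DR site"),
        (3, "verify order processing on DR site")])
    # Constructed evidence: event 1 followed the plan; event 2 ran the
    # steps out of order and never recorded step 3.
    db.executemany("INSERT INTO trigger_event VALUES (?, 1, ?)", [
        (1, "2008-06-01T02:00:00"), (2, "2008-06-20T14:00:00")])
    db.executemany("INSERT INTO step_run VALUES (?, ?, ?)", [
        (1, 1, "2008-06-01T02:01:00"), (1, 2, "2008-06-01T02:03:00"),
        (1, 3, "2008-06-01T02:10:00"),
        (2, 2, "2008-06-20T14:05:00"), (2, 1, "2008-06-20T14:07:00")])
    return db

def audit_event(db, event_id):
    """Evidence for one trigger event: when it fired, when the plan started, gaps."""
    plan_id, occurred = db.execute(
        "SELECT plan_id, occurred_at FROM trigger_event WHERE event_id = ?",
        (event_id,)).fetchone()
    planned = [r[0] for r in db.execute(
        "SELECT seq FROM plan_step WHERE plan_id = ? ORDER BY seq", (plan_id,))]
    runs = db.execute(
        "SELECT seq, done_at FROM step_run WHERE event_id = ? ORDER BY done_at, seq",
        (event_id,)).fetchall()
    done = [seq for seq, _ in runs]
    findings = [f"step {s} not executed" for s in planned if s not in done]
    if done != sorted(done):
        findings.append("steps executed out of order")
    if any(ts < occurred for _, ts in runs):  # ISO-8601 strings sort by time
        findings.append("step recorded before trigger")
    return {"triggered": occurred,
            "activated": runs[0][1] if runs else None,
            "findings": findings}
```

An empty `findings` list is what you would show an auditor for an event; anything else is a deviation from the documented contingent process that needs explaining.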

In Summary

Although the best-case controls to use are preventive, sometimes we can’t engage them. Either it’s physically not possible (for instance, you cannot prevent an earthquake) or the preventive controls that you have in place are not effective (think Columbine). In these cases, the next best thing is the contingent control – deal with the impact of the risk before it happens. With the correct data architecture in place, such as a contingency plan repository and contingency process control, you will have no problem demonstrating to auditors that you, once again, have things well under control.
