
Blogs
Toad and Database Commentaries


Written by: John Weathington
Thursday, July 24, 2008

Over the last couple of months, we’ve been discussing different types of controls, and how they might fit into the architecture of your compliance data system. We’ve already discussed preventive controls, contingent controls, and corrective controls. To round out our discussion, today we’ll be discussing our final category of controls – adaptive controls.

If you’ve been following my recent discussions on controls, you know where these controls sit in the overall framework of controls as I see it. For the benefit of those who haven’t, I’ll briefly describe what an adaptive control is.

An adaptive control is a control that deals with the impact of a risk event, after the risk event has occurred. Let’s consider the risk of a power outage. What would happen if the power went out while you were watching TV at night? What would be the impact? Of course, you wouldn’t be able to see. Not being able to see can have other uncomfortable consequences like stubbing your toe; however, we’ll just stop there for a moment – not being able to see is a bad enough impact.

To control for this, we could light a candle or, better yet, turn on a flashlight. In this sense, we are adapting to the situation. You could build the argument that there was some contingency control on your part by having a candle or flashlight ready for an emergency, and you would be right if these things were consciously put in place, specifically to address the risk of a power outage.

This is not what I’m talking about.

In my scenario, you didn’t plan for it, but you still knew where to find the flashlight, and fortunately the batteries that you put in it the last time you were crawling under your house are still working.

It’s important to understand the distinction. Corrective and adaptive controls are reactive in nature. For this reason, I don’t like these controls as your primary system of defense against risk. That said, they are still necessary for the same reasons that we covered when we talked about corrective controls: as a backup for better controls, as a fallback when it’s not feasible to install better controls, and as a way of handling the consequences of a risk that was purposely ignored.

Corrective vs. Adaptive

So, if you have the choice of using a corrective control (addressing the cause of the risk), or an adaptive control (addressing the impact of the risk), which should you prefer? You actually need both, but you should exercise the adaptive control first. This is the equivalent of “stopping the bleeding.” After your adaptive efforts have contained the situation, then your corrective controls should kick in so your metrics can eventually be improved. An alternative would be to launch both in parallel, if you have the resources to do it.

Leveraging Corrective Control Architectures

If you’ve gone through the process of integrating some of the suggestions that we’ve discussed for corrective controls, this will add a lot of value to your adaptive control setup. If you remember, we discussed three architectural considerations: a detection system, a tracking system, and a metrics system.

You will need to leverage both the detection system and the tracking system. The metrics system is not useful for an adaptive control system, as you are not trying to improve your compliance; you are just trying to bandage the impact.

Just like the corrective control system, you will need to quickly detect that a risk event has occurred, and start tracking actions. The goal of the actions is different, however, and the response time is more critical.

The business will need to come up with an ad-hoc, temporary process to support the business goal. Let’s use another example – a SOX example this time. Let’s say your business is trying to control the risk of a bug in the reporting system throwing the numbers off. The impact of this risk is financial inaccuracies in the official financial statement.

Your system is running fine, until one day your detection system fires a warning. Some balancing assertions are failing in the Latin America reports, so something’s wrong with the system. It will take a few months to correct the problem, but in the meantime, an adaptive control needs to be deployed. The adaptive control is to have finance people manually comb through the Latin America reports, and fix any errors before they make their way to the official financial statement.

Key Considerations for the Adaptive Control System

The key to your adaptive control system is being able to document the actions taken to reduce the impact of the risk. This will give your company a reference database, in case this risk event shows up again.

Furthermore, you need to collect some metrics for understanding the impact to the organization of exercising the adaptive control. Important metrics to consider are the time it takes to handle the impact, the degree to which the impact is contained (in our example, 100%), and the cost to the organization for implementing the control (both initial and ongoing). This type of reporting will highlight the premium your organization is paying for having this risk show up. Stated in other terms, this is the alternative impact of the risk – the price you pay for avoiding the primary impact of the risk.

In Summary

Adaptive controls are another weapon in your arsenal of controlling risk. Like corrective controls, these are reactive, so you can leverage a lot of the architecture already established. The key, however, in designing support for your adaptive controls is making sure adaptive actions are documented and proper metrics are collected. Creating a framework for your business users to track this information is vital to their overall compliance efforts.
