Toad World Blogs
John Weathington's Blog
Thursday, July 24, 2008
Over the last couple of months, we’ve been discussing different types of controls, and how they might fit into the architecture of your compliance data system. We’ve already discussed preventive controls, contingent controls, and corrective controls. To round out our discussion, today we’ll be discussing our final category of controls – adaptive controls.
If you’ve been following my recent discussions on controls, you know where these controls sit in the overall framework of controls as I see it. For the benefit of those who haven’t, I’ll briefly describe what an adaptive control is.
An adaptive control is a control that deals with the impact of a risk event, after the risk event has occurred. Let’s consider the risk of a power outage. What would happen if the power went out while you were watching TV at night? What would be the impact? Of course, you wouldn’t be able to see. Not being able to see can have other uncomfortable consequences, like stubbing your toe, but we’ll stop there for a moment – not being able to see is a bad enough impact.
To control for this, we could light a candle or better yet a flashlight. In this sense, we are adapting to the situation. You could build the argument that there was some contingency controlling on your part by having a candle or flashlight ready for an emergency, and you would be right if these things were consciously put in place, specifically to address the risk of a power outage.
This is not what I’m talking about.
In my scenario, you didn’t plan for it, but you still knew where to find the flashlight, and fortunately the batteries that you put in it the last time you were crawling under your house are still working.
It’s important to understand the distinction. Corrective and adaptive controls are reactive in nature. For this reason, I don’t like these controls as your primary system of defense against risk. That said, they are still necessary for the same reasons that we covered when we talked about corrective controls: as a backup for better controls, in case it’s not feasible to install better controls, and for handling the consequences of a risk that was purposely ignored.
Corrective vs. Adaptive
So, if you have the choice of using a corrective control (addressing the cause of the risk) or an adaptive control (addressing the impact of the risk), which should you prefer? You actually need both, but you should exercise the adaptive control first. This is the equivalent of “stopping the bleeding.” After your adaptive efforts have contained the situation, your corrective controls should kick in so your metrics can eventually be improved. An alternative would be to launch both in parallel, if you have the resources to do it.
Leveraging Corrective Control Architectures
If you’ve gone through the process of integrating some of the suggestions that we’ve discussed for corrective controls, this will add a lot of value to your adaptive control setup. If you remember, we discussed three architectural considerations: a detection system, a tracking system, and a metrics system.
You will need to leverage both the detection system and the tracking system. The metrics system is not useful for the adaptive control system, as you are not trying to improve your compliance -- you are just trying to bandage the impact.
Just like the corrective control system, you will need to quickly detect that a risk event has occurred and start tracking actions. The goal of the actions is different, however, and the response time is more critical.
The business will need to come up with an ad-hoc, temporary process to support the business goal. Let’s use another example – a SOX example this time. Let’s say your business is trying to control the risk of a bug in the reporting system throwing the numbers off. The impact of this risk is financial inaccuracies in the official financial statement.
Your system is running fine, until one day your detection system fires a warning. Some balancing assertions are failing in the Latin America reports, so something’s wrong with the system. It will take a few months to correct the problem, but in the meantime, an adaptive control needs to be deployed. The adaptive control is to have finance people manually comb through the Latin America reports, and fix any errors before they make their way to the official financial statement.
Key Considerations for the Adaptive Control System
The key to your adaptive control system is being able to document the actions taken to reduce the impact of the risk. This will give your company a reference database, in case this risk event shows up again.
Furthermore, you need to collect some metrics for understanding the impact to the organization of exercising the adaptive control. Important metrics to consider are the time it takes to handle the impact, the degree to which the impact is contained (in our example, 100%), and the cost to the organization of implementing the control (both initial and ongoing). This type of reporting will highlight the premium your organization is paying for having this risk show up. Stated in other terms, this is the alternative impact of the risk – the price you pay for avoiding the primary impact of the risk.
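To make the SOX scenario and the metrics above concrete, here is an added example (my own illustration, not code from the post or from Quest): a small detection check for a balancing assertion over constructed ledger lines, a tracking record for each manual action the finance team takes, and a function that computes the three metrics the post names. The debits-equal-credits-per-region rule, the region names, and the cost figures are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample ledger lines (region, side, amount). The balancing
# assertion assumed here: debits must equal credits within each region.
REPORT_LINES = [
    ("LATAM", "debit", 1200.00), ("LATAM", "credit", 1150.00),
    ("EMEA", "debit", 800.00), ("EMEA", "credit", 800.00),
]


def detect_balance_failures(lines, tolerance=0.005):
    """Detection system: return {region: debit - credit} for regions that fail."""
    totals = {}
    for region, side, amount in lines:
        debit, credit = totals.get(region, (0.0, 0.0))
        if side == "debit":
            totals[region] = (debit + amount, credit)
        else:
            totals[region] = (debit, credit + amount)
    return {r: round(d - c, 2) for r, (d, c) in totals.items() if abs(d - c) > tolerance}


@dataclass
class AdaptiveAction:
    """Tracking system record: one manual action taken to reduce the impact."""
    region: str
    description: str
    opened: datetime
    closed: Optional[datetime] = None
    errors_found: int = 0
    errors_fixed: int = 0
    cost: float = 0.0          # ongoing cost of this action (hypothetical units)


def adaptive_metrics(actions, initial_cost):
    """Metrics the post asks for: time to handle, degree of containment, cost."""
    closed = [a for a in actions if a.closed is not None]
    hours = sum((a.closed - a.opened).total_seconds() / 3600 for a in closed)
    found = sum(a.errors_found for a in actions)
    fixed = sum(a.errors_fixed for a in actions)
    return {
        "handling_hours": round(hours, 2),
        "containment_pct": round(100.0 * fixed / found, 1) if found else 100.0,
        "initial_cost": initial_cost,
        "ongoing_cost": round(sum(a.cost for a in actions), 2),
    }
```

Running the detection over the sample lines flags only the LATAM region; the metrics function then summarises whatever actions the tracking system recorded against it.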
In Summary
Adaptive controls are another weapon in your arsenal for controlling risk. Like corrective controls, these are reactive, so you can leverage a lot of the architecture already established. The key, however, in designing support for your adaptive controls is making sure adaptive actions are documented and proper metrics are collected. Creating a framework for your business users to track this information is vital to their overall compliance efforts.