
Enterprises Should Emphasize Preventive Controls

The best way to avoid IT problems that can endanger your organization's goals is to invest in preventive controls.
Aug 1, 2005

George Spafford

There are three categories of controls - preventive, detective and corrective. Preventive controls are intended to reduce the likelihood of an undesired event (a risk) happening in the future. A detective control is designed to uncover an undesired problem that has already transpired. Finally, a corrective control is designed to restore a system to an approved/last known good state. What we have learned from quality management is that preventive controls are where the bulk of attention must be given because an unwanted event has already happened by the time the detective or corrective controls come into play.

First we need to recognize that any control strategy must be tailored to address the risks to objectives that management identifies as unacceptable. There will always be more risks to the business than dollars and resources to fix them. The objective must be to identify what risks materially threaten the goals of the organization and to only reduce them to the point that management is willing to accept any residual risk. Any mitigation beyond that point, to put it bluntly, is a waste of time and money.

When we look at the works of quality management, we know that it is best to deal with variation by reducing it when possible through process design and addressing defects early versus later. To these ends, we want simplicity, not complexity, and we want to prevent problems before they happen when reasonably possible. Here, "reasonable" means that the risk reduction benefit is worth the cost, and the total cost consideration must include both the initial implementation and ongoing expenses associated with the control.

The following list of preventive controls is meant to provide examples that IT can review with management once risks are understood to prevent unwanted events from occurring:

  • Tone from the top - Management must set expectations and the acceptable bounds of behavior. Not only must they address performance and ethical requirements but they must constantly demonstrate the behavior as well. They must “walk the walk” at all times. One misstep can do tremendous damage.

  • Hiring - Be sure to hire the right people in the first place. Hire for cultural as well as technical fit. Do background screening commensurate with the person's role. Having the right people in the organization to begin with can make a tremendous difference.

  • Organizational Design and Segregation of Duties - The organization must be designed appropriately to allow for segregation of duties and roles that make sense. A person cannot follow segregation of duties if his/her job description mandates that he/she perform work contrary to control expectations. In other words, the organizational chart must support the control environment needs and not unnecessarily inhibit them.

  • Policies and Procedures - Standard policies and procedures help identify acceptable behavior and how processes are to be performed. To be effective, there must be routine training, awareness campaigns, recertification, detective controls and audits. Policies and procedures cannot be bought or written and then sit on a shelf.

  • Training - It's amazing how organizations all too often say they rely on their people and then fail to invest in them. Training is needed to ensure people have the necessary skills to perform jobs. This includes not just technical skills learned from outside sources but also training on internal systems and processes. Fundamentally, people cannot follow what they don't understand, and they cannot perform quality work unless entrusted with all the tools necessary, and this includes training.

  • Awareness Campaigns - These are vital to keep key issues on people's minds. Campaigns often utilize a number of channels to get the message across, ranging from posters, to daily emails, to newsletters, luncheons, contests and so on. They aren't a substitute for training, but they reinforce important points that should have been covered in formal training programs and can highlight new developments.

  • Accountability - In the context of this list, accountability means that people are held liable for their actions, or inactions, in a fair and just manner. The resulting message communicated to others serves to prevent repetitions of unwanted behaviors. This isn't a call for draconian measures, simply that cause and effect must be tied with discipline.

  • Corrective Action Process - When unwanted outcomes transpire, whether by people, process failure or technology, there must be corrective actions taken to reduce the likelihood of the problem happening again. The action may be training, process redesign, additional technology and so on. The point is that when an event happens, it should be assessed and countermeasures taken on the basis of risk, cost and benefit.

  • Metrics Analysis - The organization must identify metrics that correctly measure processes and outcomes such that behavior is driven correctly. The collected data must be assessed at defined intervals to see if the process is in control or heading out of control and action is needed before an incident arises.

  • System Design/Architecture - Proper systems designs that enable segregation of duties, proper access controls, change controls, and application transaction controls go a long way to preventing problems before they happen. This is true for applications, networks, databases, etc. Proper engineering with an understanding of the control requirements from the start can lead to a far better system in the end. Always remember that it is easier to design proper controls into a system from the start than to try and retrofit them in later.

  • Stakeholder involvement - To prevent problems, IT and project teams must involve the relevant stakeholders early on and understand their requirements. For example, involve internal audit and security early on rather than not at all when redesigning a critical system, reviewing a system for purchase, etc. Control requirements are a system design consideration just like any other.

  • Leveraging Standards - Don't reinvent the wheel and go through lots of problems to get processes right. Start with standards and leverage the result of thousands of man hours of experience thus preventing mistakes. The British Standards Institute (BSI), International Standards Organization (ISO), the British Office of Government Commerce Information Technology Infrastructure Library (ITIL), the US National Institute of Standards (NIST), and the Carnegie Mellon Software Engineering Institute (SEI) are treasure troves of process information.

In summary, firms need to invest in preventive controls in a manner commensurate with the risks they face. There are many preventive controls to select from and the above are but a sample. The whole intent is to take reasonable efforts to prevent problems from happening in the first place and increase the likelihood that the organization can attain its goal.