The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.
Comments
Surely it is the effectiveness of a control that is more important than the design - if it controls the risk, and the cost/benefit of the control is acceptable, then it works, irrespective of any inefficiencies of design.
As for the "well designed" control - if a control is ignored, then that is worse than not having any control, as it could give false comfort to senior management who might think that all is well, because there are well designed controls in place.
Spot on Alfred! Optimum risk mitigation.
The point is not about the design quality of controls, it's about their impact on risk. If poor design of a control means that it doesn't do the job, e.g. because it is not followed, then it's worthless and should be discarded (or improved / replaced).
Ignorance of a "well-designed" control is also a hint that its purpose is not accomplished and its design may actually be improvable.
After all, risk controls are to enable/allow the right things to be accomplished. Controls should not be followed for the control's sake - nor for the risk manager's or his reports'. Controls should be followed because they provide protection while achieving business or organisations' goals.
To imply that controls are inherently good regardless of their impact is a subjective bias that leads to serious errors in judgment. To even suggest that adhering to "any control" is better than nothing is problematic; adherence to a poor control could certainly be worse than nothing. Case-in-point: "If a control costs more than the expected consequence of the risk that the control is intending to control, then I would call that a 'poor control' that should NOT be followed!"
The question is about a poor control that is followed vs. a good one that is ignored. To suggest a good one can't be ignored begs the question. My view is any control that is adhered to is better than nothing.
Richard Ellis PMP PRM
http://www.linkedin.com/in/richardellis86
I agree that any development of a control has an initial degree of uncertainty. Only execution can tell if it is a well-designed or poor control.
A poor control must be scrapped and a well-designed control must be improved.
The issue with this discussion relates to the differentiation of development and validation of business processes and operational standard procedures.
["A poorly designed control that is followed is still better than a well-designed control that's ignored."] in my opinion implies the controls are validated and integrated in the company’s standard operations procedures.
A poorly designed control provides false information and false sense of security while a well-designed control provides information reflecting it is not being followed.
I disagree, regardless of what the military says ("Any" plan does not equal the right plan). You don't have to suffer the consequences to estimate the consequences, and adequacy is a measure of the expected consequence. So "Half a Plan" could certainly be worse than "No Plan", i.e. if the "Half Plan" marches you off a cliff but the "No Plan" provides options to avoid the cliff ("adapt, overcome, improvise" is hardly a well-designed plan!).
Risk comes in gradations; even a well-designed plan will have consequences. You must measure the consequences to properly do the comparison. Therefore it is about the consequences of a well-defined plan that is not followed compared to the consequences of a poorly-defined plan that is followed. The results will vary because it depends: it depends on the relevant consequences.
A poorly designed control will not address the risks adequately. So there is no use following this. If this [poorly designed] control was also not subject to scenario testing, I guess we are probably heading for a bigger danger than the original threat itself.
Many organizations have not suffered the consequences of either poorly designed or well-designed controls. For these organizations these are relative terms. Remember that most well-designed controls come about as a result of following poor or non-existent controls. Everyone begins with poorly designed ones - NASA; the World-Wide Web; banks (all over the world); building codes in all cities and countries; and the list goes on. Following no control whatsoever has far greater consequences, thus the question as it is posed. In my chosen field of business continuity and risk management many organizations have poor or well-designed controls. Some follow them. Some are only aware of them when stuff happens. Those who follow poorly designed controls can be assisted to better their organizations. Those who have well-designed controls but don't follow them open themselves to the greater liability risk. Even the military admits half a plan is better than none at all.
A well-designed control by definition will not be ignored; however, it 'ALL' depends on the consequences of each action. A well-designed control that is ignored but has large consequences would be worse than a poorly defined control that is followed with smaller consequences. On the flip side, a poorly designed control that has large consequences even though it is followed would be worse if the consequence of not following a well-designed control is small. It is not about the control: IT IS ABOUT COMPARING THE CONSEQUENCES of each control.