Does anyone have information (general or otherwise) regarding performance standards for controls. I´m trying to come up with some good examples to present at risk workshops. By showing a few I hope to get the message across that control identification alone is not enough.
The idea is to be able to first present to people at workshops, with a very simple example, the concept of what what we mean by a performance standard.
Your message is a bit unclear. Do I understand you correctly when I intepret that you are looking at examples of risk events with good controls or intervention? sincerely
Benjamin wrote:> Does anyone have information (general or otherwise) regarding performance standards for controls?
Response:> On control and performance standards there are many international standards bodies which are accepted all over the world, I will take to list a few standards here.
ISO Standards Board
Perhaps the largest most widely accepted standards board. The ISO standards board releases specifications for how to measure risk, volatility, calibration, in fact a whole set of metrics. They are perhaps the largest and most widely accepted standards board in the world working with everything from IT security to quality assurance.
FMEA / FMECA
Failure Mode and Effects Analysis (FMEA) and Failure Modes, Effects and Criticality Analysis (FMECA) are methodologies designed to identify potential failure modes for a product or process. The aim is to assess the potential hazard associated with specific failure and to grade potential threats.
Failure Mode Effect Analysis set standards on Mean Time Between Failure, Mean Time To Repair.
Hazard and Operability Standards is based around a process of examination of a planned exercise to identify potential threats and it uses specific guided language to frame threats as explained here.
Failure mode and effects criticality standard is a US military standard that sets quality control for all equipment that is deployed to the field. Think about it, a soldier doesn't need to be dependent on a device that only works half the time and goodness knows what they do with Microsoft Windows out in the battle zone. More information can be found here bit of an old document and I am sure there are clearer ones up on the net.
A standard set down by the standard and control board of Australia on how to establish a risk framework for monitoring and measuring exposure. The aim is to lift the risk management practice of corporations in Australia. The standards board of Australia site link which can be found here sets all sorts of minimum requirements for everything from building design to work place safety practice.
Six Sigma and others
Nearly every field out there has a standards board for control, it is actually incredible how many of them there are but certainly in the realm of risk and control I would focus on ISO or Six Sigma. Lets take Six Sigma for example, this sets about a method to improve the quality of a process or product by removing defects in the process value chain itself. It stipulates the methods for measuring variance and itself has become not only a recommended process for improving control but a standard.
Trust this information helps but do feel free to come back to me if you have any questions.
I would be very interested to hear from you after you return from the conf. So many are light on the "take home and apply" tools and rarely do they present cutting edge insights into creating world class organizations. I was asked to speak on an upcomming conf. in Vancouver however I had to tell the sponsor that what we do is for our "paying clients." And I suppose that is why most conf. speakers hold back on sharing what they really know how to do. :-) Any way ... I will be waiting to hear about what you think.
Regards ... LJC
The business principles behind our organization and the clients we work with are based upon four extremely simple yet universally profound concepts:
#1) The Universe and all within is continually changing
#2) Change = Opportunity + Risk
#3) If You Can’t Measure it … You Can’t Manage It Therefore … Measure What Matters.
#4) It’s the Human Metrics ... that Drives the Financial Metrics.
Go to >> http://www.atica.us/white_papers.htm >> then select #4 – Engineering the Executive’s Dashboard …” download the free white paper … to get an overview of the power of supply chain metrics.
Hi Benjamin, one example you could use is this.
In case of Journal Entries (JE), if the designed control is "All JEs will be approved by appropriate person based on approval authority. All JEs, will be signed by the appropriate person and adequate supporting documentation will be attached" Here are many performance attributes
1. All JEs approved by appropriate authority [based on authorized approval dollar limit]
2. JE creator is not approving the JE
3. JE is signed - approval can verified and irrefutable
4. Supporting documentation is used for making decision and the supporting documentation is attached so that it can verified.
5. JE are made timely in the appropriate month
So if you define these performance parameters, you can measure the performace of control. If you sample 100 JEs how many are completely ok based on 5 parameters mentioned above. Also you have to define the tolerance limit depending on application. If 95/100 is found to be fine then can you tolerate 5 JEs that are not performing..ie your control performed at 95 percent, it depends whether this level of performance is sufficient. This could be one example of define performance standards for controls and then defining tolerance levels on them.