Performance Standards for controls

Hello everyone,

Does anyone have information (general or otherwise) regarding performance standards for controls? I'm trying to come up with some good examples to present at risk workshops. By showing a few I hope to get the message across that control identification alone is not enough.





  • Maybe you could explore physical access control (to protect an organization's assets).  One would want to measure the effectiveness of the control (keeping unauthorized people out or feeding people into a secondary screening area).  One would also want to monitor unintended consequences like lost productivity because of bottlenecks, resulting in delays in getting to one's workspace; and worse, clustering of people around an (exposed) entrance...
  • Thank you everyone for replying. I'll try and be more specific. I was hoping to find a simple example of a risk event along with a critical control(s) and show how the control is measured or followed through such that its performance meets a minimum criteria/critical operating parameter that a critical control must have in order to be effective in the management of a risk.

    The idea is to be able to first present to people at workshops, with a very simple example, the concept of what we mean by a performance standard.

    Thanks again!
  • Dear Benjamin


    Your message is a bit unclear.  Do I understand you correctly when I interpret that you are looking at examples of risk events with good controls or intervention?  Sincerely



  • Benjamin wrote:

    > Does anyone have information (general or otherwise) regarding performance standards for controls?

    Response: On control and performance standards there are many international standards bodies which are accepted all over the world; I will list a few standards here.


    ISO Standards Board

    Perhaps the largest, most widely accepted standards board.  The ISO standards board releases specifications for how to measure risk, volatility, calibration, in fact a whole set of metrics.  They are perhaps the largest and most widely accepted standards board in the world, working with everything from IT security to quality assurance.



    Failure Mode and Effects Analysis (FMEA) and Failure Modes, Effects and Criticality Analysis (FMECA) are methodologies designed to identify potential failure modes for a product or process.  The aim is to assess the potential hazard associated with specific failure and to grade potential threats.

    Failure Mode Effect Analysis sets standards on Mean Time Between Failure and Mean Time To Repair.



    Hazard and Operability Standards are based around a process of examination of a planned exercise to identify potential threats, and they use specific guided language to frame threats, as explained here.



    The failure mode and effects criticality standard is a US military standard that sets quality control for all equipment that is deployed to the field.  Think about it: a soldier doesn't need to be dependent on a device that only works half the time, and goodness knows what they do with Microsoft Windows out in the battle zone.  More information can be found here; it is a bit of an old document and I am sure there are clearer ones up on the net.


    AS/NZS 4360:2004

    A standard set down by the standards and control board of Australia on how to establish a risk framework for monitoring and measuring exposure.  The aim is to lift the risk management practice of corporations in Australia.  The standards board of Australia site (link can be found here) sets all sorts of minimum requirements for everything from building design to workplace safety practice.


    Six Sigma and others

    Nearly every field out there has a standards board for control; it is actually incredible how many of them there are, but certainly in the realm of risk and control I would focus on ISO or Six Sigma.  Let's take Six Sigma for example: this sets out a method to improve the quality of a process or product by removing defects in the process value chain itself. It stipulates the methods for measuring variance and has itself become not only a recommended process for improving control but a standard.


    Trust this information helps but do feel free to come back to me if you have any questions.



  • Ian

    I would be very interested to hear from you after you return from the conf.  So many are light on the "take home and apply" tools and rarely do they present cutting edge insights into creating world class organizations.  I was asked to speak at an upcoming conf. in Vancouver; however, I had to tell the sponsor that what we do is for our "paying clients."  And I suppose that is why most conf. speakers hold back on sharing what they really know how to do.  :-)  Anyway ... I will be waiting to hear about what you think.

    Regards ... LJC

  • Lawrence - excellent. I am attending a conference on supply chain risk management in two weeks.  The SC model is a good one. I've looked at air cargo security from the regulatory perspective.  There is a shift in thinking from simply having security plans (controls) in place (to be deemed compliant) to demonstrating performance and capability, but, sadly, I'd say it is still early days... I look forward to reading your paper.
  • The business principles behind our organization and the clients we work with are based upon four extremely simple yet universally profound concepts:


    #1) The Universe and all within is continually changing

    #2) Change = Opportunity + Risk

    #3) If You Can't Measure It … You Can't Manage It. Therefore … Measure What Matters.

    #4) It's the Human Metrics ... that Drive the Financial Metrics.


    Go to >>   >> then select #4 – Engineering the Executive’s Dashboard …” download the free white paper … to get an overview of the power of supply chain metrics.


    Lawrence Carson

    Founding Principal

  • Three resources that come to mind are: the DHS Chemical security risk-based performance standard -; a very clever water security Technical-Management-Financial (TMF) capacity self assessment tool from EPA; and a Canadian Standard for security of onshore oil and gas.  The latter costs money, so I do not have it.  It is interesting that it focused only on onshore, but it was done in response to 9/11, before the Deepwater Horizon disaster.  An issue with the security culture is that it thrives in the vertical dimension, which is action / reaction, control and countermeasures-oriented, but it does not do well in the world of uncertainty and performance (in the future).  I agree that controls are one facet of a bigger problem.  If you have trouble finding the information, email me.  I have witnessed threat/hazard identification and risk assessments that were really control assessments, not risk assessments - there is a significant difference.  Not everyone has a common understanding of the variables because people come at this problem from several directions and cultures. Good luck
  • Hi Benjamin, one example you could use is this.

    In the case of Journal Entries (JE), if the designed control is "All JEs will be approved by the appropriate person based on approval authority.  All JEs will be signed by the appropriate person and adequate supporting documentation will be attached", here are many performance attributes:

    1. All JEs approved by appropriate authority [based on authorized approval dollar limit]

    2. JE creator is not approving the JE

    3. JE is signed - approval can be verified and is irrefutable

    4. Supporting documentation is used for making the decision and the supporting documentation is attached so that it can be verified.

    5. JEs are made timely in the appropriate month

    So if you define these performance parameters, you can measure the performance of the control.  If you sample 100 JEs, how many are completely OK based on the 5 parameters mentioned above?  Also you have to define the tolerance limit depending on the application.  If 95/100 are found to be fine, then can you tolerate the 5 JEs that are not?  Your control performed at 95 percent; it depends whether this level of performance is sufficient.  This could be one example of defining performance standards for controls and then defining tolerance levels on them.

    Best Regards


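The measurement the reply above sketches (score each sampled JE against the five attributes, then compare the pass rate with a tolerance limit), written out as an added example that is not part of the original thread; the approval limits, names, amounts and dates are constructed:

```python
# Added example, not from the thread: score constructed journal entries (JEs) against
# the reply's five performance attributes and compare the pass rate with a tolerance.
from dataclasses import dataclass
from datetime import date
APPROVAL_LIMITS = {"cfo": 1_000_000, "controller": 100_000, "manager": 10_000}  # hypothetical
PERIOD_START, PERIOD_END = date(2024, 3, 1), date(2024, 3, 31)  # accounting month under test

@dataclass
class JournalEntry:
    amount: float
    creator: str
    approver: str  # "" when the JE was never approved
    signed: bool
    attachments: int
    posted: date

def attribute_failures(je: JournalEntry) -> list[str]:
    """Return the performance attributes (1-5 in the reply) that this JE fails."""
    failures = []
    if je.amount > APPROVAL_LIMITS.get(je.approver, -1):  # 1. within approval authority
        failures.append("approval_authority")
    if je.approver and je.approver == je.creator:  # 2. segregation of duties
        failures.append("creator_approved_own_je")
    if not je.signed:  # 3. approval verifiable and irrefutable
        failures.append("not_signed")
    if je.attachments == 0:  # 4. supporting documentation attached
        failures.append("no_supporting_documentation")
    if not PERIOD_START <= je.posted <= PERIOD_END:  # 5. posted in the right month
        failures.append("not_timely")
    return failures

def control_performance(sample: list[JournalEntry], tolerance_pct: float) -> dict:
    """Pass rate over the sample, tolerance verdict, and failure count per attribute."""
    by_attribute: dict[str, int] = {}
    passed = 0
    for je in sample:
        failures = attribute_failures(je)
        passed += 1 if not failures else 0  # a JE passes only if all five attributes hold
        for name in failures:
            by_attribute[name] = by_attribute.get(name, 0) + 1
    rate = 100.0 * passed / len(sample)
    return {"pass_rate": rate, "meets_tolerance": rate >= tolerance_pct, "failures": by_attribute}

# Constructed sample of five JEs; three fail at least one attribute, so the rate is 40%.
SAMPLE = [
    JournalEntry(5_000, "alice", "manager", True, 2, date(2024, 3, 12)),
    JournalEntry(50_000, "bob", "manager", True, 1, date(2024, 3, 15)),  # exceeds manager's limit
    JournalEntry(20_000, "controller", "controller", True, 1, date(2024, 3, 20)),  # self-approved
    JournalEntry(800, "carol", "manager", True, 1, date(2024, 3, 28)),
    JournalEntry(100, "dave", "", False, 0, date(2024, 4, 2)),  # unapproved, unsigned, no docs, late
]
```

The per-attribute failure counts tell you which part of the control is weak, which a bare pass rate does not.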
  • You will have to define this further I think. Performance standards should be contained in a contract if there is an outside entity providing the service; if it is in house then they should be defined in the standard operating procedures. The SLAs, unless you can show that they are unrealistic in themselves, will not throw any red flags from a Risk Analysis perspective; however, with that being said, if there are outdated processes, lack of personnel to provide to the SLAs, or if there are sunsetting software and hardware issues, any of these could be used to make your case.