Blog

Comments

• 

  Ian Bayne March 24, 2011 16:19

  Maybe you could explore physical access control (to protect an organization's assets).  One would want to measure the effectiveness of the control (keeping unauthorized people out or feeding people into a secondary screening area).  One would also want  to monitor unintended consequences like lost productivity because of bottlenecks, resulting in delays in getting to one's workspace; and worse, clustering of people around an (exposed) entrance...
• 

  Benjamin Mira March 24, 2011 16:10

  Thank you everyone for replying. I´ll try and be more specific. I was hoping to find a simple example of a risk event along with a critical control(s) and show how the control is measured or followed through such that its perfomance meets a minimum criteria/critical operating parameter that a critical control must have in order to be effective in the management of a risk.
  
  The idea is to be able to first present to people at workshops, with a very simple example, the concept of what what we mean by a performance standard.
  
  Thanks again!
• 

  Beulah Misrole March 23, 2011 19:48

  Dear Benjamin

   

  Your message is a bit unclear.  Do I understand you correctly when I intepret that you are looking at examples of risk events with good controls or intervention?  sincerely

   

  Beulah
• 

  Martin Davies March 18, 2011 23:37

  Benjamin wrote:> Does anyone have information (general or otherwise) regarding performance standards for controls?

   

  Response:> On control and performance standards there are many international standards bodies which are accepted all over the world, I will take to list a few standards here.

   

  ISO Standards Board

  Perhaps the largest most widely accepted standards board.  The ISO standards board releases specifications for how to measure risk, volatility, calibration, in fact a whole set of metrics.  They are perhaps the largest and most widely accepted standards board in the world working with everything from IT security to quality assurance.

   

  FMEA / FMECA

  Failure Mode and Effects Analysis (FMEA) and Failure Modes, Effects and Criticality Analysis (FMECA) are methodologies designed to identify potential failure modes for a product or process.  The aim is to assess the potential hazard associated with specific failure and to grade potential threats.

  Failure Mode Effect Analysis set standards on Mean Time Between Failure, Mean Time To Repair.

   

  HAZOP

  Hazard and Operability Standards is based around a process of examination of a planned exercise to identify potential threats and it uses specific guided language to frame threats as explained here.

   

  MIL-SD-1629

  Failure mode and effects criticality standard is a US military standard that sets quality control for all equipment that is deployed to the field.  Think about it, a soldier doesn't need to be dependent on a device that only works half the time and goodness knows what they do with Microsoft Windows out in the battle zone.  More information can be found here bit of an old document and I am sure there are clearer ones up on the net.

   

  ASNZS 4360:2004

  A standard set down by the standard and control board of Australia on how to establish a risk framework for monitoring and measuring exposure.  The aim is to lift the risk management practice of corporations in Australia.  The standards board of Australia site link which can be found here sets all sorts of minimum requirements for everything from building design to work place safety practice.

   

  Six Sigma and others

  Nearly every field out there has a standards board for control, it is actually incredible how many of them there are but certainly in the realm of risk and control I would focus on ISO or Six Sigma.  Lets take Six Sigma for example, this sets about a method to improve the quality of a process or product by removing defects in the process value chain itself. It stipulates the methods for measuring variance and itself has become not only a recommended process for improving control but a standard.

   

  Trust this information helps but do feel free to come back to me if you have any questions.

   

   
• 

  Lawrence Carsom March 18, 2011 22:52

  Ian

  I would be very interested to hear from you after you return from the conf.  So many are light on the "take home and apply" tools and rarely do they present cutting edge insights into creating world class organizations.  I was asked to speak on an upcomming conf. in Vancouver however I had to tell the sponsor that what we do is for our "paying clients."  And I suppose that is why most conf. speakers hold back on sharing what they really know how to do.  :-)  Any way ... I will be waiting to hear about what you think.

  Regards ... LJC
• 

  Ian Bayne March 18, 2011 18:41

  Lawrence - excellent. I am attending a conference on supply chain risk management in two weeks.  The SC model is a good one. I've looked air cargo security from the regulatory perspective.  There is a shift in thinking from simply having security plans (controls) in place (to be deemed compliant) to demonstrating performance and capability, but, sadly, I'd say it is still early days... I look forward to reading your paper.
• 

  Lawrence Carsom March 18, 2011 18:30

  The business principles behind our organization and the clients we work with are based upon four extremely simple yet universally profound concepts:

   

  #1) The Universe and all within is continually changing

  #2) Change = Opportunity + Risk

  #3) If You Can’t Measure it … You Can’t Manage It Therefore … Measure  What Matters.

  #4) It’s the Human Metrics ... that Drives the Financial Metrics.  

   

  Go to >> http://www.atica.us/white_papers.htm   >> then select #4 – Engineering the Executive’s Dashboard …” download the free white paper … to get an overview of the power of supply chain metrics.

   

  Lawrence Carson

  Founding Principle
• 

  Ian Bayne March 18, 2011 17:57

  Three resources that come to mind are: DHS Chemical security risk-based performance standard - http://www.dhs.gov/files/programs/gc_1238784785789.shtm; a very clever water security Technical-Management-Financial (TMF) capacity self assessment tool from EPA; and a Canadian Standard for security of onshore oil and gas.  The latter costs money, so I do not have it.  It is interesting that it focused only on onshore, but it was done in response to 9/11, before the Deepwater Horizon Disaster.  An issue with the security cultures is that it thrives in the vertical dimension, which is action / reaction, control and countermeasures-oriented, but it does not do well in the world of uncertainty and performance (in the future).  I agree that controls are one facet of a bigger problem.  If you have trouble finding the information, email me irbayne@rogers.com.  I have witnessed threat/hazard identification and risk assessments that were really control assessments, not risk assessments - there is a significant difference.   Not everyone has a common understanding of the variables because people come at this  problem from several directions and cultures. Good luck
  
• 

  Nagesh Bharadwaj March 18, 2011 17:50

  Hi Benjamin, one example you could use is this.

  In case of Journal Entries (JE), if the designed control is "All JEs will be approved by appropriate person based on approval authority.  All JEs, will be signed by the appropriate person and adequate supporting documentation will be attached"  Here are many performance attributes

  1. All JEs approved by appropriate authority [based on authorized approval dollar limit]

  2. JE creator is not approving the JE

  3. JE is signed - approval can verified and irrefutable

  4. Supporting documentation is used for making decision  and the supporting documentation is attached so that it can verified.

  5. JE are made timely in the appropriate month

  So if you define these performance parameters, you can measure the performace of control.  If you sample 100 JEs how many are completely ok based on 5 parameters mentioned above.  Also you have to define the tolerance limit depending on application.  If 95/100 is found to be fine then can you tolerate 5 JEs that are not performing..ie your control performed at 95 percent, it depends whether this level of performance is sufficient.  This could be one example of define performance standards for controls and then defining tolerance levels on them.

  Best Regards

  Nagesh
• 

  Larry Castle March 18, 2011 17:32

  you will have to define this further I think, Performance standards should be contained in a contract if there is an outside entity providing the service, if it is in house then they should be defined in the standard operating procedures. The SLA's unless you can show that they are unrealistic in themselves will not through any red flags in a Risk Analysis perspective, however with that being said, if there is outdated processes, lack of personnel to provide to the SLA's or if there are sun setting software and hardware issues any of these could be used to make your case.