Designing Controlled Processes

Then review the mitigation options and determine appropriateness:

  • Does the cost/benefit ratio make sense?
  • What are the implementation costs?
  • What will the ongoing operational expenses be?
  • How will it impact productivity?
  • Can it realistically be sustained?
  • How long will it take to implement?
  • Will the mitigation activity itself be reliable? What are its risks? What controls are needed for it?
  • Many times, several lower cost controls can be combined to yield better risk reduction than one complex expensive control.

It is essential that management support processes and set the proper “tone” so controlled processes are honored. Dr. Deming would emphasize there are only two outcomes to processes—you either follow them or formally change them.

Process designs that embody proper controls can yield operational, security and regulatory compliance benefits. To be effective and efficient, they must be implemented on the basis of risk, such that the controls used reduce the risks to objectives to an acceptable level.

Risk mitigation beyond that point can result in needlessly expensive processes that are too complex for people to sustain in the long term. Processes need to be designed with these requirements taken into consideration to yield not only controlled processes but, even more importantly, controlled processes that can actually be sustained over the long term.

George Spafford is a principal consultant with Pepperweed Consulting and a long-time IT professional. George’s professional focus is on compliance, security, management and overall process improvement.