Monitor Phase

All four stages of the Operational Risk Framework are critical and of equal importance in maintaining a secure environment. Yet most of an op risk officer's time is spent, if not stuck, in the Monitor phase - reviewing audit logs, preparing management reports, assessing compliance with internal procedures, conducting penetration testing and vulnerability scans, managing SOX 404, HIPAA and other audits, etc. In a perfect world, the overemphasis on the Monitor phase is understandable. If the business has adequately focused on conducting risk assessments and implementing controls, then most of the ongoing resources can be devoted to monitoring activities rather than constantly addressing errors. In the real world, most resources are focused on Monitoring because businesses do not understand the importance of establishing a strong foundation through assessment and controls. This approach becomes a self-fulfilling prophecy - by focusing on the Monitor phase, risks are inappropriately prioritized and control resources are misallocated, resulting in high failure rates, which in turn require a heightened level of Monitoring.


Detailed procedures for monitoring processes and systems are beyond the scope of this site. There is an abundance of best-practice resources that can provide assistance, such as COBIT, the FFIEC IT Handbook, COSO, FIRST, the Information Security Forum, NIST, and SANS. Some further advice:

  1. Best practices resources, like the ones referred to above, and detailed monitoring procedures tend to focus on systems, since it is easier to develop and implement monitoring and testing on objective, repeatable processes. The problem is that most losses occur not when systems fail, but when people fail. It is easier to implement a test to monitor whether employees are changing their passwords within the period specified in the business' policy and standards than it is to determine whether management has created an environment where employees understand the necessity of protecting their passwords. It is not unusual to find businesses where employees regularly change their passwords, but management chooses to ignore frequent password sharing. Any good Monitoring process must include a component that looks for the human element, the more subtle control failures, such as the following.
  2. In my experience, the truly monumental losses suffered by corporations are caused to a significant degree by the "Golden Boy" syndrome. Every business has a "Golden Boy", someone who generates significant revenues for the business and who has an equally oversized ego. As the Golden Boy generates greater revenues, his manager usually benefits as the bonuses and other incentive compensation come raining down. In the never-ending pursuit of greater revenue, the Golden Boy will eventually push the limits of prudent risk, and the manager will be faced with a dilemma - insist on compliance and the ever-growing bonuses will come to an end, or accede to the Golden Boy's demands and bend the rules. If the manager gives in to greed, the rules will be bent, and there is a significant risk that when the rules ultimately break under the strain, the losses will be measured in the millions and, occasionally, billions of dollars. There is no objective test for the Golden Boy syndrome, but it is a situation you need to monitor, typically by maintaining a network of employees throughout the business who are willing to share their concerns and observations with you.
  3. A strong testing program is a necessity in any business. But to avoid misallocating your resources, you need to have a good understanding of the appropriate test for each situation (see the next page).

©2009 ISRMC, LLC