All four stages of the Operational Risk Framework are critical and of equal importance in maintaining a secure environment. Yet most of an op risk officer's time is spent, if not stuck, in the Monitor phase: reviewing audit logs, preparing management reports, assessing compliance with internal procedures, conducting penetration testing and vulnerability scans, managing SOX 404, HIPAA and other audits, etc. In a perfect world, the overemphasis on the Monitor phase is understandable. If the business has adequately focused on conducting risk assessments and implementing controls, then most of the ongoing resources can be devoted to monitoring activities rather than to constantly addressing errors. In the real world, most resources are focused on Monitoring because businesses do not understand the importance of establishing a strong foundation through assessment and controls. This approach becomes a self-fulfilling prophecy: by focusing on the Monitor phase, risks are inappropriately prioritized and control resources are misallocated, resulting in high failure rates that require a heightened level of Monitoring.