As a continuation of the topic on the importance of critical controls management, another fundamental step in this task is the definition of objectives and performance requirements.
At this point, activities that will impact control performance are identified. These provide an aid to understanding how these critical controls should be verified in practice and a mechanism for monitoring the health of the critical control.
Start by defining the objective of the critical control
Defining the objective of the critical control is important and will help you understand the role, expectations and outcomes of the control. The objective of a critical control is a specific description of what the control needs to do. To help define the critical control objective, consider the following:
- What is the result you are trying to achieve by implementing this critical control?
- How will the critical control prevent the undesirable material event?
Establish the performance requirements for the critical controls
Performance requirements are the standards to which a control must perform. They should contain an action (either preventive or maintenance) and a specific acceptance threshold value. Also, a performance requirement needs to consider the context of the control.
Performance requirements for a control may already exist within a company’s documents. This can be determined by reviewing relevant processes, procedures, maintenance manuals, and other supporting documents. Other supporting materials that will serve to determine performance requirements are industry standards. Caution should be exercised in this regard as there are a variety of standards in companies and these are often not specific or not directly related to the context of the control.
In the event that there are no performance requirements for a critical control, these should be developed. If so, the requirements must be:
- Specific: they should be clearly defined and not vague.
- Measurable: performance requirements should be quantifiable when necessary.
- Appropriate: performance requirements should be aligned with the critical control objective.
- Realistic: requirements should be achievable in the operational context.
Subsequently, the critical control performance level should be defined that can initiate immediate action to close or change the operation, or signal that the critical control needs to be improved. The process for defining this performance level is the same process used to identify requirements.
In addition, a review or evaluation of the objectives should be conducted by answering the following questions:
What are the specific objectives of each critical control?
What performance is required of the critical control (This is sometimes called a performance standard)?
What support or enabling activities does the critical control require to be performed as needed and specified?
What verification is needed to verify that the critical control is meeting its required performance? how frequently is verification needed? what type of verification is needed?
What would initiate immediate action to stop or change an operation or improve the performance of a critical control?
And finally, prepare a report
In it, you should specify for each critical control the following information:
- The name of the critical control
- What are the specific objectives of the critical control?
- What performance is needed from the critical control?
- What activities support the control performance in the standard?
- What verification activities are needed to ensure that the critical control is achieving its required performance?
