Detect events in good time to do something positive about them

  
  The third edition of ISO/IEC 27002 was published last February… the new controls are now in ISO/IEC 27001:2022 Annex A which was published on 25 October last
 

Time theory

The Time Theory asserts that an effective system of internal control detects both opportunities and events in sufficient time to do something positive about them. In the case of opportunities, the objective is to exploit them to create a benefit before the window of opportunity expires. Likewise, in the case of events, the objective is to prevent the occurrence of a consequence (or recover gracefully from that occurrence should prevention fail).

Let us examine how this works. We will first look at the case of opportunities and benefits, and then at the case of events and consequences.

Opportunities and benefits

We often talk about windows of opportunity: an opportunity happens and a window of time comes into existence within which we have to exploit that opportunity in order to reap the benefits that the opportunity offers. If we fail to respond in time the opportunity passes us by and is gone for ever. Of course, another, perhaps related opportunity could immediately surface, but we will treat that as a new opportunity.

In the diagram below we show a graph of money against time in order to illustrate the point. The graph shows two lines traversing from left to right. The lowest (in blue) represents the cost of doing business. The uppermost line (in purple) represents revenue.

 

The opportunity is exploited successfully and in time

At some point in time (TO) an opportunity arises. We discover this a little later (at time TD) and are able to respond successfully (at time TR) well within the window of opportunity, which expires at time TW.

There is a cost associated with responding to the opportunity (CR) and a benefit, which has a value, Val. We hope that Val > CR; otherwise pursuing the opportunity may not have been a good idea. Of course, there may have been other benefits, and to determine the overall effect we would need to model them as well. This is dealt with in the topic of opportunity exploitation plans.

Let us now, however, consider the case where we fail to respond in time. In this case (see figure below), we detect the opportunity within the time window but fail to respond in time. The result is that there is a cost to respond but no benefit.

 

The opportunity is not exploited in time

In practice, there are three similar cases. The first is that we detect the opportunity too late to respond. In this case there is no benefit, but also no cost. The second is that we detect the opportunity in time but our response is too late. In this case there is a cost but no benefit. The third case, which has exactly the same end result, is that we detect and respond in time but fail to exploit the opportunity.

Comparing the two diagrams, everything else being equal, P1 > P2.

Events and consequences

Events and consequences behave in an exactly analogous way. In the diagram (below) we again show a graph of money versus time. This time we show three lines showing the cost of doing business (lowest in blue), the cost of the control (middle in orange) and revenue (uppermost in purple). The orange line was not included in the previous graphs because the cost of doing business in the absence of controls is actually the cost of the sprites.

At some point in time (TE) an event occurs, which nobody notices. As if some unseen hand stretches forth at this time and inverts an hourglass, at some time (TW) later, when the sand runs out, a consequence occurs with severity Sev. This, of course, is exactly the opposite effect to that which occurred in the first opportunity exploitation case discussed above.

Still nobody notices, but it is perhaps at a regular management meeting (at time TM) that somebody does. Action is taken at a cost CF and takes effect at time TF. In this case, the action taken is partially successful, as shown by the increase in the slope of the revenue line following the application of the corrective action.

 

The event is detected too late to prevent the consequence

We now turn our attention to the diagram below, which shows exactly the same event and the expiry of its associated time window (at TW). This time, however, the internal controls detect the event at time TD and cause corrective action, either automatically or through human intervention, to be successfully applied at time TF. Since TF < TW, the consequence does not occur. There may be a cost associated with the corrective action. This cost is not part of the running costs associated with internal control, as it would not have been incurred had the event not occurred.

 

The event is detected in time to prevent the consequence

In these two cases, everything else being equal, P1 < P2.
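The four cases (the opportunity cases under "Opportunities and benefits" and the event cases under "Events and consequences") can be expressed as a small money-versus-time model. The code below is an added illustration, not the page's own model or the source of its figures. It uses the text's symbols (TO, TD, TR, TW, CR, Val for opportunities; TE, TD, TF, TW, CF, Sev for events) and assumes that P1 and P2 denote the net money outcome of each diagram; the time points and amounts in the sample cases are constructed, and the "partially successful" late corrective action is simplified to a fixed cost CF with the full severity Sev still incurred.

```python
"""Toy money-versus-time model of the Time Theory cases.

Constructed illustration: every number below is arbitrary and chosen only to
make the comparisons P1 > P2 (opportunities) and P1 < P2 (events) concrete.
P is taken to be the net money outcome (benefit or revenue minus cost).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Opportunity:
    t_arise: float        # TO: the opportunity comes into existence
    t_window: float       # TW: the window of opportunity expires
    t_detect: float       # TD: we notice the opportunity
    t_respond: float      # TR: our response takes effect
    cost_respond: float   # CR: cost of responding
    value: float          # Val: benefit if the opportunity is exploited
    exploited: bool = True  # a timely response can still fail to exploit

    def __post_init__(self) -> None:
        # Detection cannot precede the opportunity, nor response precede detection.
        if not (self.t_arise <= self.t_detect <= self.t_respond):
            raise ValueError("expected TO <= TD <= TR")


def opportunity_outcome(o: Opportunity) -> tuple[float, float, str]:
    """Return (cost, benefit, case label) for one opportunity."""
    if o.t_detect > o.t_window:
        # Detected too late: nothing spent, nothing gained.
        return 0.0, 0.0, "detected too late"
    if o.t_respond > o.t_window:
        # Money spent responding, but the window had already closed.
        return o.cost_respond, 0.0, "responded too late"
    if not o.exploited:
        # Same end result as a late response: cost without benefit.
        return o.cost_respond, 0.0, "response failed to exploit"
    return o.cost_respond, o.value, "exploited in time"


def opportunity_profit(o: Opportunity) -> float:
    cost, benefit, _ = opportunity_outcome(o)
    return benefit - cost


@dataclass(frozen=True)
class Event:
    t_event: float      # TE: the event occurs (unnoticed)
    t_window: float     # TW: the consequence occurs unless fixed before this
    t_detect: float     # TD (or TM if first noticed at a management meeting)
    t_fix: float        # TF: corrective action takes effect
    cost_fix: float     # CF: cost of the corrective action
    severity: float     # Sev: loss if the consequence occurs

    def __post_init__(self) -> None:
        if not (self.t_event <= self.t_detect <= self.t_fix):
            raise ValueError("expected TE <= TD <= TF")


def event_outcome(e: Event) -> tuple[float, float, str]:
    """Return (cost, loss, case label) for one event."""
    if e.t_fix < e.t_window:
        # Corrective action landed before the sand ran out: no consequence.
        return e.cost_fix, 0.0, "consequence prevented"
    # Fix arrived after TW: the consequence has already happened.
    return e.cost_fix, e.severity, "consequence occurred"


def event_profit(e: Event, baseline_revenue: float) -> float:
    """Net outcome over the period, given revenue with no event at all."""
    cost, loss, _ = event_outcome(e)
    return baseline_revenue - cost - loss


# Constructed sample cases mirroring the four diagrams.
OPP_IN_TIME = Opportunity(t_arise=0, t_window=10, t_detect=2, t_respond=5, cost_respond=20, value=50)
OPP_LATE_RESPONSE = Opportunity(t_arise=0, t_window=10, t_detect=2, t_respond=12, cost_respond=20, value=50)
OPP_LATE_DETECT = Opportunity(t_arise=0, t_window=10, t_detect=11, t_respond=12, cost_respond=20, value=50)
OPP_NOT_EXPLOITED = Opportunity(t_arise=0, t_window=10, t_detect=2, t_respond=5, cost_respond=20, value=50, exploited=False)
EVT_LATE = Event(t_event=0, t_window=10, t_detect=15, t_fix=18, cost_fix=20, severity=100)
EVT_PREVENTED = Event(t_event=0, t_window=10, t_detect=3, t_fix=6, cost_fix=20, severity=100)
BASELINE = 500.0


def compare_cases() -> dict[str, float]:
    """P for each diagram; P1 > P2 for opportunities and P1 < P2 for events."""
    return {
        "opportunity P1 (in time)": opportunity_profit(OPP_IN_TIME),
        "opportunity P2 (too late)": opportunity_profit(OPP_LATE_RESPONSE),
        "event P1 (detected late)": event_profit(EVT_LATE, BASELINE),
        "event P2 (detected in time)": event_profit(EVT_PREVENTED, BASELINE),
    }


if __name__ == "__main__":
    for label, p in compare_cases().items():
        print(f"{label:30s} {p:8.1f}")
```

The two `__post_init__` checks are the part worth keeping in any real model: a detection time earlier than the event or opportunity it detects, or a fix earlier than its detection, is a data error rather than a fast control, and silently accepting it would make the P comparisons meaningless.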

In summary, these four cases demonstrate that an effective system of internal control is one which enables the prompt detection of opportunities and events in sufficient time for an organisation to successfully exploit the opportunity for gain, or to prevent the occurrence of a consequence and thus a loss. Taken together, the two concepts facilitate discussion of alternative business strategies, where one offers high rewards for high risks whereas the other offers lower rewards for lower risks.