Once a risk owner has decided to implement a control to mitigate risk, it is most important to develop a process for measuring and reporting control performance. This process helps to monitor and evaluate the actual results and outcomes of the control, compare them with the expected or desired objectives and standards, identify any gaps or issues that may affect the control’s effectiveness or efficiency, and report them to the relevant stakeholders for decision making or improvement actions.

An alternate control design in case of failure of the identified control is a contingency plan that can be used to reduce the impact of a control failure or breakdown. It is not the most important thing to develop after implementing a control, but rather a backup option that can be activated when needed.

A process for bypassing control procedures in case of exceptions is a mechanism that allows authorized users to override or circumvent a control in certain situations, such as emergencies,errors, or special requests. It is not the most important thing to develop after implementing a control, but rather a risk response that can be applied when necessary.

Procedures to ensure the effectiveness of the control are the steps or actions that are required to implement, operate, and maintain the control in accordance with the risk owner’s expectations and requirements. They are not the most important thing to develop after implementing a control, but rather a part of the control design and implementation process.

The references for this answer are:

Risk IT Framework, page 13

Information Technology & Security, page 7

Risk Scenarios Starter Pack, page 5