An operational risk manager at a large retail bank is asked to review the framework for the bank's risk mitigation controls. As part of this review, the manager classifies the risk controls as preventive, detective, corrective, or directive. Which of the following should the manager classify as a directive control?