This research develops a formal method for deriving control requirements that an inter-organizational procedure must satisfy to safeguard the involved parties against behavioral risk. Instead of looking at the documentary exchanges among the parties, the research examines the underlying deontic purposes of these exchanges and identifies control requirements to secure these purposes.