Rethinking and shrinking control frameworks proves to be a daunting exercise for most organisations I encounter in my daily work. In this blog, besides touching upon the concept of control frameworks and what their rationalisation looks like, I would like to disentangle the question of how control frameworks can be made leaner and what you need to make this a successful effort.
COSO defines an internal control as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance. Controls help to ensure that the necessary measures are taken to address the risks that may hinder the achievement of the entity's objectives. Once a risk is identified and assessed, you can choose to establish a control as a way of neutralising or reducing the identified risk, so that the probability of the potential threat, or its impact, decreases. I consciously use the wording ‘you can choose to’: it is often forgotten that risks can also be accepted, avoided or transferred. Controls are not the only way to address risk.
However, in practice, I regularly see attempts to address (almost) all identified risks with controls. And, just to be on the safe side, many of these controls are flagged as ‘key’ and worded in great detail, resulting in voluminous descriptions, massive checklists and a great deal of repetitive work. It is peculiar that control frameworks at most organisations have grown in an uncontrolled manner, causing duplication of work, inefficiencies and a lack of overview.
The resulting lack of transparency may lead your people astray if they no longer understand what they do and why they do it, not to mention the costs of the resulting inefficiencies. Hence, every now and then, it is necessary to rationalise your control framework, in the spirit of ‘cost out & value in’: rationalise controls not just for the sake of reducing costs, but also to create room to invest time, energy and mental space in something that creates new value.
Conceptually, control rationalisation consists of four steps. The first - and arguably most important one - is to reduce the number of controls you have by (re)assessing which controls are truly necessary to address the risks you identified. Secondly, standardise what you can by harmonising the controls addressing the same risk but executed in different parts of your organisation. The third step is to simplify the remaining controls by reducing complexity and inefficiencies in processes and controls. Last, but not least, where possible, automate your standardised and simplified controls so that you can reduce manual work and the cost of manual error.
The story becomes more interesting when you ponder why this is not happening, or is happening at a snail’s pace. You may ask yourself: why would I change something which works all right? Certainly, this question does not only apply to controls, but let’s keep the focus there. You may settle for ‘okay’ even if it leads to subpar results when priorities are elsewhere: there are always more urgent matters to deal with. However, with the imperative to cut costs, it is no longer an option to leave your controls as they are. Wondering how much you can improve? I have a thought experiment for you: if you were to build your control framework from scratch, to what extent would it resemble your current version? If the gap is large, you have a business case to make, one which is not only aimed at cutting costs, but also at creating space for investment.
In my previous blog I alluded to my penchant for gardening, and I would like to argue that there are some lessons the Risk function can learn from horticulture. Each year the gardening season ends (before winter) and starts (in spring) with what we may call in business terms ‘elimination’: getting rid of what is not needed. From time to time, weeds are removed, old plants are taken out of the soil and trees are trimmed. These activities are needed to secure the conditions for plants to rejuvenate, grow and blossom. Going back to control frameworks, while controls may be added in a relatively ad hoc manner throughout the year, they are not removed consistently when they are no longer needed. Therefore, annual risk cycles should include elements similar to these gardening activities, so that such a ‘round of elimination’ happens periodically. And before you have that measure in place, a large one-off decluttering project may be needed.
Furthermore, process simplification is key. Controls within processes are often translated into sign-offs, not one, but many. A sign-off has beautiful connotations and symbolises a sense of ownership, much as a painter inscribes their name on a masterpiece. However, requiring so many sign-offs diminishes the value of each signature. As a matter of fact, too many sign-offs and formalities can lead to nobody feeling true ownership. Such diffusion of responsibility may easily lead to a lower level of control, or an illusion of control. Therefore, next to eliminating entire controls, I also recommend that you simplify your controls by minimising the number of sign-offs and checklists. And then empower those executing them to take full responsibility for their work.
I often get questions on tooling that can be used to automate controls. My answer is that you need to start with control rationalisation, not automation. The foundation for rationalisation is laid by process and control mapping, which gives you insight into your controls. Our digital accelerator tool, Pεrspective, combines process and control mapping with data analytics. As part of this diagnostic phase, controls that are duplicates, or that are superfluous because they neither mitigate an identified risk nor safeguard adherence to a regulation, are eliminated.
But for the essence of the work, the best ‘tool’ I can recommend is called ‘Cerebrum’, in other words, your brain. Joking aside, I firmly believe that the starting point for elimination and simplification should be a thorough and thoughtful risk assessment. Once you know what your risks are, and what your risk appetite is for your most important risks, you can evaluate the suitability of your controls to address these risks, and get rid of the ones you do not strictly need. If you feel uncomfortable while doing this, you are on the right track.
Control rationalisation paves the way for continuous monitoring of risk exposure. And the full potential of continuous monitoring depends on the extent of control automation. Our Continuous Monitoring Platform (CMP) is a cloud platform where automated controls are tested in real time against the full population of transactions, making manual sampling and manual testing redundant. CMP has a customised reporting dashboard showing the real-time state of control compliance, and a standard workflow for handling exceptions so that their impact can be identified quickly.
I often notice that organisations start with automation. However, you will not reap the benefits of automation, especially from a cost point of view, unless you first rationalise your control framework. At the same time, using accelerator tools for process and control mapping is a must. Do note that there is no single tool or platform on the market that addresses digitalisation of the whole internal control lifecycle, from capturing compliance requirements to scoping, designing, executing, monitoring and reporting on controls. The effort remains a combination of smart tooling and smart thinking.
To conclude on a philosophical note, both Buddhist and Stoic thinkers propound that you cannot control what happens, only your response to those happenings. In the realm of Risk, being in control does not mean that you have to overload yourself with controls; you may have no control at all over certain events, even if you established controls to address them. Choose your risk response carefully and consciously, and bear in mind that this response may sometimes mean that you choose not to do something, so that you can dedicate more attention and mindspace to a risk that matters more.
Fewer controls lead to being more in control. This may still sound counterintuitive and uncomfortable, but I also hope that as a good gardener, I have planted some seeds which will help you cultivate this thought.
Partner, Risk & Regulation lead, PwC Netherlands