Thursday, May 31, 2012

STOP! The Controls Madness . . . Part I

I saw this headline recently and it got me thinking . . . .

Many organisations have been encouraged, and in some cases required, to focus their financial risk efforts on controls, developing an internal control system, regularly assessing the efficacy of controls and reporting against that for audit and compliance purposes.

Any good internal control system is risk based, but the excesses of the early SOX years forced many companies to over-engineer their focus on controls, often goaded by their external auditor. This resulted in the growth of largely administrative teams and departments to manage the process, ensure self-assessments were properly documented and produce evidence to satisfy external review. The internal control system became a goal in itself, not the mechanism to understand and manage risk. GRC tools emerged and were deployed to help manage the complexity and ease the documentation challenge of multiple versions of the truth. The whole ‘SOX process’ became so heavy that executives who really needed to focus on risk management were required to delegate this to teams who were less well versed in the business.

We are all glad these days of excess have passed, but many organisations still suffer from its legacy.

The key issue is RISK. Identifying it, assessing it, monitoring it, managing it and mitigating it to keep the company driving in the right direction and on an ‘even keel’.

The problem with controls, be they manual or automated, in mitigating risk is that they have unintended consequences. These consequences include overconfidence in the process and a naive belief in the effectiveness of controls embedded in systems, to name but two!

To consider the unintended consequences, think about the road system. As roads became more congested in the 1950s and 1960s, the occurrence of road accidents increased, and planners tried to work out how to reduce this. A new control system of laws and a ‘code of conduct’ on the road was developed and implemented with road signs and rules. Then traffic lights were deployed at busy intersections. The occurrence of traffic lights, and indeed ‘roundabouts’, exploded in the following decades. Although accidents and injuries reduced, they kept creeping back up. So we implemented speed bumps, radar traps and so on.

The interesting and unanticipated side effect of these ‘controls’ is that they have become ‘received wisdom’ and are used widely. However, observation and anecdote tell us that, while these controls ‘work’, they are not quite as effective as we would like to think. For example, drivers now tend to accelerate up to traffic lights to avoid the red, and they speed between bumps and radar traps. So while these controls ‘work’, the level of dangerous driving may actually increase in certain cases. Add to this that pedestrians feel a greater sense of security around these control systems, and any aberrations by drivers can have decidedly unpleasant consequences.

The irony is that a growing number of experts have suggested reducing the number of traffic lights to both reduce risk and ease traffic flow. Fewer controls to reduce risk? That's a novel idea!

Coincidentally, there has recently been a parallel thrust in the area of internal controls over financial reporting (ICFR) focussed on 'controls rationalization'.

OK, analogies are dangerous. Let’s consider risk and control in financial processes in the corporation.

One of the risks we seek to minimise is that of inappropriate overhead expenditure, whether it is due to waste or fraud. So we implement a spend control of, say, ‘all items over 1000 dollars require senior management sign off’. It gets defined and communicated as a policy, and even the ERP/Financial system is configured to ensure all spend above 1000 dollars is routed for secondary approval. Great! So we are all fixed, right?

Well, not really. We all know how that one gets dealt with. Employees trying to fast track important projects, or just save time to meet business targets, make 2 or 3 purchases within their allowance and no one is any the wiser. Worse still, our belief in our control system can make us blind to the extended risk.

The point is we need to continue to educate and reinforce that the issue is ‘RISK’ and not just ‘CONTROL’.

So what mechanism should we use to address the underlying risk?

In part 2 of this post, I will come to this . . . 

http://consider-ations.blogspot.se/2012/06/stop-controls-madness-part-deux.html

Thanks for reading . . . .

1 comments:

  1. Nice one Dan! Could not agree any more. But...

    How do you know if your risk prevention investment is sufficient? What are the tell signs that you are "balanced" between control waste and risk poor?

    Cheers
