Controls: The Good, the Bad & the Ugly
Necessities for Effective Risk Management
What is it?
A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. (Source: IIA/IPPF)
There are other definitions, but this one is useful because it captures the three points that matter:
- What is it, actually? An action, first and foremost. Not a procedure, and not a document: a written policy that nobody performs is not a control.
- What is its purpose? To mitigate a specific risk.
- Why is it there? To support the achievement of business objectives, not to exist for its own sake.
What types of controls are there?
Preventive: A control that limits the possibility of an undesirable outcome.
- e.g. Access controls limit who can access sensitive information.
Detective: A control that identifies errors or undesirable outcomes after the event, so that they can be acted on.
- e.g. Reconciliations between two independent records to identify discrepancies.
Corrective: A control triggered once an issue has been detected (usually by a detective control), designed to correct and resolve the effects of the error.
- e.g. Backups that allow data to be restored after a loss.
Directive: A control designed to cause or encourage a desirable event to occur.
- e.g. Training that makes employees aware of their roles and of the controls they are expected to operate.
The Good
What does good look like?
- Aligned: Effective controls are tied to the business objectives and the risks that threaten them. A control that cannot be traced back to a risk and an objective is hard to justify and easy to neglect.
- Key: A key control is the critical control that is relied upon to mitigate a risk. You may have three controls doing similar things, but one of them is usually the critical one: if it fails, that failure will most likely be the root cause of a risk event. Knowing which control is key tells you where to focus testing and monitoring.
- Automated: Controls are either manual or automated. Not all controls can be automated, but where they can it is strongly preferred: an automated control runs consistently, does not depend on whether a person remembered to perform it, and leaves its own evidence. Automation does not remove the need for oversight, though; an automated control still needs an owner and periodic checks that it is still configured and operating as intended.
- Clearly defined: A good control is clearly understood, with no ambiguity about why it exists, who owns it, how it is performed, at what frequency, and where it is evidenced. If any of these cannot be answered, the control cannot be tested and probably cannot be relied upon.
The Bad
What does bad look like? Largely the opposite of good. Some common pitfalls include:
- Over-control: Too many controls bog down processes, creating inefficiency and frustration among the teams that have to operate them. Controls exist to mitigate risk; that is their sole purpose. A control that does not address a real, identified risk is pure overhead, and overhead breeds workarounds.
- Outdated methods: Controls that fail to evolve with technological advances or changes in the business model are more likely to fail, often silently, because the process they were designed around no longer exists in that form. Relying on a large number of manual controls is a recipe for disaster.
- Poor design: An ineffectively designed control misses its target and fails to mitigate the risk it was meant to manage, while still giving the comfort of having "a control in place". This is why design effectiveness should be assessed separately from operating effectiveness.
- Lack of ownership: A common failing. Accountability is critical to the successful operation of a control; a control without a named owner is rarely performed consistently and nobody notices when it stops.
The Ugly
When controls are non-existent, poorly designed or simply fail, the consequences can be significant. A few examples:
- African Gold Acquisition Corp.: Internal control failures enabled the former CFO to misappropriate $1.2 million, leading to false filings and a significant penalty from the SEC.
- FTX: A lack of governance and internal controls contributed to the misuse of billions of dollars of customer funds and the company's dramatic collapse.
- Abraaj Capital: Its collapse was driven by significant control failures and poor governance, including mismanagement of its $1 billion healthcare fund and the use of investor money to cover operational shortfalls and unauthorized loans.
Current Trends
Innovations in how controls are designed, used and approached are emerging, such as:
- Behavioural science: Organisations are now better able to understand how people perceive risk, influence risk-related behaviour, and improve decision making. This helps in designing controls that work with human behaviour rather than against it, so that people follow them instead of working around them.
- Data analytics and AI: Using large data sets and AI to build controls that mitigate risk more effectively through better prediction and analysis. Predictive analytics, real-time monitoring and machine learning can all enhance the control environment. The caveat is that a model-based control needs controls of its own: someone must own it, understand its false positives and false negatives, and check that it still performs as the underlying data and business change.
- Automation and integration: Moving from isolated, department-level controls to automated controls that are interconnected across departments, products and services, which improves both effectiveness and efficiency and makes gaps between controls easier to see.
Reach out to us if you need help with control frameworks, risk management or internal audit.
Ghassan Zeidan, Founder & CEO of Paragon Consulting Partners
linkedin.com/in/ghassan-zeidan
Risk Management, Internal Audit and ESG Consulting Firm (paragonconsulting.partners)