Myths in Risk Management - With Controls, Too Much of a Good Thing Can Be Bad

Bruce McCuaig

Mobile devices are wonderful things. They’re light, easy to use and operate, accessible, and available — and they’ve revolutionized the way we manage our personal and business lives.

But for most of us, the mobile devices provided by our employers have very strict “controls”. Most are designed to turn off if they’re idle for just a few minutes. I can reset the timing on mine, but five minutes seems to be the maximum. During a typical conference call when I need to refer to my iPad, it’s common for me to have to sign in with a password four or five times. I suspect I sign into my mobile devices several dozen times a day. I don’t lock the door to my home that often.

Shouldn’t Mobile Devices Always Be “On”?

I watch my colleagues sign in time and time again during business meetings. No one complains or even seems to notice. This inconvenience appears to be accepted by everyone.

But what about usability? In my business life, my devices provide me with a “usually off” experience. But in my personal life, my devices are “usually on”. How many other “controls” like this exist in our business and personal lives? And how should they be set?

More Isn’t Always Better

I’ve spent much of my career as a control professional. I’m here to tell you we’ve gone too far. I’m not saying controls are bad. Controls are absolutely essential. But I am saying controls should be treated like medication. Automated controls that impact the way we work should be treated like prescription narcotics. They should be prescribed carefully and taken only as needed.

Each control should be designed to mitigate one or more specific risks, and everyone should understand what the risks are and manage the control accordingly. It might be a good idea to have a “sunset” clause on controls: just like the prescription that can’t be refilled without a periodic doctor visit, these controls’ existence would have to be justified on a periodic basis.

“Just Because We Can” Controls Are Harmful and Addictive

Now we add controls just because we can, not because we need them. Then we evaluate and test them just because they’re there. In many cases, where controls are automated, they can be added remotely by people we don’t see and don’t know, for reasons that we don’t understand.

Mobile devices should be easily accessible and available. That’s why we call them mobile. If they were handed out to us chained to bricks, with the requirement that we reattach them after every use, we would laugh and object. It wouldn’t make sense. I suggest that many controls we’ve learned to tolerate are equally silly and could be eliminated or, at least, be dramatically redesigned.

Controls are expensive and disruptive. Once in place, control “experts” and auditors become addicted to them. Their continued use is seldom questioned. They go on forever and the cumulative impact is huge in economic and human terms.

Analytics May Be the Answer

The good news is the power of analytics. My view is that analytic tools, especially predictive analytics, may be able to replace controls or vastly reduce the burden they impose. It should be possible for me, as a user, to assess the specific risks associated with my use of my company-provided mobile devices and adjust the controls accordingly. It also should be possible for the company to detect any inappropriate use of my device and shut it down quickly.
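As an added illustration of the adaptive idea above (this is example code written for this page, not SAP's or the author's), the sketch below derives a device's auto-lock timeout from a context-based risk estimate instead of a fixed five minutes, uses an anomaly score from an assumed analytics feed to decide when the company should lock the device, and flags any control that has no linked risk or whose "sunset" review date has lapsed. The signal names, weights, thresholds and risk identifiers are all assumptions chosen for illustration.

```python
"""Risk-adaptive auto-lock policy plus a control "sunset" check.

Added example, not from the original post. Every weight, threshold and
signal name below is an assumption made for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Context:
    on_managed_network: bool   # corporate Wi-Fi / VPN rather than a public network
    in_trusted_location: bool  # e.g. inside a geofenced office
    data_sensitivity: str      # "public", "internal" or "confidential"
    anomaly_score: float       # 0.0 (normal) .. 1.0 (clearly abnormal), from analytics


# Assumed contribution of the data currently in use to the risk estimate.
SENSITIVITY_RISK = {"public": 0.0, "internal": 0.2, "confidential": 0.5}

# Assumed anomaly level at which the company locks the device remotely.
QUARANTINE_THRESHOLD = 0.8


def risk_score(ctx: Context) -> float:
    """Combine context signals into a 0..1 risk estimate (assumed weights)."""
    score = SENSITIVITY_RISK[ctx.data_sensitivity]
    if not ctx.on_managed_network:
        score += 0.2
    if not ctx.in_trusted_location:
        score += 0.2
    score += 0.4 * ctx.anomaly_score
    return min(score, 1.0)


def lock_timeout_minutes(ctx: Context) -> int:
    """Map the risk estimate to an auto-lock timeout.

    Low-risk contexts get a "usually on" device; only high-risk contexts
    fall back to the aggressive one-minute lock.
    """
    r = risk_score(ctx)
    if r < 0.25:
        return 60
    if r < 0.5:
        return 15
    if r < 0.75:
        return 5
    return 1


def should_quarantine(ctx: Context) -> bool:
    """True when the analytics feed reports use abnormal enough to lock the device."""
    return ctx.anomaly_score >= QUARANTINE_THRESHOLD


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: tuple   # risk identifiers this control was prescribed for
    review_by: date    # "sunset" date after which it must be re-justified


def controls_needing_review(controls, today: date) -> list:
    """Return names of controls with no linked risk or a lapsed review date."""
    return [c.name for c in controls if not c.mitigates or c.review_by < today]


if __name__ == "__main__":
    # Constructed sample contexts.
    office = Context(True, True, "internal", 0.1)
    cafe = Context(False, False, "confidential", 0.0)
    odd_use = Context(True, True, "public", 0.9)
    for label, ctx in [("office", office), ("cafe", cafe), ("odd_use", odd_use)]:
        print(label, round(risk_score(ctx), 2), lock_timeout_minutes(ctx), should_quarantine(ctx))

    # Constructed sample control register with assumed risk identifiers.
    register = [
        Control("auto-lock", ("R-1",), date(2030, 1, 1)),
        Control("legacy-filter", (), date(2030, 1, 1)),
        Control("old-password-rule", ("R-2",), date(2020, 1, 1)),
    ]
    print(controls_needing_review(register, date(2025, 1, 1)))
```

The timeout tiers are deliberately coarse; the point is that the parameter is computed from stated risks and an analytics signal, so each tightening of the control can be traced to a reason, and the review check gives the "sunset" clause a concrete shape.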

Let’s Drive Out Bad Controls

Technology should provide us with the tools we need to reduce our reliance on traditional controls. Controls aren’t inherently good just because technology has made it easy to add them. Some controls are harmful, addictive, and have serious adverse side effects. We can and should be smarter.

Control experts today should be judged on how many controls they can eliminate.

I’m interested in your views on controls. What controls in your business bug you the most? Are there controls that have unintended negative consequences? What process does your organization have for flagging bad controls?

This post is part of a series on Myths in Risk Management. Check out the others on: Exposing the Flaws of Risk Heat Maps, Can Risks Be Registered?, Can Risks Be Owned?, and You Don’t Need To Start with a Risk.


About Bruce McCuaig

Bruce McCuaig is the Director of Solution Marketing, Governance Risk and Compliance at SAP. His specialties include Enterprise Risk Management, Governance, Management Consulting and Strategy.