Surveys suggest that more and more things seem to be going wrong. Either there are more risks than ever, or there are more “things.”
If there are more risks, then we need to examine our risk management practices.
If the risks are the same, but they’re happening in more places, then we need to examine our control management practices.
The art of successful governance, risk, and compliance (GRC) management is looking in the right places for risks and doing the right things to respond to them.
In a recent blog on the Three Lines of Defence, I discussed the Three Value Questions. That discussion was intended to focus GRC professionals on the right “things.” Or in other words, finding the things that matter.
So let’s turn our attention to control management and away from risk management. Let’s assume we know where to look for important things that can go wrong and let’s examine our ability to respond to them. My working hypothesis is that we don’t respond well.
Is there such a thing as control management?
The first clue is the phrase “control management.” Is there such a thing in the professional literature? I have not found any reference to the concept of “control management” in either the Institute of Internal Audit Professional Practice Framework (IPPF) or the Public Company Accounting Oversight Board Audit Standard no. 5 (PCAOB AS5). Plenty of literature exists on “risk management,” little or nothing on “control management.”
Is this a mere oversight or is it a fundamental flaw? Let me ask it another way: Are internal controls a manageable dimension of the business and do we understand how to manage them? Among the questions we need to know (vs. believe) are:
- How many controls are enough?
- In any situation, which kinds work best?
- What unintended consequences must be anticipated?
- What is the impact of a set of controls on business performance?
- How will technology help improve control effectiveness and drive down cost?
A new perspective on effective control
Here’s an example of what I mean: For a number of years I was required to take daily doses of powerful prescription eye drops. Were the eyedrops “effective,” I asked myself? The manufacturer of the eyedrops actually offered a money-back guarantee (in jurisdictions where it was allowed) if a specific outcome was not achieved. That sounded reassuring. But looking further into the research that supported the approval of the medication, I found some interesting statistics.
According to the research required to get approval for the drug, the side effects of the medication caused about 30% of users to miss 15% of their required doses. A small number, about 10%, stopped taking the medication entirely. A very small percentage suffered severe side effects and were hospitalized.
Question: Was the medication effective? Yes or no, please. No “opinions.”
Whenever I visited my ophthalmologist, he invariably said, ”Remind me what eyedrops I have prescribed for you?” Eventually I figured out he was “testing” the control. If I couldn’t remember he would conclude I had stopped taking the drops.
I struggle to think of any internal control effectiveness opinion I have ever written or read that contained such an analysis.
My point is that when we can answer these questions, we will be “managing” controls.
What does the future hold? How will technology help?
Shifting to a fact-based view of controls
Technology should enable a shift from a belief-based approach to control management to a fact-based approach. Continuous monitoring of all the variables we need should begin to provide a precise measure of how controls work, individually and in combination, what “adverse” reactions occur and why, and should tell us the number, location, and nature of controls we need.
I can’t imagine precisely the impact of technology on controls, but I do foresee we will be managing controls, not just adding and testing them.
Imagine in your business an in-memory computing-based, cross-system analysis of all invoices processed last month anywhere in the world to scan for duplicate payments, coding errors, or other anomalies. Imagine getting the results in 30 seconds. What controls would you be able to eliminate in a procure-to-pay process? How would it impact on vendor selection and payment terms?
Apply the same tools to customer invoices and inventory management.
What “controls” can be eliminated? How will business performance be improved?
The benefit of in-memory solutions, such as SAP HANA, is not just speed. It allows fundamental change to take place.
That change will take place over time, but for now let’s turn to the 4 Quadrant diagram I introduced in my blog on the Three Lines of Defence. Let’s imagine the roles each Line of Defense will play in managing controls in the future.
See more at SAP.