After years as a practitioner in governance, risk, and compliance (GRC), I have come to believe that the biggest obstacle to safe and reliable performance of business processes is the internal-control paradigm. In my experience, most internal controls in business systems fail to address the root cause of failure. They have a life and purpose of their own. And if the role of the CFO is to drive reliable financial processes, it is clear that CFOs need to lead the transformation of the control paradigm.
The internal-control paradigm in the age of digitalization
The embodiment of the internal-control paradigm is Sarbanes-Oxley and the accompanying audit standards. Highly simplified, the thinking goes like this: Put fire extinguishers everywhere a fire could break out. More and bigger extinguishers are always better. Count them frequently and test them often. Report missing or faulty extinguishers. Require auditors to conclude and opine on whether there are sufficient working fire extinguishers. Don’t be deterred by the resources siphoned off by this effort.
This effort is not really risk management. The only risk being managed is the risk of faulty or absent fire extinguishers. (Tautology abounds in the control paradigm.)
But the next time you are in a large gathering in a public building, look around for fire extinguishers. You may notice automatic sprinklers, but you probably won’t see many fire extinguishers. You will not see many trash cans where fires can start, but you will see “No Smoking” signs. That’s because fires are prevented only by removing sources of ignition and flammable materials. Extinguishers do not prevent fires. Nor do most controls prevent process failure. In short, highly visible and pervasive controls should make you worry. They are signs of unresolved root causes of failure. Imagine boarding a plane and being handed a parachute.
Disconnect between controls and business objectives
In my career in governance, risk, and compliance, I have spent years as a chief audit executive, as a chief risk and compliance officer, as a consultant, in developing and selling software, and as a board member.
During that time, I’ve witnessed too many practitioners who are unable to articulate either a risk or a business objective related to a control. In implementing software that documents and assesses controls in a business system, no attempt is made to assess process performance either before or after controls are in place. I’ve seen internal auditors, in developing their “audit universe,” consider a number of factors but totally ignore business performance as a variable driving the allocation of audit resources. I’ve seen audit reports concluding that controls are effective, and yet the business is going broke.
Control effectiveness ← → Process reliability
But the unintended consequences are serious. It is not uncommon in many companies to spend days getting a procurement authorized and the vendor paid. Order-to-cash processes are hindered by unnecessary controls, impeding progress. Critical business information arrives too late for decision-makers. By contrast, fraud prevention technology in use today detects and blocks fraudulent credit card transactions before the purchase is even authorized.
We are accustomed to boarding airplanes and safely flying long distances. Whatever discomforts exist in air travel these days, flying is undeniably safe. Aviation safety is achieved not with the “fire extinguisher” approach. Instead, the focus is on identifying and monitoring everything that could cause failure. Safety performance and process reliability are the goals, not control effectiveness.
People: the essential element of process reliability
A major flaw of the internal control paradigm is the implicit belief that employees are inherently risky. (Think multiple approvals, segregation of duties, etc.) It is true that in every field of human endeavor I have seen for which statistics are kept, human error accounts for 50% to 60% of risk events. The aviation industry has dramatically reduced aviation accidents over the last decades, despite larger aircraft, more passengers, and more air traffic to more destinations. Yet the incidence of human error as the root cause of failure remains at about 50%.
The lesson to me is that it’s not possible to reduce errors in any system without properly engaging people. Pilots I have spoken with attribute the dramatic continuous reduction in aviation incidents to training. Clarity of purpose, high skill levels, clear accountability, and monitoring are the key.
It’s essential that compliance and control be embedded in people, not in systems. Digitalization should enable employees to achieve objectives and process reliability. Treat people like humans and cultivate intelligent, capable, motivated employees.
Lessons for the CFO
- Invest in digitalization combined with artificial intelligence, machine learning, the Internet of Things, and predictive tools; that is key. Analyze patterns and behaviors, not transactions, to detect anomalies, and thereby speed up processing and achieve reliability.
- Set quantifiable performance targets for all key financial processes. Develop metrics to track errors, loss events, and on-time performance, and track them with a real-time contextual display.
- Balance your investment in technology with an investment in developing your people.
- Insist that your control practitioners provide detailed root cause analysis of any control deemed ineffective. Solve the problem, not the symptom.
I am very interested in your response to this blog. I plan to follow up with three or four more to expand on my observations and conclusions. I do have ideas and suggestions to share. I’d welcome yours.
I will be at the IIA/ISACA Governance Risk and Control Conference August 13-15 in Nashville. Please join me and my colleagues Stephanie Gruner, Anne Marie Colombo, and James Chiu at booth 317.