Research by the US National Transportation Safety Board (NTSB) suggests that 80% of aviation incidents are caused by human error.
Internal control professionals looking through the lens of internal control paradigms might conclude that this situation is “totally out of control”. Aviation experts rely on risk management paradigms. They measure these things. They focus on outcomes, not control objectives. Aviation is indisputably safe and getting safer all the time because it relies increasingly and correctly on human behavior, not despite it. Reliance on people is intentional.
Do we have it all wrong? Is it possible to achieve “control effectiveness” without appropriate human behavior and without measuring performance? Is the notion of “control effectiveness” just a tantalizing tautology?
Risk Management Has Been Hijacked
The “internal control” and the enabling “assurance” paradigms promoted by Radical Control Activists (RCAs) and embedded in the standards and practices they impose have set risk management practices back decades, stunted its growth and development and contributed to countless failures.
Business executives have consistently rated the importance of risk management as “high” and simultaneously expressed dissatisfaction with its current state. That is not a contradiction. Business leaders are not happy with the state of risk management because they are not getting risk management. They are getting control management. And it is not working.
The RCA movement has hijacked risk management and addicted us to “controls”.
Control Addiction Defined: When Control Failure is the Risk, Too Many Controls are Never Enough.
The overwhelming majority of “controls” implemented, tested and audited by Radical Control Activists are based on COSO’s “Control Activities”.
Segregation of duties, reconciliations, authorizations, and various forms of physical safeguarding are simple to implement, tangible and verifiable.
The overwhelming root cause of failure in human endeavor is human error or conduct, not control failure. This is true for aviation incidents, SOX deficiencies, auto accidents, fires in the home, industrial accidents, and every other activity where research exists. We will likely find it true for Covid-19 as well.
RCA standards believe “controls” are “effective” when they do not “fail”. When control failure becomes the test of “effectiveness” then, “ineffective” controls become the de facto cause of failure.
In simple terms, if fire extinguishers fail to function they can be deemed the cause of fires, and more are considered necessary. The risk is no longer the fire. The risk is the failed control. Tautologies can be tantalizing.
Unnecessary Control activities and monitoring block learning and impede performance.
Business risk management has not only been hijacked by the RCA movement; they have addicted us to a paradigm that does not work.
Control Addiction Causes Risk Blindness
Fire extinguishers only work if a fire occurs. If you rely primarily on fire extinguishers to protect you from fires, you are accepting the risk of a fire. You will find plenty of fire extinguishers within reach in oil refineries, but never as a primary response. If you look hard, you will find them in hotel auditoriums as well. But they are less visible. Fire safety standards in public buildings rely on eliminating flammable materials and sources of ignition, not on fire extinguishers. They manage risk at the source, not after the fact.
When segregation of duties is the primary response to fraud risk, we are accepting the risk of fraud. When we rely on safeguarding access to prevent theft, we are accepting the risk of theft. There are a limited number of business risks where control activities are a cost-effective and suitable primary response to risk. When control activities become the primary response, risk is being accepted, not prevented.
In order to reduce risk, we must understand the events and conditions that give rise to the risk event and manage the risk at those points. That is risk management. In proliferating control activities as a primary or sole response strategy, radical control activists promote excessive, implicit risk taking.
Would you feel comfortable if you were given a parachute when you boarded a commercial flight? Would you feel safer if the pilot assured you that the parachute had been tested and was guaranteed not to fail? Would two parachutes be better? How about a SOX type certification in the seatback pocket?
The most catastrophic risks arise from known or foreseeable external sources, such as natural events, political events, disruptive technology, pandemics or economic conditions. These risks usually “surprise” us.
By focusing on control activities as a primary response, our RCA colleagues blind us to most external risks. Cyber risks, third party risks, disruptive technology and most other external risks have regularly been “surprises”.
When control activities and monitoring of those activities are the primary response to risk, it is usually a sign that the risks of control failure have been deemed acceptable. Those “controls” could kill you.
When control activities are the primary response to business risks, it means that only a small fraction of possible risks have been identified and assessed. We are blind to most risks because they can't be “controlled”.
How Smokey the Bear Succeeded by Using COSO
In 1944 (about 3 years after the origin of the IIA and decades before the initial COSO framework) the US Forest Service developed a campaign to prevent forest fires.
They created Smokey the Bear and his slogan “Only You Can Prevent Forest Fires”. Let us compare the Smokey the Bear approach with the Radical Control Activist approach.
COSO was created as a framework to explain the root cause of failures of financial institutions in the 1980s. Tagging Smokey’s tactics with a COSO element, we can see he used COSO Control Environment and Risk Assessment. Radical Control Activists use Control Activities and Monitoring. Smokey correctly channelled human behavior to manage the risk of fire. He defined the causes of fire as the risks to be managed.
| | Smokey the Bear Says | Radical Control Activists Say |
|---|---|---|
| Objective | Prevent forest fires | Control objectives |
| Establish accountability | YOU – the Objective Owner | Control Owner* |
| Primary Risk | Sources of ignition, combustible materials | Control failure |
| Primary COSO Category | Control Environment / Risk Assessment | Control Activities / Monitoring |
| Primary Category Type | Objective communication, clear accountability, capability building, incident/root cause tracking | Segregation of duties, approvals, passwords, access controls, deficiency reporting |
| What is Monitored | Incidence of fires | Control failure |
*Just a note on Control Owners. I have seen thousands of job descriptions and resumes. I have never seen anyone requiring or claiming to be a Control Owner.
If Smokey the Bear adopted the practices of today's Radical Control Activists, he would have recommended a primary strategy of hanging fire extinguishers from trees and planting them a little further apart (segregation of trees).
Doing the Right Thing Wronger and Learning or Doing the Wrong Thing Righter?
The distinguished systems theorist Russ Ackoff describes the trap we are in as ‘doing the wrong thing righter’. ‘The righter we do the wrong thing,’ he explains, ‘the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter. Therefore, it is better to do the right thing wrong than the wrong thing right.’ Most of our current problems are, he says, the result of policymakers and managers busting a gut to do the wrong thing right.
RCAs take us one step further. We are doing the wrong thing righter and then locking it in place with technology.
Curing Control Addiction – Starter Points
- Calculate the number of risks and controls you have documented.
If your ratio of risks to controls is 1:3 or more then you are addicted to controls and have risk blindness. Consider a policy prohibiting the implementation of new controls unless existing controls are being replaced. A healthier ratio of risks to controls is in the range of 3:1 or more.
Specialized institutions may require special consideration. But if the ratio is more than 1:5 I hope you are managing a prison.
- Tag each control with its COSO category
If you rely on Control Activities as a primary response you are under the influence of Radical Control Activists. (If you find this difficult and if you are making SOX certifications, you may wish to consult an attorney).
- Compare the number of controls added vs. eliminated in the past year.
If you are continuously adding new controls and not eliminating old ones, you are addicted. If decades of adding controls has not resulted in sufficient controls, we will never have enough.
- Begin to tag each “deficiency”, “issue” or “finding” with its root cause
COSO was developed as a root cause model, not a control model. Use COSO categories to identify root cause of issues, deficiencies etc. For example, if failure to comply with a policy occurred because the policy has not been communicated, or because accountability is not clear, it is a Control Environment root cause. The solution lies in improving the Control Environment, not adding, or improving Control Activities.
- Tag each new recommended control with its COSO category
If you are primarily adding Control activities or Monitoring, reconsider. Consider another approach.
- Formally assess your Control Environment
This will require some subjectivity and judgement. Compared to Control Activities and Monitoring, the Control Environment covers a lot of intangible and abstract ground. The Institute of Internal Auditors has issued guidance for auditing the Control Environment. If you are not a member, they will sell their guidance to you. It's probably a good place to start. But Goodwill, Intangible assets and Deferred taxes, like “control effectiveness”, are also intangible and abstract and are quantified in financial statements. You do not need to quantify the Control Environment. Just describe it for now.
- Eliminate Orphans and Connect the Dots.
Every significant data element must be linked to an objective or performance target, and as much as possible to each other. We need to be able to explain the impact of risks, controls, issues, loss events on business objectives and performance. We need the ability to perform root cause analysis, to compare and predict. We need a taxonomic structure equivalent to a chart of accounts. And we need consistent calibration across the participants.
Consider the methods your company uses to set and communicate and align objectives, create motivation and commitment, develop necessary capabilities and monitor performance. If those elements of control environment are not in place, make the necessary recommendations to address them.
- Technology can help
Technology exists today to enable virtually every element of the Control Environment. Adoption of technology by RCAs today is slow. Worse, it is often counterproductive. We have incredible technology to identify possible collaboration. We use it to block collaboration.
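The starter points above are measurable from an ordinary control register. The script below is an added example, not part of the original post: it runs the ratio, COSO-category and added-vs-eliminated checks over a constructed register, using the post's 1:3 and 3:1 thresholds; reading "primary response" as more than half of active controls being Control Activities or Monitoring is my assumption.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Control:
    control_id: str
    risk_id: str          # the risk this control responds to
    coso_category: str    # one of the five COSO components
    added: date
    retired: Optional[date] = None

# Constructed sample register (not from the post): three risks, ten controls,
# most of them Control Activities piled onto the same two risks.
REGISTER = [
    Control("C01", "R1", "Control Activities", date(2015, 3, 1)),
    Control("C02", "R1", "Control Activities", date(2017, 9, 1)),
    Control("C03", "R1", "Monitoring", date(2019, 11, 15)),
    Control("C04", "R1", "Control Activities", date(2020, 2, 1)),
    Control("C05", "R2", "Control Activities", date(2016, 1, 1)),
    Control("C06", "R2", "Monitoring", date(2020, 1, 10)),
    Control("C07", "R2", "Control Activities", date(2020, 4, 1)),
    Control("C08", "R3", "Control Environment", date(2018, 6, 1)),
    Control("C09", "R3", "Risk Assessment", date(2019, 8, 1)),
    Control("C10", "R3", "Control Activities", date(2014, 1, 1), retired=date(2020, 3, 1)),
]

ACTIVITY_TYPE = {"Control Activities", "Monitoring"}

def diagnose(register, as_of):
    """Apply the post's starter-point checks to a register as of a given date."""
    active = [c for c in register if c.retired is None or c.retired > as_of]
    risks = {c.risk_id for c in register}
    controls_per_risk = len(active) / len(risks)
    by_category = Counter(c.coso_category for c in active)
    activity_share = sum(by_category[k] for k in ACTIVITY_TYPE) / len(active)
    cutoff = as_of - timedelta(days=365)
    return {
        "controls_per_risk": round(controls_per_risk, 2),
        # Post's thresholds: risks:controls of 1:3 or worse is addiction,
        # 3:1 or better is healthy.
        "control_addicted": controls_per_risk >= 3,
        "healthy_ratio": controls_per_risk <= 1 / 3,
        "by_category": dict(by_category),
        # Assumption: "primary response" = over half of active controls are
        # Control Activities or Monitoring.
        "activities_primary": activity_share > 0.5,
        "added_last_year": sum(1 for c in register if cutoff < c.added <= as_of),
        "eliminated_last_year": sum(1 for c in register if c.retired and cutoff < c.retired <= as_of),
    }
```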
Once risk management is freed from controls, expect a smaller, more analytical, forward-looking, data-based function offering insights with clear value-adding potential.
Even better, control management will change for the better as well. Expect control management to shift from control assessment to control portfolio design driven by data and digital innovation. Expect far closer alignment with business management and far more respect.