If you were born in my generation, “just for control” was a phrase that we commonly used to describe the power that we possessed over a situation. The meaning also reflected the boastful grip we had in a specific circumstance: because we could, why not? The phrase was a celebration of power – power we could dispense as we wished. Just writing this down took me back to fond memories of imagined “absolute power.”
When I joined the audit profession, I met another power master named “control,” a word I use daily and could easily interchange with the word “power.” One thing hidden within a control is power – it does not matter whether the control is good or bad, its power is felt by those who interact with it. It is also true that processes that lack controls are powerless; this may be the reason why they are prone to disorder and mismanagement.
The purpose of a control is to support a business process by “defending” the process against negative impacts such as waste while also promoting achievement of business goals by contributing to ordered efficiency and effectiveness. In simple terms, a control is implemented to mitigate a risk and therefore it is true to say where there is no risk, there is no need for a control. A control defends in relation to a negative (downward) risk and promotes in relation to a positive (upward) risk.
As noted above, a bad control, like a good control, still possesses power. Have you been in a situation where you know that what you have been asked to do does not add value in any way to a task you need to do, but you still go ahead because it’s a step within a process you need to do? That is the useless power of an ill-designed control – you will still do it even though it does not have any productive purpose. “Just for control.”
Risks are not static in nature and therefore controls should not be static, either. Consequently, we cannot simply say “We have been doing it like this since forever.” If you have ever sat down with an auditor, you will realize that they usually use these three terminologies to measure the value of a control. It is my considered opinion that any business leader worth their salt ought to appreciate these terminologies and can apply them to evaluate whether they are using the “power” of controls within processes productively as changes occur in their functions and or operations. These terminologies are:
- Control Adequacy – This means that the control has been designed to fully mitigate the risks identified within a process. Controls are usually outlined in policies and procedures.
- Control Effectiveness – This means a control has not just been documented in a policy and/or procedure, but it has been mobilized through implementation. What is written can be seen.
- Control Operating Effectiveness – This means the control is not only implemented certain times but consistently implemented.
As risks change, control assessments also become critical to ensure that the power within the controls is directed to productive tasks. This month, look at your processes and the controls within, and check if the power is well-balanced.