Internal Controls Design
consulting and research for internal control with risk management
"Intelligent Internal Control and Risk Management": Favourite paragraphs
Here are some of my favourite, short excerpts. They give a flavour of the writing style and content:
The introductory paragraph:
"What we have here is an opportunity to create value — actually a wagon-load of opportunities to create value. The rapidly merging fields of internal control and risk management often look established, standardized, and even dull. Experts in these fields cultivate that impression but the truth is that we're still at the Wild West stage. Most people working in this territory are pioneers trying to get by with a handful of crude tools. We're just getting started and many risk and control programmes are hanging on to survival by their fingernails. There are snake-oil salesmen who will sell you a cure for all your ills, and Coso is a barmaid at the Sarbanes-Oxley saloon."
From page 8, summarising the difference that aiming for value can make:
"Consider the differences between the abysmal implementation of Section 404 of the Sarbanes-Oxley Act and the clearly beneficial contribution of revenue assurance. Both were aimed at financial processes, but while one generated millions of hours of audit work the other focused on value, then achieved it by improving controls and by using effective tools, including computers and statistics.
Risk control can provide major, measurable value. It is much more than a comfort blanket, if we make the effort to pursue that value and use the right techniques and tools."
Warming to this theme on page 10, after describing a different application of risk control:
"Again there is a huge contrast between high- and low-value approaches to risk control. This time it is the type of controls used that makes the difference. While bureaucratic, defensive controls can be a route to stagnation and eventual failure, controls based on intelligence, learning, and adaptiveness offer a way to more opportunities and improved performance. Clearly the best recommendations may not be the traditional favourite control mechanisms of checking and restriction.
Used well these controls are more interesting to managers. Instead of inwardly groaning at being asked to produce another document, sign their names somewhere, or fill in another checklist, the control ideas coming forward seem more like clever management techniques than dreary controls."
Moving into the section on integrating risk management and internal control, on page 23:
"The way controls are planned is particularly interesting and it is through the idea of dynamic generation (i.e. controls generating other controls over time) that we can begin to integrate internal control and risk management into one.
The actions that put controls in place are themselves controls, and may involve explicit thinking about risk. For example, a company might have a policy that every IT project has to have an initial security assessment performed that identifies further security work needed before new systems can be made live. That initial assessment is a control and it generates more controls, some of which will also generate yet more controls, ultimately resulting in routine security procedures for the new system and the people using and supporting it."
Design is a strong theme in the book. Here's a paragraph that introduces the need for more creativity and better controls design methods, going beyond risk registers:
"Controls get put in place by a variety of people at different times for different reasons and using different methods. The defining characteristic of effective risk control is that risk is controlled effectively, not that one particular mental process is used to do it. For example, just listing risks and writing controls against them will not design a control system worthy of the name, not because it is a useless thing to do but because it is not enough and does not work well in many common situations."
Another strong theme in the book is our human tendency to think and act as if we were more certain than we really are, as a result of which we tend to do too little in the face of uncertainty. Chapter 4 discusses some real cases of this, one of them being the way the UK government argued for war against Saddam Hussein in Iraq. In this excerpt the book touches on how that cultural difficulty with uncertainty shows up in salesmanship:
"We expect a salesperson to be 'confident' and this often translates into making statements about costs and benefits of something that are confident statements. People trying to be confident replace timid words like 'might' and 'could' with their confident alternative, 'will.' It's a communication skill.
It is also lying. It is pretending that something is more certain than it really is."
On design approaches
The introduction to Part 2, with its massive collection of risk control mechanisms, says:
"The corollary of 'garbage in; garbage out' is 'great stuff in; great stuff out'. If you feed your mind with good ideas for controls then, when you need to design a control system, good, creative ideas will flow more easily.
The control ideas in this part are organized into bite-sized chunks so that you can dip in where you like, or just cram everything in, whichever you prefer. Doing so will change the ideas you consider first in a design situation, almost certainly towards higher-value mechanisms."
Several alternative ways of designing risk control systems are presented. On page 57 it says:
"In the last two decades increasing attention has been paid to using perceptions of risk as an input to design of control systems. This is appropriate, but of course risk is not the only consideration. We also care about costs, the time needed to implement controls, and even strategic and cultural fit. Moreover, most risk assessments are unavoidably unreliable."
Here's a simple but important point from the pattern on 'cognitive ergonomics' (also known as 'usability') on page 162:
"Ergonomics is the most overlooked yet most important subject in internal controls design."
On getting change to happen
Part 3 is about getting good change to happen. Early in the part, at page 189, I write:
"To some extent it is possible to drive behaviour by laying down formal procedures, implementing systems, and providing tools. Beyond that we need to nurture helpful skills, beliefs, and preferences."
How this can be done is discussed at length with many specific suggestions. On page 190, the focus on realistic human behaviour is illustrated by this:
"Much of human behaviour is driven from moment to moment by what is in front of us — whatever our good intentions, 'to do' lists, and day planners may say. It's human nature and almost certainly a product of the way we acquire and use knowledge."
Chapter 13, on barriers to improvement, begins with this:
"Previous chapters have pointed out the huge scope for increasing the value of risk control and explained many efficient control mechanisms that most organizations could and should make more use of. We can imagine organizations made up of people who skilfully manage risk and uncertainty using their own skills and also corporate mechanisms that are light, agile, smart, helpful, efficient, and continually improving.
If only getting to this situation was as simple as everyone reading this book and chanting in unison: 'Yes, that's what we all want to do so we will all make time for it and help in any way we can.'
Sadly, even if you are the most important person in an organization — in fact even if you are the only person in an organization — such easy progress is a remote possibility."
Chapter 16 is about unhelpful ideas that sometimes block good risk control improvements and offers some unusual approaches for tackling them, justified as follows:
"I believe that unhelpful and incorrect ideas are part of the reason why organizations sometimes implement practices similar to those in the second caricature. Many of these beliefs come from textbook theory, but not all.
However, the link between beliefs and actions is not straightforward. There are inconsistencies between beliefs and between behaviours and beliefs. Theories about risk and uncertainty are often controversial and hard to understand.
After decades of largely futile arguments I have concluded that debates in risk control, like politics, are usually too complicated and fraught with misconceptions to be resolved by conversation. Therefore, directly tackling those unhelpful beliefs should usually be a strategy of last resort.
However, there are several other strategies to try first, usually relying on the fact that most people are rational and intelligent if given the right conditions."
And the last paragraph in the book?
"Let's enjoy this Wild West, the frontier territory of risk control, with its many opportunities for innovation, while it lasts."
If you just want to buy the book then please do so from Gower's website HERE.