Controls are ubiquitous in the risk world. We identify them, document them, test them, and improve them. And when they don’t work as we hope, we curse them…

In our work and in conversations with hundreds of people across dozens of organisations, we’ve observed a common struggle.

Despite all of us agreeing on the critical role controls play in managing risk, safeguarding compliance and optimising operations, almost without exception, there are struggles with controls:

  • They’re not well documented
  • There are hundreds, if not thousands of ‘things’ documented that may or may not be controls
  • They are not ‘embedded’ – or at least the ones that are documented are not…
  • Business users ‘don’t understand’ their controls
  • Testing is not mature, not well delivered, not well understood
  • Controls that are tested and deemed effective fail with sometimes spectacular impact
  • Two different people test the same control and form different views on its effectiveness (we are looking at you, internal audit)

Yet, despite this, the organisations that we work with, typically, operate within expected parameters. Payments are processed, interest is calculated, shipments are sent, invoices are raised, customer calls are taken.

At the same time, we have all witnessed major breakdowns in control – systems crash (Optus, McDonald's), customers don’t receive what they expect (Royal Commission), and there is a wide range of AML/CTF breaches across banking and gaming.

So, why do we have this disconnect?

Before we come back to this question, it’s important to talk about how we’ve been approaching our thinking about risk and resilience over recent months.

At Battleground, we are on a mission to re-think risk intelligence: to be more practical, and to provide data that is useful and that connects the dots for you. It is in this light that we have been architecting Battleground’s upcoming new risk modules for Battleground Live.

While I’ve always provided advice on controls in context, looking at the best way for an organisation to develop from their current state, based on their capabilities, challenges, people, behaviours, tools and processes, when you’re designing a system from the ground up, it is different. There is more freedom to focus on what the real challenges are, but also more pressure.

There are a few truths that we must grapple with, which, while relatively common-sense, may not have permeated into the methodology and practice around controls…

  • Firstly – controls are an abstraction of reality – they are models. Models of how we would do something in a complex process. We need to recognise that controls, even automated controls, don’t operate with the same effect every single time. 
  • Secondly – controls are the happy path – we document our processes and design controls for plan A.  Not enough time is spent on what happens when things go off the happy path and what controls are needed then.
  • Thirdly – controls are bounded by our understanding of what happens. Without a clear understanding of how a thing is done from end-to-end (avoiding the word process here intentionally), how can we be confident that we have the right controls in the right place? Few individuals really understand the end-to-end, and when different teams are brought together, they have silos which must be broken down.
  • Fourth and finally – controls are not independent, they are interconnected. The effectiveness of one control depends heavily on how well the ones before it worked. So, testing of individual controls is really a work of fiction – there is no world where only one control operates.

What are we doing about this?

Controls aren’t going away. 

But the data we collect about them must improve. The way in which we check if they are working or not needs to be very different. The way in which we connect them to what our organisation does needs to be re-imagined.

At Battleground, our upcoming Risk platform reflects this thinking – that controls exist in the real world, and not a contained environment.

We drive a clear connection between controls and underlying processes, systems, third parties, data and other enablers.

We are focusing on a deeper understanding of what controls should be, leveraging AI to both help think differently about what our controls can be, and also drive consistency in how we describe controls.

Perhaps most importantly, we are putting more focus on how controls work together to manage risks and support objectives. Controls cannot be tested in isolation.

How can you be at the forefront of embedding real controls in your organisation?

We know that improving controls can be a significant challenge, and if you are working in an existing context (rather than with the freedom to design from first principles), your freedom of action may be narrower.

However, we see all controls uplift as falling into one of three areas, each stemming from some key questions – ask yourself how confident you are with each of these and go from there:

  • Clarity
    • How clear are we on the purpose of our controls framework?
    • Do we have a clear definition of controls and does it really match our organisation?
    • Do we have good rules for helping us work out if we need to invest in controls?
  • Connections
    • How well connected to our business are our controls?
    • Do we consider the connections between controls when we assess them?
    • Do we consider the impact on our controls when we make investment decisions?
  • Capability
    • Do we have the capability to understand our controls end-to-end?
    • Is the capability in the right place in the organisation?
    • Does our risk software help or hinder our controls conversation?

At Battleground, we work with you and your team to discover how best to operationalise the effective governance of controls, through smart, real-world based risk software and hands-on consultancy.

If you want to discuss your controls clarity, connections and capability, and how you might be able to improve them, get in touch with the team at Battleground today.
