
How to create terrible controls.

You are feeling a little rebellious today. Someone has asked you to sort out that ‘controls stuff’ – but why create an effective control framework when you can have some fun and create some truly terrible controls that look good on paper but don’t actually do anything? Here are some tips on how to be truly terrible at controls management.

If you’d rather be boring and find out how to create controls that are effective, check out our controls assurance webinar on demand.

Don’t capture any controls information

Who needs information anyway? Write the control name in a spreadsheet next to a risk, job done. No details, no validation, no fuss. This is best done during a risk workshop, when shouting out random controls is totally acceptable.

Control ownership, the more the merrier

Ownership? Let’s just assume the right people know what to do. A solid alternative is to put multiple people’s names on it. It’s the illusion of accountability with none of the follow-through. If anyone complains, just remind them it’s all about teamwork.

Call them controls… but don’t capture controls

The good news is you’ve got plenty of latitude here. Call out things that don’t actually modify risks (the things you are meant to be controlling). Saying you have a committee is a great example – it makes it sound like you are doing something about the risk, without actually describing what the committee does (and hopefully its real activities have little to do with the risk anyway).

Call out resources, capabilities, or characteristics. Suggest ‘our people’ as a control and hope that everyone nods and agrees – surely they don’t want to imply that your people are ineffective at managing risks?

Whatever you do, don’t let anyone talk you into coming up with naming conventions, taxonomies or ways to classify controls, or all of your hard work might come undone.

Don’t capture control objectives

The pinnacle of undermining controls management. Firstly, if the control objectives are not documented, people have to guess what the control is meant to do. Secondly, if performance of the control shifts or degrades over time, people won’t ever know what the initial intention was. Thirdly, people can waste time disagreeing about what it is meant to do, resulting in inconsistent application or testing. Wins all around!

If someone insists on capturing control objectives, don’t link them to risk. Either make the objective simply ‘to comply’, or describe technical details about what the control does rather than why it exists.

Don’t define what good looks like

You might not be able to avoid capturing ‘effectiveness’ ratings for controls. Try and limit it to a drop-down box and call it a day. Then people can use tarot cards, rolling dice, or another preferred method to make a selection. If you have to come up with criteria for what ‘good’ looks like, try and keep it vague and subjective.

Set and forget

Subtly reinforce that controls will always continue to work effectively. You documented the control back in 2005; isn’t that enough? Reviewing it might hurt the feelings of the person who came up with it. If you work for an annoying organisation that has change management processes in place, sneakily remove any reference to updating or reviewing controls.

Testing – keep it casual

Execs want assurance? Fine. Just don’t standardise, and don’t automate. Try and keep it as inconsistent as possible, so you can undermine continuous improvement and benchmarking efforts. Checking a box is basically the same thing as a test, right?

Testing – keep it rigid

If you are forced the other way – you have to test controls rigorously and maintain documentation – apply a single over-the-top level of rigour and frequency to every control. Whatever you do, don’t make it risk-based or dynamic. This can help you drown the organisation in cumbersome testing, and people will be impressed with your level of intensity.

Put all your eggs into one basket

This is a pro tip if people are onto your underhanded ways, and you can’t avoid well-documented controls. Double down on a single type of control to reduce resilience. For an individual risk, try and focus multiple controls onto a single cause. Nothing says ‘well-managed’ like multiple controls being circumvented all at once. Keep the focus on the total number of controls to hide single points of failure.

Don’t train your people

This one is great because it helps undermine everything else. If you’ve been forced to assign control owners or testers, don’t actually tell them what their responsibilities are. Avoid, like the plague, any training that tells your people what controls are or how to design an effective controls framework.

Use ineffective tools

You probably can’t get away with using stone tablets, but everyone has access to spreadsheets and documents. Conduct testing in separate documents, so they aren’t linked. Even if the tests themselves might be annoyingly effective, it’s impractical to benchmark, report on trends, or find areas for improvement. You don’t want Execs to see what percentage of controls you’ve tried to keep manual, do you? Avoid tools that can provide this information.

Conclusions and next steps for your organisation

You’ll need to strike a tricky balance by making it look like controls management is in place, while being ineffective in practice. Do it well, and you just might make your organisation the next headline (all news is good news, right?).

Another alternative, and one that we would recommend at Protecht, is to create a functional controls management process, to enable your organisation to sustainably achieve its objectives.

If you are interested in developing your controls capability at a people level, you may want to try our Controls design and assurance course on Protecht Academy for your risk team, or training the whole organisation on Risk fundamentals for everyone.

If you’re looking for more on implementing controls, our From controls chaos to controls assurance webinar on demand provides a great intro to how you can structure the process effectively.

About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.