
Controlling Controls Conflict


By Kamal Wickramanayake - Posted on 22 November 2008

“Global village” is about seeing the world as a single community. In the past, we dreamed about the high-flying potential of how connectedness would transform our lives. Unable to go against nature, we continue to see bad dreams as well. Sometimes, they become reality. Connectedness has brought what appeared to be a crisis in a distant part of the world to our doorsteps. Let the guest come in and greet him with a slice of your IT budget and a cup of previously valued controls, in view of the increased love you have made with cost cutting and executives starting to stare at compliance expenses.

While some argue that the present crisis in its initial stage was a false creation, with 90% of the American housing loans continuing to be paid back without issues even though prices plunged (creating big negatives in company balance sheets, since they accounted for the market value), some others blame poor governance practices and insufficient controls.

The present question dealt with at the international scale is how to reverse the cadence of crisis events. At the small scale, within localized environments, the question is how to survive. For some organizations, the preference for risk aversion has changed their operations to conservative modes.

In tough times, it's natural to revisit the present norms. What are the best processes to retain, and what processes or process elements can we omit? Controls are in addition to the money-making business processes. Maybe a big chunk can be saved there. What controls are really required? Can we get rid of some, if not all?

For any non-trivial business, getting rid of all the controls is not an affordable option. Where will you end up if more controls are made defunct when the crisis is said to have originated from insufficient controls in the first place? Is the solution to add more controls rather than to reduce them? We end up in the dubious state where more controls are preferred to reduce the risk, and fewer controls are preferred to reduce the cost (or to survive).

Hence, the need arises for “more informed” risk management. How many of us have been practitioners of “cover your ass” risk management? “Cover your ass” risk management is buying in a risk management framework (whether a standard or not) from anywhere you like, implementing it with no further thinking and claiming “Look folks! We have the best risk management practices around.... Controls, more controls, and further more controls and ours is the best!”. That helps to “cover your ass” since no one can question what is left open. You have covered your ... and you have done your part as a respected corporate member. Let the rest of the organization be troubled with your clothes or let them cover their ... too!

What should be the opposite, and what makes “more informed” risk management? That's where you challenge the norms, the frameworks and what is said by others, and identify the “true” needs of your organization. For example, something that caught my attention recently was about bringing down the expenses of external auditors. It said “... than to produce the 500 page process document you follow, give the external auditors a report on the control points and the past measurements you have collected at those points...”.

The harder the questions you raise and tackle, the better the outcomes should be. Can we classify our controls into three baskets?

  1. Essential controls (for example those that prevent fraud)
  2. Controls that help increase the productivity of the organization
  3. Else

Of course, there are mandatory controls enforced by law that you need to abide by. They will also fall into one or more of the above categories. What falls into the “Else” category may need a serious look. Processes can also be handled in a similar way. “Informed” also means challenging whether the classification just given is good, bad, or needs modification. If it is to be modified, how and why?

Keeping an eye on new developments also helps. New tools and techniques emerge, replacing the old and the unproductive. For example, many IT services organizations (and clients as well) have started embracing agile techniques that challenge the conventional heavyweight processes. Note that “agile” has a different meaning when it comes to project management – especially in IT projects – than “sloppy”, the day-to-day spoken English meaning.

The good thing about a crisis is that it really tests you and your organization. It questions the validity of the fundamentals you previously accepted as the norms. At the end, what was correct will remain. At the end, who were correct will remain.

--

About Author:

Kamal Wickramanayake is an IT/Software Architect and a Trainer from Software View. He can be reached via kamal@swview.org.