In the prosperous 90’s, rising revenues and a booming economy hid many operational problems. Organizations were willing to place controls on the back burner because rising sales masked painful inefficiencies. The economy of the new millennium coupled with the collaborative relational enterprise movement has complicated control requirements. The failure of existing “assumed” control processes has shown that the traditional reactive controls approach doesn’t work.

•  Top management teams are now personally responsible for the control of their organizations.

•  Nearly every organization has business control problems because this has been a traditionally overlooked topic.

•  Business control is not just a “finance” topic. It is a core competency requirement for every manager and supervisor.

•  Internal or external auditors are not best positioned to provide business controls assistance. Organizations require independent specialists with established processes and resources.

•  There are six “out-of-control incubators” that virtually guarantee control issues exist.

•  There are five business controls best practices that can help organizations get back in control.

•  Business control must be a permanent organizational core competency.

Today’s organizations are struggling with control issues. This isn’t just the deliberate deception of the big-name catastrophes. This includes lost sales and excess costs caused by lack of business control in honest and hard-working organizations. Whether intentional or unintentional, control problems affect organizations throughout their operations.
For example:

•  Ford writes off $1 billion in unnecessary palladium inventory because R&D wasn’t talking to the purchasing department about materials requirements, and purchasing buyers were unfamiliar with commodities hedging techniques. (WSJ, 2-6-2002)

•  A Lehman Brothers Holding employee keystroke error in London costs the firm $6 million in trading losses. (WSJ, 5-5-2001)

•  The U.S. government issues 300,000+ departmental procurement credit cards and quickly loses millions of dollars from purchasing misuse.
(LA Times, 3-3-1996) Six years later, there is similar misuse at the pentagon. (BBC News, 7-18-2002)

•  W Hotel loses $175,000 honoring 413 on-line reservations for 749 nights posted at $25 instead of $259. (WSJ, 1-3-2002)

•  United Airlines loses an estimated $100,000 from incorrect on-line fares. (ComputerWorld, 2-26-2001) United later absorbs losses from an on-line vendor listing round-trip U.S. fares for as little as five dollars each. (St. Louis Post-Dispatch, 5-16-2002)

•  Inexperienced IT negotiators from the State of California sign a $95 million database licensing deal that auditors estimate is a $41 million over-expenditure. (InfoWorld, 6-24-2002)

•  PacBell is fined $27 million for mishandling and erroneously charging customers for DSL service. (St. Louis Post-Dispatch, 7-6-2002)

The list could go on and on. The disturbing thought is that, before these events, every one of these organizations’ Board of Directors, CEO, and senior management team probably felt that their control processes were adequate. Good times can breed both over- confidence and complacency. Successful organizations learn from the mistakes of others. While headlines sell newspapers, they also can be a leading indicator to spur change.

When most professionals hear the word “control,” they think of financial controls.
The traditional position is that controls are the responsibility of the CFO and/or controller.

While there was certainly monetary impact in the examples above, the situations are
far more than simple financial issues. Truly controlling the assets and processes of an organization requires more than controlling financial management and reporting. As seen in Figure 1, financial controls are a subset of the overall topic of business controls.

Figure 1

Merely relying on Finance to proactively anticipate or reactively correct all business control weaknesses creates a false sense of security. In the seven examples above,
only one or two are solely in the Finance area. The majority are additional issues of system design and maintenance, improper training, poor communication, incorrect features, not responding to previous problems, and so on.

This is why control must be looked at from a “total business” basis. Control cannot be just Finance’s responsibility, or the organization is certain to be out-of-control.

An interesting question is, “Did the organizations in the examples above pass their audits?” Yes? Evidently they felt secure due to their internal checks and balances, and based upon successful internal and external audits.

External auditors share these concerns, plus generate additional reservations in providing business controls guidance. External auditors have a highly profitable existing audit relationship to consider, which creates a conflict of interest. This results in an unavoidable “self-tattling” environment where they might have to identify control exposures for operations that had previously passed their own audit. External auditors can be very expensive, and may not have a controls practice specialty providing the required business controls support, consulting, and educational services.

Finally, audit functions focus on the internal organization rather than the complete “relational enterprise” of organization, partners, suppliers, vendors, customers, outsourcers, etc. As Figure 2, shows, traditional financial audits address only a small portion of the relational enterprise.¹ As with the United Airlines example, members of the relational enterprise who go unaudited can have a significant impact on an organization’s overall operational and financial performance.

Figure 2

BizControl Solutions research has identified six organizational situations that are root causes of loss-of-control. The first two of these, seen at the center of Figure 3, are continuously present in all organizations. The remaining four are trigger events.
When any of these “incubators” are present, changes in the resulting control environment must be addressed.

New IT system. As the above on-line fare problems illustrate, any new IT system creates control issues. This occurs both from the “hidden decisions” within the software and from how the system is used.

Restructuring/reorganization. Changing where people work, where they report, and what they do can invalidate existing controls. New processes, personnel, and work assignments require new controls.

Downsizing. Many organizations use downsizing for “de facto reengineering.” The hope is that reducing the number of people will force remaining workers to change what they do and how they do it. This ignores the principle of “conservation of work,” which states that no matter how many people are cut, there is still a critical minimum amount of work that must be done by someone. If it isn’t, then the organization gets out-of-control.

Figure 3

Outsourcing. Moving work to outside organizations does not eliminate control concerns, it only modifies them. As the United Airlines fare example above illustrates, vendor partners can have a major impact on sales, costs, profitability, customer satisfaction, employee satisfaction, and so on.

Merger/acquisition/divestiture. Any change in large functional components leads to out-of-control situations. The resulting new organization is now a hybrid requiring that existing controls be adapted to the changed structure.

Today’s fast pace of business ensures that one or more of these incubators are present in nearly every organization—with predictable results:

•  Departmental linkages are broken and people who should be talking to each other don’t.

•  Processes aren’t designed. They instead evolve in a “de facto” manner.

•  “Instant expertise” is assumed and people are required to work outside their personal competencies.

•  Personal commitment gets replaced by a “What’s in it for me?” mentality.

•  There is an abdication of fiduciary responsibility and no one takes proper care of organizational assets.

A passive approach to business controls ignores the inevitable. The question becomes, “How much pain can a business live with prior to becoming aggressive on preventative controls?” If a dynamic organization does not have time to do controls right the first time, where will it get the time to fix controls in the future?

BizControl Solutions research has identified best practices of organizations that are effectively controlling their business. These include:

Control mentality. In-control organizations position business control as a core organizational value. They include it in their organizational value and culture statements, and support it in their operational decisions and subordinate coaching sessions. It is a regular topic during meetings and discussions.

Continuous assessment. In-control organizations continuously assess business controls to anticipate changing conditions. This is a proactive approach rather than a reactive response that assumes an “end of problem.”

Dedicated function. In-control organizations have a permanent cross-functional business controls team, headed up by a full-time business controls professional. The team is made up of high-potential individuals from all disciplines who look at overall organizational controls and help each other with specific departmental control issues.

Candid about dysfunctions. In-control organizations learn from their mistakes rather than bury them. They reinforce the “Don’t fix blame, fix the process” culture that is required for continuous controls improvement. This means formally sharing control problems, errors, and successes across the organization to all stakeholders who can affect controls.

Follow-through. In-control organizations make certain that everyone knows "we really mean it." This guarantees that business controls will not be seen as the latest fad, but are a permanent consideration for managing the organization effectively.

Business control starts with the Board of Directors. The Board expects senior management to maintain an internal control structure, and the CEO stipulates to the effectiveness of that structure in the annual report. In a properly run organization, the Board will not let senior management abdicate its control responsibility for the latest management fad, i.e., empowerment, first-to-market, increasing sales at all costs, and so on.

CEOs then naturally expect all managers throughout an organization to responsibly control the assets and processes of the entire enterprise. Unfortunately, business control is not treated as a core competency in management and supervisory development programs. Professionals in most organizations—if they learn anything at all about controls—must pick it up on-the-job and from outdated manuals. So there is a disconnect between the control needs and expectations of the organization and the knowledge and skills of management to design and execute effective business controls.

Senior management will not succeed unless their respective organizations consciously incorporate a control element within every business process. All managers must have a well-defined understanding of controls and also know what is expected in day-to-day operation.

Robert J. Stuckey is the managing partner of BizControls Solutions. He has lectured and consulted worldwide on business controls, and has over 25 years experience as a finance executive.

Kenneth Carlton Cooper is a  partner in BizControls Solutions. He has consulted on organizational development and process improvement since 1976, and is the author of The Relational Enterprise (AMACOM 2002) and Effective Competency Modeling and Reporting (AMACOM 2000).

BizControls Solutions is a St. Louis, Missouri USA based consulting firm specializing in business controls assessment, consulting, implementation, and training.

All companies, brands, products, and services mentioned in this Briefing are the trade names or registered trademarks of their respective owners.

Information in this report was obtained from sources BizControl Solutions believes to be reliable.