“Minimum” controls: how much is enough?

It is more important than ever for companies to be forward thinking in the value they place on controls and to be proactive in how they explain that investment to their stakeholders.

A well run business, underpinned by an effective control environment, that maximises the use of technology, is more likely to win in a challenging and disrupted market, adding more value to its investments and managing its costs.

A modern approach to financial control, that focuses on “what could go wrong?” and leverages technology whilst understanding the incremental risks it brings, is an asset to any business that will save cost year on year and support a strong business culture of getting it “right first time”.

What’s the business case ?

It can be difficult to attribute the benefits of financial controls to a return on investment, at least until it’s too late and losses have occurred.  The gap that failed will be plugged, but where the culture is not about getting it right, there will always be another costly surprise ahead.

Focusing on the right controls at the right level of depth will:

• save the time and cost spent on fixing issues later
• enhance profitability by making systems, processes and people more efficient;
• build stakeholder credibility; and
• support a strong business culture of getting it right first time.

In the same way a company invests in an insurance policy to safeguard its business, protecting cash and assets from future losses is a component of sustainable success.  

Using a net present value model can calculate the benefit or cost, however given the difficulty of reliably estimating the probability, timing and quantum of future losses, the value of such decision making tools, in all but the most mature control environments, is limited. 

One only need look at recent news headlines and ask “had controls had been in place, would the company have issued a profit warning?”, “would a fraud have been prevented?” or “could the company have survived?”.  There were 89 profit warnings, across all FTSE indices, in Q1 2019 with 44% of these making warnings in the previous 12 months. Whilst these might not be directly attributed to weak control environments, the precedent in the US for fraud and failures being addressed through a strong control environment is well understood.

Controls are essential to any strong company and there is no robust argument that appropriate controls are not cost effective and an essential component of value.

How much is enough?

If “minimum controls” means “de-prioritised”, “ad hoc” or “not evidenced” then that’s not enough.  If “minimum” means “enough to prevent or detect errors” that’s good. Clearly “minimum” is a subjective term and we prefer “Key” or “Critical”, but the real answer lies in defining and communicating what is right for your business.

Starting with a thoughtful financial risk assessment is hugely important. In our experience, financial risk assessment is regularly performed at too high a level, often as part of a wider business risk assessment, to enable the Board to properly understand the financial risks or to identify the essential financial controls.

There truly is no ‘one size fits all’ approach although it is widely accepted that there are a number of good practices that can be applied across many organisations. However technology change is bringing new risks and opportunities. Good practice is shifting towards automated preventive controls away from manual detective controls and control data analytics regularly provide more insight than a traditional review.  Not all companies are quick to eliminate traditional, but now redundant, controls.

Key features of a modern controls framework are transparency evidencing ongoing effective operation, focus on culture, standardisation, consistency, automation, removal of redundant controls and sustainability.   Controls should reflect the way the business is run, not be a separate compliance exercise. 

Documentation is about sustainability and reducing key man risk, consistency, transparency and rigorous thinking in terms of how the control addresses the risk which we’d argue has value to any business.  Knowing your team is doing a really good job and being able to demonstrate that, is more valuable than believing nothing has gone wrong so far. 

Ultimately, ‘enough’ is determined by each organisation through a high quality financial risk assessment and the identification and tailoring of automated vs manual controls.  We believe that ‘minimum controls’ should include ‘enough’ to protect from reputation damaging fraud, significant error and ultimately failure.   This requires a level of built in contingency to be strong enough to withstand unexpected events and issues and a regular reassessment of risks.  Company stakeholders in the current climate want to be reassured by language such as strong, not minimum.

By implementing a strong financial controls framework a business will be in a confident position to drive the business forward to success supported by their stakeholders who are assured of the sustainable future performance of the business.