Beware of Poor Control Design
This blog is a second abstract of my new book "Operational Risk Management: Best Practices in the Financial Services Industry" (Wiley, 2019). Chapter 10, pp 109-110.
Experience shows that many controls in firms are ineffective by design. This leads at best to a waste of resources and at worst to a false sense of security in vulnerable environments. There are three very common types of poor controls:
- Optimistic controls: these require either exceptional ability or exceptional motivation from the controller to be effective. Because they are cursory rather than thorough, they are often referred to as “tick-box” controls. One example is sign-offs for large volumes of documents just before a deadline.
- Duplicative controls: the “four-eyes check” is the most common form of duplicative control. Though widespread, having more than one person check the same information can dilute accountability. Also, because too much trust may be placed in collective control, individual attention and focus may be less rigorous, increasing the overall risk. Four-eyes checks are more effective when carried out by a manager and a subordinate, or by people from different departments, and more generally, when accountability is clearly attributed to those performing the tasks.
- More of the same: this means responding to a control failure by adding a control of the same design, even though the previous one has failed. Two real-case examples clearly illustrate the flaws of this approach:
  - A firm sent the wrong mailing to a group of clients, due to failure of the four-eyes check between the mailing third-party supplier and the firm. In response to the incident, management added a third person to the process control, turning the four-eyes into six-eyes. Unsurprisingly, the process failed again and the incident reoccurred. Adding a third person simply diluted the accountability and weakened the process even further.
  - A firm with sensitive customer information built a strict process for third-party onboarding. But the process was so cumbersome that employees tended to bypass it to onboard suppliers more quickly. In response, the firm made the onboarding process even more stringent, further encouraging employees to bypass it. As a result, large volumes of the firm’s client data ended up being held by a third party without a proper, enforceable, third-party contract.
More controls do not necessarily mean less risk. Poor control design can increase the vulnerability of a process to various risks.
Conversely, proper process design reduces inherent risk by the simple fact of organizing tasks properly, without the need to add controls. In the field of health and safety, the concept of “Prevention through Design” (PtD) focuses on minimizing occupational hazards early in the design process. The next section explores the more general question of preventing non-financial risks through better design of processes.
To continue reading: https://www.amazon.co.uk/Operational-Risk-Management-Practices-Financial/dp/1119549043/ref=sr_1_1?s=books&ie=UTF8&qid=1544088005&sr=1-1&keywords=ariane+chapelle
Index specialist
3 years ago: This is a very interesting book as it is covering a good explanation about risk mitigation, in my point of view. My question would be the link between cognitive biases and poor control. As you mentioned optimistic controls in risk mitigation, do you think that this problem is also stemming from the optimistic bias that the controller might have in his/her controlling process? Thank you so much in advance!
Senior Risk Expert at the Swedish Financial Services Authority
6 years ago: Insightful as always. I am very much looking forward to the book. I am curious, is the book addressing functions-based vs process-based risk analysis somehow? Poor process design (or understanding of activities/processes) often leads to poor risk statements, which leads to poor control design. Efficient and effective processes are also one of the main objectives of internal control, but I have rarely seen process-based risk analysis (e.g. along product lines). In Sweden and Finland the FSAs have put rather detailed requirements on significant processes to be documented, see Chapter 5 of the SE-FSA's regulatory code: https://fi.se/contentassets/e9720562371742808d03dbae519473cf/fs1404_eng.pdf. Still, firms have responded to this in a number of ways, but rarely with an end-to-end perspective. Can functions-based risk analysis really work, except perhaps in smaller organisations with relatively few and short value chains? Best of luck for a successful launch of your book. Christer Wessman