If you have any familiarity at all with internal control concepts, you probably have an understanding of the traditional designations of preventive, detective and corrective controls that relate to discouraging, finding, or correcting errors and irregularities. In the modern business world, I submit that this approach to internal control is simply not enough, and both the names for these groups of controls and the definitions of them must evolve.
Today, organizations are seeking Principled Performance – defined as reliably achieving objectives while addressing uncertainty and acting with integrity – and they want to address both downside threats and the upside offered by identifying and grasping opportunities. Nowhere is this clearer than in the context of the controls we establish for governance, risk management and compliance (GRC) capabilities.
The OCEG GRC Capability Model notes:
“To achieve Principled Performance, the organization must proactively encourage conduct and events that support its objectives and prevent anything that threatens meeting those objectives. It also must be able to detect ongoing progress toward objectives and determine if undesirable conduct, conditions and events have occurred, or appear likely to occur. Finally, the organization must respond appropriately to desirable and undesirable conduct, conditions and events.”
With the growing availability of technologies that allow for fast and user-friendly analytics, the way we structure controls can offer so much more than detection of errors. We can use an integrated and layered system of various control types – including process, human capital, technology and physical controls – based on risk assessments and analyses to increase an organization’s confidence in its actions.
In some frameworks and professions, the concept of control is narrow; in effect it is the “check” on actions management has put in place. For example, someone with such a view of control would say that a company policy or training program is not a control, but the review of metrics that shows whether the policy or training has been distributed according to plan would be a control. In other frameworks and professions, the policy and training would also be considered controls, because they are designed to ensure the desired conduct.
I don’t really care which view you take of the vocabulary, and to argue it is probably a waste of time. OCEG addresses this divide by referring to “management actions and controls” together. Whatever terminology you apply, the outcome needs to be the same. We need to classify management actions and controls under headings that reflect the ways they are used to help the organization achieve Principled Performance.
We have published a great new infographic in the GRC Illustrated Series about performance of GRC actions and controls as presented in the GRC Capability Model 3.0.
I propose that the modern categories for controls are those set out in the OCEG GRC Capability Model – Proactive, Detective and Responsive.
- Proactive management actions and controls include prevention but go beyond it: they are used to encourage desirable conditions and events and to prevent those that are undesirable.
- Detective management actions and controls determine progress toward objectives and identify the actual or potential occurrence of desirable and undesirable conduct, conditions and events.
- Responsive management actions and controls do more than correct errors. They help us recover from undesirable conduct, events and conditions; fix identified weaknesses; execute necessary discipline; recognize and reinforce desirable conduct; and deter future undesired conduct or conditions. They also support our ability to grasp opportunities.
What do we do differently if we think about management actions and controls in this way? First, we examine the objectives set by leadership, whether at the entity level or for a particular program or project, and establish actions and controls not only to address whatever might prevent achievement but also to support whatever might enhance the likelihood of meeting those goals. Our entire control framework starts from that holistic perspective. Second, we build a control structure on the understanding that each action or control can serve more than one purpose. This leads us to establish a layered range of controls so that high-risk areas have no single point of failure, while, guided by the risk assessment, neither under-controlling nor over-controlling any area. Third, we recognize that we can, and must, be both proactive and responsive at the same time. The technology available to us today, and the analytics and reports it produces, allow us to constantly reevaluate and rebalance the full range of actions and controls. When we take such an integrated approach to the internal control environment, we are well positioned to achieve Principled Performance.