Taking Control of Internal Controls

To some degree or another, most of the large financial institutions have been looking at implementing some kind of internal controls framework in the last few years. Whether it’s driven by a focus from the regulators, external audit or just a focus on formalising controls as a robust way to mitigate risk, they have become a de-facto mechanism in an organisation’s toolbox to manage risk. In many cases we’ve seen the idea struggle to deliver full benefits, however. How do you move this from a ritualistic, bolted-on-the-side, box-ticking exercise to controls fully embedded in processes, with meaningful metrics and really adding value to risk reduction?

Stay current on your favourite topics


Some years into the controls journey and we at Citihub have learned a lot about what works and doesn’t work as we’ve seen our clients struggle to implement good practical controls frameworks that add value. It’s not been an easy path for most. Based on our experiences over the last few years, we’d like to propose a few observations and ideas that might help to refocus any programs that have lost their way.

Idea #1 – Remember why you’re doing this

Controls can feel a bit abstract and they don’t make sense in isolation. For them to add real value you have to consider them in the context of the risks they are there to mitigate. It may sound obvious if you are one who truly understands controls and how they are designed to work but often the folks at the operational sharp end (and also senior management) struggle to make the mental leap to see the value of a control and what it is aiming to achieve. If you can articulate the risk along with its impact and then how the control mitigates or modifies either the impact, probability (or both) of that risk occurring – you’ll often see the light bulb switch on.

Idea #2 – Think about governance

Risk governance has gone through some fundamental change in the last few years. Many organisations are adopting the three lines of defence model but it’s been difficult to implement as a few have publicly stated. For control frameworks, many saw the model as a way to reinforce that accountability for at least the operation, if not the design of the control, rests with the first line. The problem is that the first line often lacks the skills to define controls well and the demarcation created by 3LoD can work against what you are trying to achieve. Second lines of defence need to provide adequate support both in terms of frameworks and tools but also advice and support. If the second line takes too much of an assurance stance, they start to become too much like the 3rd line (audit) and leave the 1st line isolated. It’s a tough balancing act for the 2nd line but a crucial role to get right if the model is to work well. The trick is to ensure that everyone is aiming for the same outcome and governance and leadership rather than just the organisation model, are key to making this happen. See also my comments about culture and behaviour below. Governance processes also need to constantly re-evaluate the effectiveness of controls and ensure that controls are effectively mitigating risks to acceptable levels.

Idea #3 – Embed controls in processes

Controls are most effective if we don’t even think about them. They are just there. Embedded in processes, part of what we do every day. Ideally automated and with metrics also embedded to fire off alerts as a pre-defined threshold approaches. Operational managers will soon appreciate the value of being able to monitor control effectiveness in this way and it will encourage intervention earlier to avoid controls breaching those pre-defined limits. For access controls enforcing segregation of duties, for example, create automated workflows that remove the need for manual intervention and ensure that segregation is guaranteed. In some cases, some lateral thinking is helpful too. Consider the trends coming from DevOps or Continuous deployment. Automation is key here but inevitably there may be some manual checkpoints required for manual code reviews, for example. Reviewing little and often will help to reduce the potential bottleneck and thinking of creative ways to remove the manual step from the critical path can also really add value. See also the white paper from my colleague Erhan Sen.

Idea #4 – Address the cultural and behavioural issues

The organisational changes imposed by a three lines of defence operating model are not sufficient to change behaviour and in fact, as mentioned above, can conspire to inhibit the collaboration needed to ensure that controls add value in the organisation. A legacy of looking to IT Risk professionals in specialist Risk organisations reinforces the attitude that Risk (and controls) is the business of Risk folks. Equally, Risk specialists often see themselves as filling an assurance role and that their role is to identify where controls are not working rather than getting involved to help them work. A range of interventions is needed to support the operating model.

  • Leadership – clear signals need to be sent and reinforced from senior management that risk is everyone’s business and that the risk professionals are essential advisors and part of the team to help the first line to get this right
  • Awareness – document some simple but direct and easy to understand examples of what can go wrong when risks are not addressed or controls do not operate properly and also the repercussions at all levels of control failures.
  • Training – set up roadshows to help people to understand the principles, the specialist language and some good examples of controls. Ideally, have these run by the senior leadership team
  • Role Models – find some good examples of where controls have been well designed and implemented and use them as role models. Consider using the individuals involved in the training and awareness outreach

Stay current on your favourite topics


Idea #5 – Raise the bar

Controls need a feedback loop and constant adjustment to ensure that they are meeting the moving risk landscape. Monitor metrics and adjust to compensate for changing circumstances, introduce new controls as the risk landscape and regulatory focus changes and don’t hesitate to raise the bar as the organization matures.

I sometimes find it helpful to use an industrial control metaphor when thinking about internal controls. Valves, thermostats, pressure gauges, thermal cutouts, pressure release valves etc. are all good examples of instrumentation and controls in an industrial context. Pressure and temperature can be monitored with instrumentation and manually or automatically adjusted as dangerous limits are approached. Safety cutouts exist to shut things down if limits are breached. The same principles can be applied to internal controls as long as we design them well, embed them in our processes and ensure that the instrumentation is there. There is one important dimension that we cannot ignore, however, internal controls are usually in place to influence human behavior, rather than the flow of an industrial chemical or the efficiency of a machine. In this respect, the cultural and behavioral aspects cannot be ignored and training, awareness, and not least leadership are crucial to ensure that it’s easy to do the right thing and hard to do the wrong thing.

Would you like to know more about our work?

The author

Graham Fletcher

Graham Fletcher

Associate Partner, New York

Graham, a Certified Information Systems Security Professional (CISSP), has over 30 years diverse experience in IT, specialising in IT Risk and Security project leadership. He is the firm’s competency lead for Technology Risk & Information Security.