Beware of Poor Control Design

This blog is a second abstract of my new book “Operational Risk Management: Best Practices in the Financial Services Industry” (Wiley, 2019). Chapter 10, pp 109-110.

Experience shows that many controls in firms are ineffective by design. This leads at best to a waste of resources and at worst a false sense of security in vulnerable environments. There are three very common types of poor controls:

  • Optimistic controls: these require either exceptional ability or exceptional motivation from the controller to be effective. Because they are cursory rather than thorough, they are often referred to as “tick-box” controls. One example is sign-offs for large volumes of documents just before a deadline;
  • Duplicative controls: “four-eyes check” is the most common form of duplicative control. Though widespread, having more than one person check the same information can dilute accountability. Also, because too much trust may be placed in collective control, individual attention and focus may be less rigorous, increasing the overall risk. Four-eyes checks are more effective when carried out by a manager and a subordinate, or by people from different departments, and more generally, when accountability is clearly attributed to those performing the tasks.
  • More of the same: this means responding to a control failure by adding a control of the same design, even though the previous one has failed. Two real-case examples clearly illustrate the flaws of this approach: 
  • A firm sent the wrong mailing to a group of clients, due to failure of the four-eyes check between the mailing third-party supplier and the firm. In response to the incident, management added a third person to the process control, turning the four-eyes into six-eyes. Unsurprisingly, the process failed again and the incident reoccurred. Adding a third person simply diluted the accountability and weakened the process even further. 
  • A firm with sensitive customer information built a strict process for third-party onboarding. But the process was so cumbersome that employees tended to bypass it to onboard suppliers more quickly. In response, the firm made the onboarding process even more stringent, further encouraging employees to bypass it. As a result, large volumes of the firm’s client data ended up being held by a third party without a proper, enforceable, third-party contract. 

More controls do not necessarily mean less risk. Poor control design can increase the vulnerability of a process to various risks. 

Conversely, proper process design reduces inherent risk by the simple fact of organizing tasks properly, without the need to add controls. In the field of health and safety, the concept of “Prevention through Design” (PtD), focuses on minimizing occupational hazards early in the design process. The next section explores the more general question of preventing non-financial risks by using better design of processes. 

To continue reading: