What do we do when we have been compliant and followed due process, but keep failing to get the outcomes we want?
We use controls to mitigate the risks to our organisation’s objectives. These can be in the form of a set of core processes, policies or procedures. Control environments can be complex. We often have a system of controls with many sub-systems which may interact or conflict with each other, such as project, procurement, contract or financial controls. This can lead organisations to focus on one set of controls without giving others their due attention.
For example, an organisation has outsourced the delivery of its programme to a third party. The contract has two elements: one to deliver the programme, with a set of project controls, and another to manage the supplier delivering the programme, with a set of contract controls. The organisation focuses on the project controls, as the delivery of the programme is its outcome in focus. However, by not giving the commercial and contractual controls their due attention, a misalignment between the organisation and the contractor begins to grow, and then widen. The right behaviour of the contractor is not incentivised, and the programme delivery slips out of control. The organisation did not recognise the full control environment for the project.
Another area where organisations fail to use the right controls is where they take a one-size-fits-all approach to the control environment. For example, using traditional annual financial controls for budgeting, instead of using more regular, project-specific financial controls and reporting. In this case, senior leadership lacks the timely oversight of budget over-runs and change control that would allow it to intervene.
When organisations tackle new endeavours or introduce change, they need to consider the design of controls, and how these may need to be upgraded, tailored or made more advanced. This ensures that the right level and type of controls are being applied and sets the endeavour up for success.