Though business controls can sometimes have negative connotations in the context of monitoring and taking disciplinary action against employees, the use of control can instead be seen as a process for steering the employees’ activities in the desired direction to achieve the best possible results. A well-designed system of business controls can also enable a manager to pinpoint exactly where and how the business is deviating from its plans and then take steps to correct the situation.
From a management viewpoint, the imposition of business controls enables the manager to minimize risk, optimize efficiency and effectiveness of the operation, coordinate different activities and systems, ease the task of training new employees and supervisors, facilitate the delegation of authority and tasks, and more easily measure performance and take corrective action.
This book is intended to provide a comprehensive outline and guide to the subject of business controls. At the outset, the question “Why are business controls important?” must be addressed so as to inform the reader of what can be achieved by studying the subsequent chapters.
1.1. Importance of Business Controls
Business controls range from the simplest, keeping extra cash in pocket when it’s raining, to the most complex involving detailed designed systems for certain activities. The level or type of business controls is dependent on the nature and the size of the enterprise and its activities. Many times, systematic changes or changes in the nature and size of the activity, business controls may ensure desirable changes in some activity can also lead to a change in the control. In varied situations where controls are the same, the entrepreneur can delegate the control activities to various business control specialists.
Business controls are mostly considered as a preventive or a detective, and always a corrective measure to ascertain that the enterprise is moving in the right direction. The decision to start the control would come from a comparison of the current status to some standards or goals. Because the controls are mainly to ensure that the thought or an action is giving the desired result, for instance, a change in the method of a production activity would require a comparison of its output to the desired result.
Ever since the enterprise has started its journey, there is an official beginning. The business controls can be in a built-in form or documentation stating the adherence of one activity to attain some specific policies and procedures. Business control activities can happen anytime during the change process, i.e. when the enterprise is trying to move from one level to another.
At this stage, before the company actually gets into the real activity planned, the entrepreneur needs to understand the feasibility for the intended future in terms of the resources and the challenges involved. The entrepreneur needs to identify the resource requirements and the various challenges involved to put his vision into reality. The entrepreneur would then be trying to chalk out a plan to eliminate the gap between the current status of the company and the intended future. All these activities in various forms are diverse business controls.
Business controls are the arch-rails for the journey of an entrepreneurial venture. The vision that the entrepreneur has for the company would have been derived from an insight or an ideology that the entrepreneur had at a certain point of time. There would be an orientation phase where the entrepreneur would be defining the direction in which the company would be heading. This would be an output of the insight and the learning that the entrepreneur had got through his experience and the expertise, and it would be translating into reality the vision that the entrepreneur had seen.
Advocating for Business Controls
Business controls, also known as internal controls, encompass the policies, procedures, and practices that businesses implement to protect their assets, ensure accurate financial reporting, and enhance operational efficiency. These controls, including segregation of duties, authorization processes, and regular monitoring, collectively form a robust system within an organization.
The significance of business controls escalates with the company’s size and particularly with the number of employees. This challenge is exacerbated by the shift towards remote work in the post-COVID-19 era. Many traditional controls have become outdated; for instance, physical check signing for supplier payments has largely transitioned to digital payment methods.
In a small company where a single decision-maker (typically the CEO) handles everything, each choice directly reflects on that individual. Consider a founder of a startup aiming to engage a critical software vendor. The CEO’s personal decision impacts the company’s financial and operational aspects. Seeking speed, the CEO might skip a thorough vendor selection process due to time constraints or lack of awareness.
As the company expands, the CEO faces a dilemma: continue making all decisions and risk bottlenecks, or delegate decisions to a newly hired VP of Operations. However, trust alone is insufficient and non-scalable. Without a control framework, the VP may introduce risks disproportionate to their role. Conversely, the CEO may struggle to discern which decisions to delegate and which to retain, leading to inconsistent management approaches.
A progressive internal control framework empowers CEOs to manage company risks while maintaining organizational efficiency.
Developing a Control Framework
I have devised effective internal control frameworks tailored for fast-growing companies, drawing from my experience in larger, more structured corporations. These frameworks aim to minimize losses and secure venture capital funding without compromising agility.
Document Specific Risk and Control Factors
Start by assessing and documenting key risk and control factors within your company. This fosters consensus and ensures that decision-makers establish efficient workflows while effectively managing risks.
- Operating Complexity: Evaluate factors like headcount, staffing model (remote versus office-based), operating locations, business model, and customer base. Greater complexity warrants closer monitoring.
- Technological Sophistication: Assess the company’s use of technology, which influences the design of automated controls and overall efficiency.
- Materiality: Determine the threshold for financial discrepancies or process deviations that require immediate action or reporting.
- Risk Tolerance: Define the level of risk the CEO or founder is willing to accept. This evolves over time and guides control implementation.
- Fundraising Stage: Secure funding triggers the need for a robust control framework, meeting investor expectations for larger companies.
Understanding these factors forms the basis for a progressive control system, influencing the number and effectiveness of controls in the framework.
Calibrate the Three Levers of Control
After evaluating risk and control factors, adjust controls using three key levers based on the company’s risk assessment and tolerance:
- Value Limit: Set the threshold triggering the control, impacting exceptions flagged for review.
- Cadence: Determine the frequency of control execution, from per transaction to annual checks.
- Objective: Define if the control prevents or detects unauthorized events or decisions.
These levers allow controls to align with risk considerations, balancing risk prevention and operational efficiency.
|
Lever
|
Low Risk Tolerance
|
High Risk Tolerance
|
Example
|
|
Value limit or tolerance
|
A lower value limit, which triggers a control more often
|
A higher value limit, which triggers a control less often
|
A department store may require a line manager to get approval before granting a refund. The control limit that triggers the need for authorization can be set to a lower value for higher-risk items (e.g., electronic equipment) and to a higher value for lower-risk items (e.g., clothes).
|
|
Cadence
|
Performing a control review frequently
|
Performing a control review less frequently
|
A restaurant needs to maintain tight control over food and beverage inventory. Higher-demand inventory such as alcohol and other beverages should be counted multiple times per day, whereas vegetables and frozen foods may only be counted daily or every other day.
|
|
Objective
|
Preventive control, which stops an unwanted action before it occurs
|
Detective control, which identifies an unwanted action after it has occurred
|
System authorization limits could either prevent an inappropriate credit note from being issued by requiring preapproval, or detect inappropriate issuances through a monthly report reviewed by management.
|
At smaller companies, or those with a greater appetite for risk and speed, I will set higher value limits, design controls to be executed less frequently, and rely more on detective controls.
I recently assisted a startup during its attempt to raise a Series A investment round. The company had a relatively small headcount and management was stretched thin trying to deliver on multiple objectives. Considering the practical reality of the company’s position, I designed a control framework that employed more detective controls and had management review these less frequently: We prepared a report at the end of each month detailing all overtime worked for client-facing staff; exceptions were investigated and recorded, and an executive summary and cost impact were shared with the wider executive team via email. We seldom had an issue, but during one month, overtime ballooned, and the VP of Operations responded with a number of corrective measures. While the excess cost could have been avoided, the additional time and effort to do so far exceeded the money lost from this single month.
While some controls have clear best practices attached to them (e.g., perform a bank reconciliation for all business accounts each month), most controls can be dialed up or down to suit each entity’s specific risk appetite. What is more important is that these levers be reviewed on a regular basis (annually at minimum) in the context of the overall risk assessment, and that each control be modified to match the size and complexity of the organization at that particular time.
Decide How to Delegate Authority
Once your control levers are calibrated, it’s time to consider who should be empowered to deploy them. The most common challenge for leaders of growing or medium-sized entities is delegating the responsibility for business control to middle and line management. This is especially common in companies that grew from a startup or family-run business in which the key person of influence was accustomed to performing all controls personally. The majority of smaller companies I have worked with have experienced this problem, and the result is a bottleneck that slows down the business. Even worse is that the valuable time of the founder or CEO is diverted away from high-value work to administrative tasks, an exceptionally expensive situation that is often overlooked.
To help leaders manage the transition, I recommend developing a “delegation of authority” matrix, also known as a “limit of authority” matrix. This is a policy document that instructs and guides all employees regarding approval limits when transacting on behalf of the company. This matrix serves as the foundation of a company’s governance framework by clarifying and quantifying the decision-making authority of each member of the management team.
The matrix to address all functional areas of the business is usually developed by the CFO and approved by the company’s board of directors.
Excerpt From a Typical Delegation of Authority Matrix
|
Business Area
|
Sub-area
|
Topic
|
Approval Limits
|
Approval Required
|
|
OpEx/CapEx
|
Operating Expenses
|
Nonrecurring Expenditures
|
Under $5,000
|
Line Manager
|
|
Between $5,000 and $20,000
|
Senior Manager
|
|||
|
Above $20,000
|
C-suite
|
|||
|
Vendor Contracts
|
Annualized value under $5,000
|
Senior Manager
|
||
|
Annualized value between $5,000 and $20,000
|
C-suite
|
|||
|
Annualized value above $20,000
|
C-suite and CEO
|
In this example, the delegation of authority to a line manager to incur an operating expense on behalf of the company is limited to $5,000, and any expense greater than this will require prior approval from the next most senior person noted.
As a business expands, it encounters increasing complexity as workforce size, transaction volumes, and financial sums or quantities grow. With this complexity comes elevated risk.
While many executives are familiar with delegation of authority matrices, few grasp how documenting risk factors and implementing described controls can achieve an optimal balance between risk reduction and operational efficiency. Adopting this approach not only gains wider management buy-in but also ensures better adherence to business controls, preventing finance teams from defaulting to generic frameworks that may not suit the company’s complexity or risk tolerance.
As the company scales and decision-making extends beyond the core founders, the delegation matrix’s importance amplifies. I advise implementing a simplified version early on, ideally before hiring middle or line managers, typically around 50 employees. Once established, you’ll find the framework seamlessly scalable and integral to risk management, providing assurance to investors and safeguarding against potential pitfalls. Without these guardrails, as seen in cases like FTX, Theranos, and Enron, unchecked growth can expose companies to significant risks.