Control View Augmentation

CEO of a large electronic products company received an email from his colleague seeking his ratification for some exceptions which were said to be related to some routine activities. CEO, who was not aware of existence of such activities, instead of ratifying, asked for the purpose of carrying such activities in first place and how these were relevant to the business?

On further inquiry, it was occurred to CEO that these activities were not adding any economical value to the business but consuming a lot of time of the company resources. Then he called Internal Auditor of his company who replied that although his role has been enlarged to improve processes but it is impossible for him to know details of each activity carried out in the organization. Not satisfied with his answer, CEO approached CFO to seek his views on current risk management efforts and responsibilities of identifying and plugging such problems.

When CEO came with his query, CFO was talking to his friend, a risk consultant, who had come to his office to meet him. Soon thereafter all three started talking on the subject. The risk consultant recited how a company has implemented activity based responsibility management, the methodology that provided the internal auditor with the ability to identify and eliminate activities that do not contribute economic value to a business. The management techniques have resulted in flatter organizational structures, the elimination of hierarchies, and fewer internal controls. Managers have taken on a new role as facilitators and coaches instead of supervisors. The old, rigid hierarchical structures have little place in the era of innovation and process improvement.

Advocates of process improvement cannot be allowed to arbitrarily dismiss the concept of extensive checks and controls. The new methodology champions audit trails, clear activity definitions, appropriate separation of duties, and well-defined performance measures. New internal controls take the form of information sharing and trust instead of internal controls inherently based on mistrust.

The approach enables management to actively participate in the process of systematically describing activities, decisions that have to be accomplished, and to clarify the responsibility that each plays in relation to those activities and decisions.

After due responsibility charting, issues are required to be addressed as follows:

• Can or need the individual(s) stay on the top of so much? Can the decision/activity be broken into smaller or more manageable functions?


• Does Individual(s) need to be involved in so many activities? Are they a gatekeeper or could management by exception principle be used?


• Should this functional role or activities be eliminated? Have processes changed to point out where resources should be re-utilized?


• Does proper segregation of duties exist? Should other group be accountable to ensure proper checks & balances?


• Does the type & degree of participation fit the qualification of this role?

After risk consultant stopped talking, CEO smiled and with a pause invited both of them to join him for dinner as it was already 8:30 PM in the evening.