Tuesday, March 10, 2026

The Illusion of Security: Why Your Internal Control Might Be a House of Cards

 

Once, during a consulting project, a manager told me something that sounded reassuring: "We have control for outgoing goods; it’s done every single day." However, as I dove into the process, I discovered the harsh reality behind those words. That "control" was merely an employee jotting down what left the warehouse in a notebook: no verification, no signature, and no oversight. In the manager's mind, the risk was covered; in practice, he had a hollow procedure, not an effective control.

Many people confuse control with bureaucracy, and I often hear that "bureaucracy kills business." But that isn't true. 

Bureaucracy, in its essence, is not a bad thing. If we look at Max Weber’s theory, we understand that it was conceived as a form of human organization based on rationality, ensuring impersonality, a clear hierarchy, and meritocracy. It ensures that the process depends on the rule, rather than the mood of whoever is executing it. 

I always say that bureaucracy is simply the formalization of what is already working.

The real problem isn't bureaucracy itself, but "bureaucratic excess", when the ritual becomes more important than the result. 

An internal control system based on best practices, right-sized to keep risk factors within acceptable levels, is essential for operational efficiency. It creates order and prevents the "rigidity" that often blinds an operation.

We know that internal control is an action designed to mitigate the cause of a risk before it materializes. It manifests in the "doing": in the review, the verification, the recalculation, and the careful approval. If there is no confrontation between "what should be" and "what is," the risk continues to walk freely through your company’s hallways.

For a control action to be more than just figurative, it requires four non-negotiable attributes:

  • First, the Objective, which is the very reason for its existence and must target the risk factor. For example, if the risk is the use of incorrect labor hours, the objective is to ensure that the hours in the payroll system are consistent with the time-tracking system.

  • Second, Practical Action, such as a data verification. It is vital to formalize how this action is performed so that a "prudent person" could re-perform it.

  • Third, the Evidence, because a control without a trail is invisible. It could be a sign-off, a system log, or an email. To an auditor or an internal controls specialist, a lack of evidence implies the control does not exist.

  • Finally, the Frequency, which must match the speed of the risk, whether it be daily, monthly, or per event.

 

When we talk about Control Modeling, the starting point is knowing the risk factor and the magnitude of what we are mitigating, allowing us to define the necessary attributes to keep the operation within the organization's risk appetite. 

These same attributes allow us to evaluate Design Efficiency, concluding whether the control has the theoretical capacity to mitigate the risk.

Once we move to Effectiveness Evaluation—the actual control testing—the focus shifts to two crucial points: discipline, observing if the evidence exists within the defined frequency; and quality, re-performing the action to ensure it wasn't just a formality.

This is why these attributes must be formalized, at the very least, in an Internal Control Matrix.
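To make the four attributes and the two effectiveness tests concrete, here is a small added example (not from the original post) that encodes one Internal Control Matrix row for the payroll vs. time-tracking control described above and then tests it the way the post describes: a discipline test that looks for gaps between sign-offs longer than the defined frequency, and a quality test that re-performs the comparison and checks whether the latest sign-off's reported result matches reality. All names, the weekly frequency, and the hours and sign-off data are constructed for illustration.

```python
"""Added example: one Internal Control Matrix row plus discipline and quality tests.

Names, frequency, hours and sign-offs below are constructed for illustration;
they are not data from the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Control:
    """One row of an Internal Control Matrix, using the article's four attributes."""
    objective: str        # which risk factor the control targets
    action: str           # how a "prudent person" would re-perform it
    evidence: str         # what trail the action leaves behind
    frequency_days: int   # how often it must run to match the speed of the risk


@dataclass(frozen=True)
class SignOff:
    """One piece of evidence: who signed, when, and what the sign-off claims."""
    performed_on: date
    signed_by: str
    reported_variance_hours: float  # total difference the reviewer says they found


# Constructed sample data: hours per employee from the two systems for one period.
TIME_TRACKING_HOURS = {"E001": 160.0, "E002": 152.5, "E003": 168.0}
PAYROLL_HOURS = {"E001": 160.0, "E002": 160.0, "E003": 168.0}

PAYROLL_CONTROL = Control(
    objective="Hours paid agree with hours recorded in the time-tracking system",
    action="Compare payroll hours to time-tracking hours per employee; investigate differences",
    evidence="Reviewer sign-off stating the total variance found",
    frequency_days=7,
)

# Constructed sign-offs: one week is skipped, and every reviewer reports zero variance.
SIGN_OFFS = [
    SignOff(date(2026, 1, 5), "reviewer A", 0.0),
    SignOff(date(2026, 1, 12), "reviewer A", 0.0),
    SignOff(date(2026, 1, 26), "reviewer B", 0.0),
]


def reperform(time_tracking, payroll, tolerance_hours=0.0):
    """Quality test: re-perform the action and return per-employee differences.

    A positive value means more hours were paid than were recorded.
    """
    diffs = {}
    for emp in sorted(set(time_tracking) | set(payroll)):
        diff = payroll.get(emp, 0.0) - time_tracking.get(emp, 0.0)
        if abs(diff) > tolerance_hours:
            diffs[emp] = diff
    return diffs


def discipline_gaps(control, sign_offs, grace_days=1):
    """Discipline test: intervals between sign-offs longer than frequency + grace."""
    dates = sorted(s.performed_on for s in sign_offs)
    limit = timedelta(days=control.frequency_days + grace_days)
    return [(a, b) for a, b in zip(dates, dates[1:]) if b - a > limit]


def evaluate(control, sign_offs, time_tracking, payroll):
    """Design check plus the two effectiveness tests, returned as one finding set."""
    design_ok = all([control.objective, control.action, control.evidence,
                     control.frequency_days > 0])
    gaps = discipline_gaps(control, sign_offs)
    actual = reperform(time_tracking, payroll)
    actual_total = sum(abs(v) for v in actual.values())
    latest = max(sign_offs, key=lambda s: s.performed_on)
    # Evidence and frequency exist, but the action was not really performed:
    # the sign-off claims zero variance while re-performance finds one.
    window_dressing = actual_total > 0 and latest.reported_variance_hours == 0
    return {
        "design_ok": design_ok,
        "discipline_gaps": gaps,
        "reperformed_variances": actual,
        "window_dressing": window_dressing,
    }


if __name__ == "__main__":
    result = evaluate(PAYROLL_CONTROL, SIGN_OFFS, TIME_TRACKING_HOURS, PAYROLL_HOURS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as a script it reports one discipline gap (the skipped week of January 19), a re-performed variance of 7.5 hours for employee E002, and flags the control as window dressing because the latest sign-off claims a zero variance that re-performance contradicts. The design check passes, which is exactly the point of the article: a control can look complete on paper and still fail on execution.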

It is also fundamental to understand that control is neither absolute nor infallible, as it is designed and executed by people. And where there are humans, there is vulnerability—whether through errors in judgment or, in grave cases, omission, fraud, and collusion. Therefore, the effectiveness of a control does not reside solely on paper, but in the discipline and ethical stance of its execution.

Recently, the market witnessed a testimony that serves as a stark warning. A former bank director admitted to signing documents without reading them. More than a momentary lapse, his confession revealed a void: despite heading the department, he did not perform monitoring or prevention duties.
Here we have the perfect "Window Dressing Control"—the evidence and frequency exist, but the execution of the action is null.

Unfortunately, this is not an isolated case; it is present in many corporations where management still mistakenly views control as mere bureaucracy.

To conclude, I leave you with a thought for reflection:

"The effectiveness of a control depends on action, evidence, and frequency, but it only stops being a house of cards when the integrity of the person executing it is greater than the convenience of simply signing."

Be happy!