A few days ago in the midst of driving around to do last minute errands before Christmas, I glanced at my dashboard. The needle on my gas gauge was below the Empty mark. A small amber light was flashing, but it had not caught my attention.
Like most cars these days, there are lights or buzzers to notify us when just about anything is amiss. There are buzzers in my car to tell me if the seat belts are not fastened. A bell sounds if a door is ajar. Years ago, when cars had far less automation (or I could not afford the ones that did) I listened carefully to the sound of the engine, checked my tire pressure routinely with a pressure gauge, and personally checked the engine oil level with a dipstick every time I bought gas. Now, when it comes to driving I have become control complacent; I assume any pending danger will be preceded by a warning. 99% of the time that is true. The 1% can be a huge risk. It must be managed.
Control complacency arises when we take our controls for granted and we forget the risk they were designed to protect us from.
This is not a new phenomenon. Many of the risks we face lend themselves to apparently effective and easy-to-install “controls”. The proliferation, visibility and testing of controls has made us control complacent.
COSO Guidance on Monitoring Internal Control Systems is an example of professional guidance that I believe may lead to control complacency if applied too literally or too narrowly. This COSO guidance does not focus sufficiently on risk assessment or business performance.
History has many examples of control complacency. Control complacency did not begin with the botched December 25 attempt to blow up a Northwest Airlines passenger jet en route from Amsterdam to Detroit.
Prior to WWII, the French established the Maginot Line, a series of concrete fortifications, tank obstacles, artillery casemates, machine gun posts, and other defenses to provide time for their army to mobilize in the event of a direct German attack. The French were confident in their defensive strategy. But the German army simply flanked the Maginot Line by invading through Belgium. France surrendered in weeks.
Whether the risk is an empty gas tank, terrorism, military invasion or any of the risks facing business today, I believe unexamined risks will always prevail over control complacency. Controls don’t make risks go away. The 1% risk is always present.
In one of my earlier blogs I outlined what I called the 3:1 Risk Rule, arguing that we should know 3 times more about our risks than about our controls, and arguing for far fewer, more top-down and far more precise controls.
In another blog I raised the question “Who is testing the risks?” to make the point that risks must be continuously identified and assessed in order for controls to be reliable.
How many controls are enough? We hire auditors to express opinions on “control effectiveness”, often based on an examination of the controls in the absence of any consideration of risk. My concern is that “effective control” can quickly lead to control complacency.
The only way to eliminate control complacency is to spend at least as much time and effort managing the risk side of the equation. The new ISO 31000 Risk management — Principles and guidelines on implementation provides some help, as does the Society of Actuaries' recent publication A New Approach for Managing Operational Risk. But I sense that the vast majority of our assurance and regulatory resources are still focused on the control side of the equation, and like airport security, they risk leading us to control complacency.