Many organisations continue to use tactical solutions to support and facilitate their Internal Control and Compliance framework.
Tactical solutions typically consist of an unholy and uneasy co-existence of spreadsheets, word documents, access databases, emails and SharePoint sites with large amounts of supporting documentation kept in hard copy.
Two negative features, and natural by-products, of such a tactical approach are that: –
- Information is decentralised and fragmented
- Activity & responsibility is overly centralised
Decentralised Information – Tactical Approach
Information around process, risk and control documentation, the performance, self-assessment and evidencing of controls, planning and execution of testing activities and the remediation of deficiencies is scattered throughout the organisation.
Critical information is fragmented across multiple disparate sources and often haphazardly duplicated across the organisation. This makes reporting difficult and effective monitoring and analysis near impossible. Such a framework ultimately becomes cumbersome, inefficient and unsustainable. Many ‘hidden’ costs are associated with such a setup, not to mention the demoralising aspect of staff getting bogged down supporting the technical & administrative aspects of a creaking process.
Centralised Activity & Responsibility – Tactical Approach
Furthermore, activities, ownership and responsibility tend to be overly centralised within the 2nd line of Defence functions. Responsibility for ownership and maintenance of process, risk and control documentation is often done by the 2nd line on behalf of the 1st line. This places a heavy burden on 2nd line, blurs the distinctions between the lines and impedes the 2nd line’s ability and capacity to carry out their internal governance role.
Overall, this structure is the exact opposite of what an efficient and mature approach should look like.
The ideal situation is where: –
- Information is centralised
- Activity & responsibility is decentralised
Centralised Information – Strategic Approach
With a strategic solution, information is captured and maintained in a single central repository that serves all three lines of defence across the entire organisation. This ensures relevant up to date information is easily accessible at the right time, in the right place, in the right format by the right people.
Decentralised Activity & Responsibility – Strategic Approach
A strategic solution also supports the ‘managed decentralisation’ of internal control and compliance activities. Ensuring that ownership and responsibility is devolved to the relevant 1st line of Defence areas while ensuring an appropriate level of oversight is maintained by 2nd and 3rd lines of defence.
This ‘managed decentralisation’ drives positive changes in behaviour, and plays a critical role in helping to embed control & compliance activities into the day job of 1st line of Defence.
Only by using a strategic solution to support the internal control & compliance framework can an organisation make this switch and centralise what is currently de-centralised, while de-centralising what is currently centralised.
Download a PDF of the graphic below herecentralise_decentralise_graphic