GRC 101: Controls Management

Few people like to make mistakes or break the law. Companies aren’t keen on such missteps, either, especially when they result in expensive fines or significant losses or damage a brand’s reputation. 

Controls Management is the organizational function that helps companies to avoid such outcomes. It involves identifying and checking errors and taking corrective actions to prevent those errors from happening again. It’s a system of checks and balances—the guardrails that keep companies compliant with regulations and internal standards. 

The concept dates back to the 1920s as an idea pioneered by business executive, mining engineer, and author Henri Fayol. While developing his 14 management principles, he divided management into five primary functions: planning, organizing, staffing, directing, and controlling.

These Controls Management principles are as relevant today as a century ago. Based on the idea that managers must gather and analyze feedback about business processes if they want to show improvement, controls management guides the necessary tracking and adjustments. A good Control Management system also ensures that:

• The right workflows happen and the right protocols are in place to help companies stay compliant and aligned with their purpose 
• Companies can withstand outside scrutiny, such as audits
• Companies can catch errors quickly and implement corrective action 

While today’s management involves using online platforms (rather than the pen, paper, and hand-drawn charts of Fayol’s era) the goals and principles remain the same.

The breakdown

Controls management refers to understanding regulatory expectations, setting standards, measuring actual performance, and taking corrective actions when necessary. Controls involve monitoring information, processes, or compliance with regulations, and the Management part concerns what happens with the information that’s been gathered and analyzed. It involves continuous monitoring of end-to-end processes, a close link to planning, and a comparison between the actual and planned performance. Ultimately, Controls Management is a tool for achieving organizational goals.

Why is Controls Management important?

Controls Management systems allow companies to gather and use information to help decision-makers plan and coordinate business activities, and help guide or advise on the desired behavior of managers and employees. These systems help companies stay compliant within different frameworks such as the ISO 2700 series or Sarbanes-Oxley (more on these below!), offering protection in event of an audit. Effective controls also help protect employees from workplace hazards, minimize or eliminate safety and health risks, and guide employers to provide safe working conditions.

Ideally, a good Controls Management system improves collective decisions within an organization without a negative financial impact.

In fact, in providing a solid framework for risk and controls, controls management:

• Adds or updates controls without disrupting processes
• Facilitates all types of communication
• Saves time by collecting, aggregating, and reporting on all risks using a single platform
• Allows control owners to update directly to the regulatory compliance management (RCM) or GRC, with full visibility 

A good Controls Management system should adapt to organizational needs by developing, gathering, and communicating information to management within all levels of the organization, providing financial and nonfinancial information according to requirement. Over time, as each component of the process is fine-tuned, the components come together to create an effective, high-functioning machine.

Common controls

Controls differ across industries and companies. Some of the most common industry controls include:

• ISO 2700: Part of the ISO/IEC Information Security Management Systems (ISMS) standards series. These broad standards cover privacy, cybersecurity, confidentiality, and other IT/ technical security issues.
• HIPAA: The Health Insurance Portability and Accountability Act passed in 1996 mandates industry-wide standards for healthcare information on electronic billing and requires confidential handling of protected health information.
• Sarbanes-Oxley (SOX): SOX compliance includes a formal system of checks and balances designed to protect investors by improving corporate disclosure accuracy and reliability. All publicly traded companies in the U.S. and publicly traded wholly-owned subsidiaries and foreign companies who do business in the U.S. must comply with its regulations.

Companies also often impose their own internal controls as well. These controls serve similar purposes but may align more specifically to a specialized product or service offering (for example, controls to ensure an automaker’s model specifications are met or a quick-service restaurant customer receives the same service every time).

What investment is required?

Since a lack of resources can inhibit a company’s ability to manage its controls, it’s important to establish the staff, software, and accurate measurement systems. The most critical piece to executing a solid Controls Management strategy is the ability to discover and report on issues quickly. Reliable statistical software and measurement systems—and trained staff—help recognize or reduce errors. 

Control Management offers a way to direct how you manage your company’s processes and can document roles and responsibilities that affect it. Plenty of resources exist to ensure your company finds and adopts the right solution. 

The LogicGate Risk Cloud™ automates the Controls Management activities that will allow your business to grow while staying compliant. With controls embedded into your processes, external and internal audits are not stressful events that are demanding of your resources. Ensure compliance enterprise-wide with easily automated workflows and controls, so that you can actually build your business and not just manage it.