Should Be Stewards of the Organization’s Speed-Versus-Control Balance
By Jim DeLoach, Former Andersen Partner and current
Managing Director at Protiviti
This article was first published
by Forbes CFO Network and has been reprinted with their permission
digital transformation accelerates, companies confront a pressing question: Does
the balance we strike between speed and control align with our strategy? CFOs
are key stakeholders in that ongoing determination, and more finance leaders
are assuming stewardship of these deliberations. This emerging responsibility
involves assessing and managing the impacts to internal controls that arise
from business and digital transformation activities—and determining the extent
to which this speed-versus-control balancing act aligns with the organization’s
business strategy. While the challenge this balancing act poses is certainly
not new, it is exacerbated by the increasing demands and accelerating pace of
change of the digital era.
has always been a fascinating concept in business. In the analog age, elapsed
time was often benchmarked against competitors as a way of driving continuous
process improvements, under the theory that taking time out of a process made
it more efficient and flexible. In the digital age, time and speed have evolved
beyond the tactical to emphasize a more strategic and holistic view with the
objective of challenging conventional thinking and disrupting recognized ways
of working and long-established value chains.
value for the customer is a constant, never-ending pursuit to reimagine and
improve business models and processes in an ever-changing operating
environment. It is fueled by attention to speed in gathering and learning from
feedback and making and executing high-quality decisions in deploying digital
technologies and tools to deliver the value customers want and expect. Anything
short of that is not a very smart play in a digital economy in which markets
progress at a rapid pace.
the development and adoption of advanced technologies reside beyond the finance
organization’s traditional span of control, it is vital to recognize that more
of these activities also take place beyond the IT group’s purview thanks to
citizen developers, low-code/no-code offerings, shadow IT projects and related
forms of decentralized technology deployment. As a result, the extent to which
high-speed technology development and adoption activities affect the organizational
controls environment is often unknown. Addressing this issue is squarely in the
CFOs should understand those elements of transformation that tend to exert the
greatest impacts on the control environment, including which internal controls
are most at risk of neglect, and how they can help the enterprise monitor and,
when needed, recalibrate its speed-versus-control balance.
and how internal controls may be overlooked
knows that digital transformation-driven speed is beneficial and increasingly
necessary from a competitive standpoint. That said, several transformation
activities and approaches throughout an organization tend to have substantial
impacts on internal controls. These include, but certainly are not limited to,
developers: A growing number of
organizations are using citizen developers, decentralized software
development approaches and other forms of shadow IT to accelerate the
creation and deployment of new digital tools, products and services. This
speed often comes with a cost given that these methods can introduce new
risks and control issues.
Internet of Things (IoT): As companies and their third
parties continue to increase their use of IoT sensors, devices, applications
and data, information security risks multiply. In addition to questions
about security controls, IoT advances are raising strategic questions
concerning data ownership, privacy and security as organizations race to
monetize the data from increasingly instrumented assets.
transformation: Much of the digital
transformation work that has taken place during the global pandemic has
been more reactionary than strategic. These advances are often hugely
beneficial in solving emergent problems, but they are not necessarily part
of a long-term plan—nor were they implemented with internal controls top
of mind. Now, many of these reactionary transformation activities need to
be reevaluated from a control and risk perspective to determine how they
fit with the organization’s long-term transformation plan and investment
and other digital transformation accelerants often neglect, or conflict with,
segregation of duties controls. More IT-specific controls related to change
management, data security, availability and other application development practices
also tend to receive insufficient attention as more software development and
technology deployments are conducted outside of the IT function.
for example, how a manufacturing plant’s monolithic technology systems were
traditionally built on-premises by the IT group in strict accordance with
carefully crafted development processes and standards. Today, that
manufacturing plant’s engineers and production employees likely have access to nifty
citizen developer tool sets that enable them to quickly create and deploy their
own customized applications.
low-code or no-code offerings are available to operations teams in financial
services and most other industries as well as to accounts payable and most
other functional teams. These nimble applications go live and/or to market more
quickly but often lack the necessary internal controls.
mission, should you choose to accept it
several reasons, the governance of this speed-versus-control balance is not
only a fit but also a responsibility for the CFO.
CFOs are a key part of leading the development and execution of the
organization’s strategy. While that does not make them the sole leader
accountable for governing speed versus control, they are, at the very least, an
important stakeholder in the process. And they are certainly accountable where
speed versus control intersects with the production of data that is ultimately
included in financial reporting.
CFOs are responsible for allocating the company’s capital, whether that means
investing in people, products or technologies. As I have noted previously, CFOs
assess which talent and skills investments are most likely to enable the
enterprise to operate at the right size, and in the right manner, to best
address current and future disruptions and opportunities. Finance leaders
fulfill a similar role with regard to technology and digital investments. Part
of ensuring that those investments enable the enterprise to operate in the
right manner requires striking the right speed-versus-control balance.
CFOs are uniquely positioned to determine how the speed-versus-control balance
in digital transformation aligns with another, related balance that must be
struck between the front office and the back office. Today, digital
transformation activities often occur discretely, in the external-facing areas
of the business and in the functional areas that support operations, which is
the CFO’s domain.
recent years, the front office has acted with increasing independence in
developing and implementing digital advances. Doing so helps the organization
outpace (or catch up to) competitors in ways that would not be possible if they
waited for their back-office partners to develop and deliver similar
capabilities. But moving quickly without the proper controls in place—or even a
recognition of which controls should be in place but are not—can result in
significant breakdowns, like those among supply chains and those related to
customer service that have been widespread over the past 12 months or so.
CFOs’ legacy risk and control mindset, combined with their involvement in the development and execution of organizational strategy, makes them ideally suited to ensure that digital transformations in the front and back offices are better aligned. By adopting stewardship of the speed-versus-control balance, finance leaders can ensure their companies evolve quickly and wisely.