Are your risk and management controls capable of keeping you between the lines?
The purpose of risk and compliance is to keep companies operating between the lines so that they do not fall into a ditch on their way to mission success. To ensure that this does not happen, risk and management controls are put in place to act as guardrails (protecting against loss) as well as to drive processes and practices towards targeted outcomes in response to stakeholder obligations.
Stakeholders include: customers, suppliers, shareholders, employees, government, and the public at large.
Requirements (mandatory) and commitments (voluntary) are derived from obligations contained within internal policies, guidelines and codes of conduct; regulations and standards; contracts; and product and service specifications.
Obligations include: conformance, performance, achievement, and outcome-based specifications.
Traditional approaches (1950s-1970s) to organizational design are based on the notion of (1) "Organizations as Systems", comprising general systems theory and contingency theory, and (2) "Hard Systems Thinking", comprising operations research, systems analysis, systems engineering and cybernetics.
In the field of cybernetics (the science of communications and automatic control systems in both machines and living things) there are two models of the organization: management cybernetics and organizational cybernetics.
Management Cybernetics treats organizations like machines and organisms, congruent with the philosophy of hard systems thinking.
Organizational Cybernetics is concerned with management and organizations that break from mechanistic and organismic thinking, and is able to make full use of the concept of variety (Stafford Beer).
The concept of controls comes from these theories of systems. The most common form of a control process is the feedback control loop, used to apply corrective actions in response to system output deviations from target values. The control loop serves to keep the system within acceptable operating limits (e.g. constraints, performance levels). Although used within almost every system (technical or socio-technical), the audit-fix cycle is most familiar to those in the compliance function.
We can use organizational cybernetics, specifically the Law of Requisite Variety developed by Ross Ashby, to help understand what is required for a control loop to be effective:
When the variety or complexity of the environment exceeds the capacity of a system, the environment will dominate.
The larger the variety of actions available to a control system, the larger the variety it is able to compensate for.
The capacity of the control system cannot exceed its capacity as a channel of communication.
The response time of the control system must meet or exceed the speed of change.
These principles provide important insights into improving the effectiveness of the feedback control loops specified by many standards and regulatory bodies and used in the majority of management systems. However, the feedback control loop has one significant weakness: it requires outputs to be measured first. When it comes to uncertainty and risk obligations, feedback management control is too slow and too late, specifically with respect to safety. In this case it is better to eliminate the possibility of deviation before it happens. This requires the use of feedforward cybernetic control, which will be the topic of a future article.
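As an added illustration (not from the article) of the audit-fix loop and the Requisite Variety principles above, the following constructed simulation lets a monitored quantity drift away from its target while a feedback controller measures and corrects it. The names (LoopConfig, simulate, the four scenario constants) and all parameter values are assumptions chosen to show how a loop that audits too rarely, corrects too weakly, or acts on stale measurements lets the system leave its guardrails before the fix arrives.

```python
from dataclasses import dataclass

@dataclass
class LoopConfig:
    """Parameters of an audit-fix feedback loop (constructed example values)."""
    target: float = 0.0    # desired value of the controlled quantity
    limit: float = 5.0     # acceptable band: |x - target| must stay <= limit
    drift: float = 1.0     # how far the environment pushes x away per step
    interval: int = 1      # steps between audits (response time of the loop)
    lag: int = 0           # staleness, in steps, of the measurement the auditor sees
    capacity: float = 2.0  # largest correction one fix can apply (variety of actions)

def simulate(cfg: LoopConfig, steps: int = 40) -> dict:
    """Run the loop and report the worst deviation and how many steps breached the limit."""
    states = [cfg.target]          # states[t] = value after step t (post-correction)
    x = cfg.target
    peak, breaches = 0.0, 0
    for t in range(1, steps + 1):
        x += cfg.drift             # the environment moves the system first
        deviation = abs(x - cfg.target)
        peak = max(peak, deviation)
        if deviation > cfg.limit:
            breaches += 1          # output is already outside the guardrails
        if t % cfg.interval == 0:  # audit: measure the output, then fix
            observed = x if cfg.lag == 0 else states[max(0, t - cfg.lag)]
            error = observed - cfg.target
            x -= max(-cfg.capacity, min(cfg.capacity, error))  # bounded correction
        states.append(x)
    return {"peak_deviation": peak, "breach_steps": breaches, "final": x}

# Constructed scenarios, one per principle: response time, variety of actions, measurement delay
FAST_LOOP = LoopConfig()                             # audits every step: keeps up with change
SLOW_LOOP = LoopConfig(interval=8, capacity=100.0)   # ample fixes, but audits too rarely
WEAK_LOOP = LoopConfig(interval=4, capacity=2.0)     # audits often, but each fix is too small
STALE_LOOP = LoopConfig(lag=2)                       # acts on two-step-old measurements

if __name__ == "__main__":
    for name, cfg in [("fast", FAST_LOOP), ("slow", SLOW_LOOP), ("weak", WEAK_LOOP), ("stale", STALE_LOOP)]:
        print(name, simulate(cfg))
```

The slow loop breaches the limit every cycle even with unlimited correction capacity, the weak loop drifts without bound because its corrections cannot match the rate of change, and the stale loop oscillates because it keeps correcting for a state that no longer exists.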