Here at the Radical Compliance home office, every morning my job is to rouse my toddler son from bed, make him breakfast, and take him to preschool. As winter approaches here in New England, that also means ensuring that he’s properly dressed for cold weather.
Little did I know that such a simple exercise is also a great example of risk assessment, business process, and manual versus automated controls.
The business process in question was keeping my son’s hands warm, and the tool to do that was a pair of mittens. One cold morning last week, I put both mittens on his hands and took our son to school. I dropped him off at school. I put each mitten in one pocket of his coat, like I do with my own gloves. I left.
My wife’s job is to pick up our son in the afternoon. She did. Then the inevitable message appeared on my phone: “WHY DOES HE HAVE ONLY ONE MITTEN?”
The tool had stopped working. We had a control failure.
At this point, let’s describe the mittens in question. They are thick and warm, with long sleeves to go over the wrist. In other words, they are perfectly fine tools for the process of keeping my son’s hands warm. See photo, below. Imagine there are two of them.
My wife, apparently, had at least some sense that our son might lose a mitten. So she sent me another message: “WHY DIDN’T YOU CLIP THEM TO HIS POCKETS LIKE YOU’RE SUPPOSED TO?”
And now we get to the guts of the control failure. I didn’t know you could clip the mittens to the pockets of his coat. That evening, my wife demonstrated how one is supposed to do this. See photo, below. Imagine I did that in the morning.
But that’s a manual control: one that does work, but only when the employee executes the control. What we needed here was an automated control: one that works by default. In this case, it would be two mittens strung together, where the connecting string runs up each sleeve. See photo, below. Imagine that we had bought these in the first place.
After all, with mittens implemented into the coat like that, our son couldn’t lose them, even if he were in high school.
Deciding Manual vs. Automated Controls
The risk to the process of keeping our son’s hands warm was that he might lose one of his mittens. So in hindsight, that was our first mistake: a flawed risk assessment. I figured he would probably stay indoors that day, or if the teachers did take him to the kiddie playground, his mittens wouldn’t fall out of his pockets. So putting them in his pockets would be a perfectly fine control.
Erroneous. I now understand that most children won’t keep their mittens together until they are, like, 25. The risk of mitten loss was much higher, so we needed a stronger control. My risk-based approach to this issue was incorrect.
Now, my wife did anticipate a higher risk of mitten loss, so she purchased mittens that had a strong manual control: clipping them onto the coat. Then again, one could argue that this was faulty control design: a manual control that required someone to clip the mittens into place, when the automated control of strung-together mittens would have removed the onus from the business process owner, who was me.
This is the exercise internal auditors, compliance officers, and operations executives go through every day: they review business processes to see how controls might fail, and usually the failure is human error in operating the control. Then we try to automate how the control works, to reduce (or eliminate) the chance of human error.
If we could do it all over again, we should have spent more time on the risk assessment and control design, namely, confirming that we should buy mittens with a connecting string so they won’t get lost. The business process owner, me, should have raised that concern with the business controller, my wife. (I suspect most households operate like this.)
The risk-and-control planning would have taken more time at the beginning, but saved the time and expense of our mitigation plan implemented that evening: another trip to Target and $16.95 dropped on a new pair of mittens.
The longer I stay in this business, the more I realize that all you need to know about ethics and compliance, you can learn from raising small children.