Beyond The Workaround Culture
Management controls must be carefully calibrated and reviewed regularly to ensure they’re working, a discipline that is not often seen. According to a study by Alec Cram of Bentley University and Kathryn Brohman and Brent Gallupe of Smith School of Business, leaders tend to underestimate the potential emotional impact on workers when instituting a new control or changing existing controls. If leaders see controls as applying to others but not them, the result is that no one takes ownership to fix the system. The researchers suggest practitioners think about the context in which the management control is being implemented, the people it's affecting, and how it will be refreshed over time. [Download link for toolkit at end of article]
When you consider classic management functions, some are exalted (strategizing), some are career enhancing (planning and resourcing), and some are socially challenging (supervising). And then there’s the management function that’s often as futile as rousing a teenager from sleep (controlling).
There are all sorts of management controls designed to ensure transparency, efficiency, or quality. They can be enterprise-wide or project-specific — think of controls governing who has access to data, how products are tested, or what standards need to be set. Controls are essential to successful execution; when they fail, they can scupper system implementation projects and even corporations. The problem is that, for employees, managers, and leaders alike, controls are often associated with red tape and viewed as something to be avoided or worked around.
“Organizations with lagging controls leave themselves exposed to the risk of poor performance and broader business failures,” says Alec Cram of Bentley University.
That would make plenty of organizations exposed. Management controls need to be carefully calibrated — not too tight, not too loose — and reviewed regularly to ensure they’re working, a discipline that is not often seen. The need for such an approach is particularly stark in the information systems (IS) environment, where enterprise security is paramount and projects are complex and prone to failure.
Cram teamed up with Kathryn Brohman and Brent Gallupe of Smith School of Business to learn more about the interconnected steps involved in changing IS management controls. They conducted six case studies at four firms in banking, insurance, health, and manufacturing. Their results were published in Information Systems Journal.
Holistic View of Controls
The researchers took a holistic view, studying not only the means of control but how controls are executed, when they’re changed, and how people respond and deal with them.
One of their insights is that people really don’t like to think about controls beyond what they have to institute to satisfy industry regulators. While controls are driven by oversight needs and risk aversion, “the whole idea of how to implement controls effectively so they don’t bind organisations and create red tape is the story that came out of these case studies,” says Cram.
“Managers who appreciate what controls can do for them, both for efficiency and effectiveness, realize that they just can't be complacent”
When managers and leaders do decide to institute a new control or change existing controls, they tend to underestimate the potential emotional impact on workers on the other end. Simply making everyone aware of the need for change won’t guarantee compliance, they say, particularly when some controls, such as those that determine who can access what data, have the potential to shift power.
Organizations use controls to try and influence how people behave, and people adapt to absorb that control into their daily routines, Brohman says. “So when the control changes, there can be a significant cost,” she says. “People also find ways to appease the control without really embracing the desired behaviour. Our team continues to explore how many controls introduced with a certain purpose actually operationalize the true desired behaviour.”
Who Takes Ownership?
Leadership looms large. If leaders see controls as applying to others but not them, the result is that no one takes ownership to fix the system. This is particularly so in enterprise cases, where there is a dispersion of responsibility over controls. “I was talking to a group of 27 CFOs about this exact issue,” says Brohman. “They said that to get anything done you have to go around the system because there's so much red tape and control. My question to them was, who owns the system? One CFO responded, I guess it's us, as CFOs we have the power to own the system.”
Brohman says that led to a thought-provoking discussion that expanded beyond financial controls to a broader reflection on what CFOs could do to address organizational control challenges.
The answer is not necessarily to load up on off-the-shelf solutions such as Six Sigma but for leaders and managers to treat controls with the same discipline as they do other functions such as budgeting and strategy.
To help practitioners, Cram and his colleagues developed an integrated model that can be used to improve the effectiveness of IS controls. The model defines six stages of changing controls: identifying the control issue, developing a remedy, implementing the control with staff and management, refining the control, winning acceptance, and optimizing.
The model has a clear message for practitioners: think about the context in which the management control is being implemented, the people it's affecting, and how it will be refreshed over time.
“Good managers, managers who appreciate what controls can do for them, both for efficiency and effectiveness, realize that they just can't be complacent,” says Gallupe. “They know that circumstances change and that one control for one situation does not last forever.”
— Alan Morantz