Much of leadership – from innovating, to strategizing, to leading teams – can be invigorating and challenging.
But one function – setting and monitoring management controls – is fundamentally uninspiring and often overlooked. In fact controls are often associated with red tape and viewed as something to be avoided or worked around.
A new study from Smith School of Business and Bentley University highlights the need for management controls to be given the same level of senior management attention as given to budgeting and strategy.
Management controls are used to ensure transparency, efficiency, or quality. They can govern who has access to data, how products are tested, or what standards need to be set. When controls fail – think Volkswagen or BP – they derail projects and even corporations. Organizations with inadequate or outdated controls leave themselves exposed to the risk of poor performance and business failures.
Management controls need to be carefully calibrated — not too tight, not too loose — and reviewed regularly to ensure they are working, a discipline that is not often seen. The need for such an approach is particularly stark in the information systems (IS) environment, where enterprise security is paramount and projects are complex and prone to failure.
According to the researchers, professors Kathryn Brohman and Brent Gallupe of Smith School of Business Queens University and Alec Cram of Bentley University, leaders tend to underestimate the potential emotional impact on workers when instituting a new control or changing existing controls. Also if leaders see controls as applying to others but not them, the result is that no one takes ownership to fix the system.
Taking a holistic view of management controls, the researchers suggest leaders think about the context in which the management control is being implemented, the people it is affecting, and how it will be refreshed over time and how to implement controls effectively so they don’t bind organizations and create red tape.
When leaders decide to institute a new control or change existing controls, simply making everyone aware of the need for change won’t guarantee compliance, they say, particularly when some controls, such as those that determine who can access what data, have the potential to shift power.
“So when the control changes, there can be a significant cost,” says Brohman. “People also find ways to appease the control without really embracing the desired behaviour. Our team continues to explore how many controls introduced with a certain purpose actually operationalize the true desired behaviour.”
Considering the question Who Takes Ownership? Brohman quotes a conversation she had with a group off 27 CFOs. “They said that to get anything done you have to go around the system because there's so much red tape and control. My question to them was, who owns the system? One CFO responded, I guess it's us, as CFOs we have the power to own the system.” Brohman says that led to a thought-provoking discussion that expanded beyond financial controls to a broader reflection on what CFOs could do to address organizational control challenges.
To help practitioners, the team developed an integrated model that can be used to improve the effectiveness of IS controls. The model defines six stages of changing controls: identifying the control issue, developing a remedy, implementing the control with staff and management, refining the control, winning acceptance, and optimising.
“Good managers, managers who appreciate what controls can do for them, both for efficiency and effectiveness, realize that they just can't be complacent,” says Gallupe. “They know that circumstances change and that one control for one situation does not last forever.”
Related executive programs at Smith Business School:
> IT Management 2-7 October
> Execution 13-18 November
Read the full study: Information Systems Control: A Review and Framework for Emerging Information Systems Processes. Journal of the Association for Information Systems