Imbecility at best? Or is there another word one would prefer for sheer stupidity? Because it’s like having a procedure in place that could guide people on how to use their mental faculties when needed! The issue is so concerning that the procedures can’t just tell how to determine if there are any mental faculties in place to begin with!

Though the procedure will advise the use of mental faculties, it still won’t prevent an undesirable event. Because the risk of an undesirable event happening can only be perfectly avoided by avoiding any and all events. Yeah, stop working if one can. Won’t that be an adequate answer to the imbecility at play?

I think so. One should stop working altogether if one thinks a procedure can prevent someone from causing harm, or it can prevent someone from colluding to cause harm, or it can prevent someone from taking undue advantage. Because best is not to get exposed to such dangers by working.

You see, the whole point of having procedures subservient to policies is to establish first what’s desirable and what’s not; the objectives sit at the top. The means of accomplishing these objectives come afterwards.

That’s the reason why the control environment is superior to the control procedures. It’s the tone at the top. If that tone doesn’t resonate with ethical conduct, principles and a rules-based order, the procedures do not matter at all! One can have all the procedures one wants; it won’t matter.

And that’s the reason why governance takes precedence over risk management and controls when discussing internal audit’s typical scope of work, the improvement-oriented interventions. Rotten governance can’t find it worthwhile investing in risk management or controls, let alone internal audit!

But it doesn’t take an undermined control environment or an impaired governance to arrive at such a brilliant conclusion of having a specific procedure in place to avoid the risk of theft. Just the people who have no idea about what a control environment or governance is or what policies are!

And more so it is about the people who have no idea that controls are more about enforcement and application rather than documentation as part of procedures. This shouldn’t then come as a surprise if such people are the reason behind regression in the control environment. At this point it’s simply consequential.

One cannot think of instilling fear of compliance in the hearts and minds of people believed to go astray and cause harm, or of enforcing controls compliance, merely by designing and documenting more controls and not putting feet on the ground.

There’s no pleading with a control so that it gets performed. Controls are designed to be in place as infallibly as possible once the cost versus benefit equation makes sense. Controls are meant to be unavoidable. Making procedures for avoiding theft is akin to pleading with the process owners not to steal!

Because the idea is to approach the objectives of a process holistically. A policy focuses on the bigger picture and that’s why it is hierarchically superior. Procedures specifying the blueprint for policy implementation are not intended to micromanage. Being the vehicle for policy implementation, these are designed to provide comfort that policy objectives are being met.

These aren’t designed to document a control for countering each and every potential effect of uncertainty, i.e., a risk. And having no pilferage or, conversely, having all items fully accounted for is an objective, not a risk. As such, the policy already caters for the objectives.

For instance, if avoiding pilferage is an objective, the policy will spell out clearly the principles of authorizing access, providing an adequate surveillance system, having perpetual recording and periodic physical inventory systems, having inspections prior to granting clearances, etc. The procedure under this policy will detail the precise steps that need to be carried out so that the policy requirements are fulfilled and consequently the objectives are accomplished.

So, if there’s a security policy and security procedures in place, avoidance of pilferage would already be listed as one of several other objectives or might as well be listed as a threat scenario. Or it might not have been listed altogether, simply because the entry and exit objectives would already include requirements for pre-entry and pre-exit clearances.

Similarly, a warehouse management policy and procedures would already have requirements for access control, surveillance, issuances based on authorizations and approvals, even scanning the issuances against a delivery order (tech-intensive!), regular physical inventory and perpetual recording.

The policies and procedures are always designed comprehensively, through a holistic thought process and an overarching approach aimed at fulfillment of objectives. Once we have these in place, we don’t need to add procedures addressing individual risks. That would not just be more of the same, which would of course be of no use; it would become so confusing that it would undermine the whole system.

Instead, an approach with fewer procedures and more boots on the ground would enable incremental adjustments and improvements to emerging requirements, without the need for referring back to the procedures. References would be made to the policy objectives and intent by utilizing available mental faculties. The major spending in this case would be the mental faculties but guess what? These would evolve!

However, if you have read between the lines, a significant control deficiency would certainly need to be plugged. But a significant control deficiency would also mean that something significant remained missing either in the policy or in the procedures!

Well, I was confronted with a richer (read more nonsensical!) iteration of the proposal to have a guideline for pilferage. The proposed guideline even specified requirements to be followed by contractors who were thought to steal, when it was common knowledge that an entity’s guidelines are specific to the company’s employees and only apply to contractors through contracts. Moreover, the risks proposed to be mitigated by virtue of such guidelines are never contracted out with the work!

Instead of their proposed guidelines, I proposed numerous other physical controls to deploy, including inventory prior to loading, equipment identification, checklists and records. Guess what the answer was?

NONE!

Because if the executive desk makes room for people who can’t understand the difference between “NO” and “NOT APPLICABLE”, this is all too much to absorb.

Thus, imbecility is the tone at the top!

And when it’s the tone at the top, what can one say about the state of affairs from the top to the bottom?

The bottom always likes to align itself with the top so that one day it could climb up the ladder to the top, i.e., if the entity is able to survive the boundless imbecility and the ladder is to somewhere, not nowhere!