As digital transformation accelerates, companies confront a pressing question: Does the balance we strike between speed and control align with our strategy? CFOs are key stakeholders in that ongoing determination, and more finance leaders are assuming stewardship of these deliberations. This emerging responsibility involves assessing and managing the impacts to internal controls that arise from business and digital transformation activities—and determining the extent to which this speed-versus-control balancing act aligns with the organization’s business strategy. While the challenge this balancing act poses is certainly not new, it is exacerbated by the increasing demands and accelerating pace of change of the digital era.
Speed has always been a fascinating concept in business. In the analog age, elapsed time was often benchmarked against competitors as a way of driving continuous process improvements, under the theory that taking time out of a process made it more efficient and flexible. In the digital age, time and speed have evolved beyond the tactical to emphasize a more strategic and holistic view with the objective of challenging conventional thinking and disrupting recognized ways of working and long-established value chains.
Driving value for the customer is a constant, never-ending pursuit to reimagine and improve business models and processes in an ever-changing operating environment. It is fueled by attention to speed in gathering and learning from feedback and making and executing high-quality decisions in deploying digital technologies and tools to deliver the value customers want and expect. Anything short of that is not a very smart play in a digital economy in which markets progress at a rapid pace.
While the development and adoption of advanced technologies reside beyond the finance organization’s traditional span of control, it is vital to recognize that more of these activities also take place beyond the IT group’s purview thanks to citizen developers, low-code/no-code offerings, shadow IT projects and related forms of decentralized technology deployment. As a result, the extent to which high-speed technology development and adoption activities affect the organizational controls environment is often unknown. Addressing this issue is squarely in the CFO’s wheelhouse.
Accordingly, CFOs should understand those elements of transformation that tend to exert the greatest impacts on the control environment, including which internal controls are most at risk of neglect, and how they can help the enterprise monitor and, when needed, recalibrate its speed-versus-control balance.
Where and how internal controls may be overlooked
Everyone knows that digital transformation-driven speed is beneficial and increasingly necessary from a competitive standpoint. That said, several transformation activities and approaches throughout an organization tend to have substantial impacts on internal controls. These include, but certainly are not limited to, the following:
- Citizen developers: A growing number of organizations are using citizen developers, decentralized software development approaches and other forms of shadow IT to accelerate the creation and deployment of new digital tools, products and services. This speed often comes with a cost given that these methods can introduce new risks and control issues.
- The Internet of Things (IoT): As companies and their third parties continue to increase their use of IoT sensors, devices, applications and data, information security risks multiply. In addition to questions about security controls, IoT advances are raising strategic questions concerning data ownership, privacy and security as organizations race to monetize the data from increasingly instrumented assets.
- “Reactionary” transformation: Much of the digital transformation work that has taken place during the global pandemic has been more reactionary than strategic. These advances are often hugely beneficial in solving emergent problems, but they are not necessarily part of a long-term plan—nor were they implemented with internal controls top of mind. Now, many of these reactionary transformation activities need to be reevaluated from a control and risk perspective to determine how they fit with the organization’s long-term transformation plan and investment model.
These and other digital transformation accelerants often neglect, or conflict with, segregation of duties controls. More IT-specific controls related to change management, data security, availability and other application development practices also tend to receive insufficient attention as more software development and technology deployments are conducted outside of the IT function.
Consider, for example, how a manufacturing plant’s monolithic technology systems were traditionally built on-premises by the IT group in strict accordance with carefully crafted development processes and standards. Today, that manufacturing plant’s engineers and production employees likely have access to nifty citizen developer tool sets that enable them to quickly create and deploy their own customized applications.
Similar low-code or no-code offerings are available to operations teams in financial services and most other industries as well as to accounts payable and most other functional teams. These nimble applications go live and/or to market more quickly but often lack the necessary internal controls.
Your mission, should you choose to accept it
For several reasons, the governance of this speed-versus-control balance is not only a fit but also a responsibility for the CFO.
First, CFOs are a key part of leading the development and execution of the organization’s strategy. While that does not make them the sole leader accountable for governing speed versus control, they are, at the very least, an important stakeholder in the process. And they are certainly accountable where speed versus control intersects with the production of data that is ultimately included in financial reporting.
Second, CFOs are responsible for allocating the company’s capital, whether that means investing in people, products or technologies. As I have noted previously, CFOs assess which talent and skills investments are most likely to enable the enterprise to operate at the right size, and in the right manner, to best address current and future disruptions and opportunities. Finance leaders fulfill a similar role with regard to technology and digital investments. Part of ensuring that those investments enable the enterprise to operate in the right manner requires striking the right speed-versus-control balance.
Third, CFOs are uniquely positioned to determine how the speed-versus-control balance in digital transformation aligns with another, related balance that must be struck between the front office and the back office. Today, digital transformation activities often occur discretely, in the external-facing areas of the business and in the functional areas that support operations, which is the CFO’s domain.
In recent years, the front office has acted with increasing independence in developing and implementing digital advances. Doing so helps the organization outpace (or catch up to) competitors in ways that would not be possible if they waited for their back-office partners to develop and deliver similar capabilities. But moving quickly without the proper controls in place—or even a recognition of which controls should be in place but are not—can result in significant breakdowns, like those among supply chains and those related to customer service that have been widespread over the past 12 months or so.
CFOs’ legacy risk and control mindset, combined with their involvement in the development and execution of organizational strategy, makes them ideally suited to ensure that digital transformations in the front and back offices are better aligned. By adopting stewardship of the speed-versus-control balance, finance leaders can ensure their companies evolve quickly and wisely.