Best practices for setting up a framework of internal controls and their practical implementation with specialized software.
The term “controls,” originally used in the GRC (Governance, Risk, Compliance) domain to describe mechanisms for managing risks and ensuring compliance, is now applied more broadly to strategic planning.
In this article, we’ll share best practices for setting up controls and their practical use.
Introduction to Internal Controls
In essence, a “control” is a response or prevention mechanism used to manage risk and ensure compliance.
Example control: “Employee left company”
- Action plan: Redirect emails
- Action plan: Notify customers
- Effectiveness metric: Logins disabled [Evidence-Driven]
- Effectiveness metric: % of customers notified
- Risk: Disruption of Workflow
Components of Control
Controls have specific components:
- Definition of the control.
- Internal mechanics to ensure the control works properly (metrics, action plans, monitoring).
- The results of applying a control that are reported and provide input for a learning loop.
From the automation perspective, a control might be:
- As simple as an action plan with aligned progress metrics or
- As complex as a hierarchical set of controls and sub-controls, each with its own set of metrics, risk estimations, mitigation plans, contextual dependencies, and owners.
Controls have specific application areas, defining when certain controls should be activated.
Let’s explore the tools we can use for implementing controls in strategic planning.
1. Definition of Control
At the initial stage, our goal is to properly map the past experiences of the management team into controls or formal response mechanisms.
General Properties
The basics of identifying a control include giving it a meaningful name and explaining its purpose in the description. Define:
- Conditions that trigger the control,
- Scope of the control.
In BSC Designer:
- Use the Add button to create a new item.
- Identify the control via the name and description fields.
- Cross-link the control with relevant past goals, events, or regulatory requirements.
Supporting Documentation
In BSC Designer:
- Add documents to a control via the Description dialog.
- Add documents to the control’s action plan via the Initiatives dialog.
Custom Properties
In BSC Designer:
- Define required properties of controls via custom fields.
- The new fields will be available for controls, metrics, and initiatives.
Ownership
For example, software maintainability controls may automate updates, but an IT specialist is needed to resolve conflicts if an update fails.In BSC Designer:
- Add responsible persons for the control as users; assign the person to a team.
- Assign the person or team as the owner of the control via the Owner field.
Owners will receive notifications relevant to the control.
Certification / Approval
In BSC Designer:
- Use custom fields to define properties of control such as “Certification state” and “Certified by.”
- When attesting the controls, the management team can update these properties.
- Use filters in reports to identify controls without proper certification.
To disable uncertified control but keep it in the scorecard:
- Select a control.
- Switch to the Performance tab.
- Activate the Raw data indicator checkbox.
Alignment of Controls
In BSC Designer:
- Copy and paste items between scorecards.
- When prompted, use the connection by context option to link two items.
Catalog of Controls
In BSC Designer:
- Create a scorecard dedicated to controls.
- Use a hierarchical structure to organize controls.
- When needed, copy the control to the active scorecard.
2. Quantification of Controls
Effectiveness Metrics
Using metrics for the controls makes the control more specific and avoids different interpretations.Define metrics to track:
- Adherence to the standards
- Effectiveness of the control
- Progress of action plans
For example, in incident reporting:
- The efficiency metric might be the “% of personnel trained in incident reporting.”
- The effectiveness metric might be “% of incidents not communicated properly.”
In BSC Designer:
- Use the Add button to add metrics inside the Control item.
Overall Performance
In BSC Designer:
- Select a metric
- Switch to the Performance tab
- Change the weight of the metric
The performance/progress of the control will be displayed in the corresponding column.
Efficiency Metrics
Depending on the context use leading metrics. Unlike lagging metrics, leading metrics won’t contribute to the overall performance of the control directly, but will suggest valuable insights in understanding the efficiency of the control.
In BSC Designer:
- Select a metric
- Switch to the Context
- Change the type of the metric to Leading
Risks Estimation
A control can include a risk definition or be aligned with risks from a risk register.
Risk estimation can be:
- A trigger for the execution of the control or
- A condition for selecting a certain course of action.
In BSC Designer:
- Create a new indicator
- Change its type to ‘Risk’
- Update risk Probability and Impact indicators
Binary Control
The possible states of binary indicators:
- Unassigned – the part of the control was not executed yet
- Yes – to indicate that the part of control was executed successfully
- No – to indicate that the part of control wasn’t executed successfully
Example: “Business continuity plan updated taking into account a newly identified threat” can be automated with a binary indicator.In BSC Designer:
- Select an indicator
- Switch to the ‘General’ tab
- Change its measurement units to “Yes/No”
Qualitative Control
Qualitative indicators are used for the controls when a more specific quantitative estimation is not developed yet, or it is not cost-effective to develop one.
Example: a control Policy Management and Communication can be assessed with a qualitative metric Effectiveness of Communicating Compliance Policies with possible states:
- Highly Effective (100): Employees clearly understand compliance policies.
- Moderately Effective (60): Some employees understand the policies.
- Ineffective (10): Employees are generally unaware of policies.
In BSC Designer:
- Select an indicator
- Click the Edit button next to the measurement units to add custom measurement units
Quantitative Control
For making the controls more specific, quantitative or numeric indicators are used. For quantitative indicators we can define their performance formula, e.g., how the current state of an indicator impacts the output performance.
Example: to assess the effectiveness of the implementation of a specific control, we do an internal audit to track the % of Policy Compliance. In this case, the performance formula is linear maximization, with target = 100%.Another example can be Mean Time to Detect metric, configured as linear minimization with a target of 24 hours.
In BSC Designer:
- Switch to the ‘Performance’ tab to define the performance function.
- Switch to the ‘Data’ tab to define the indicator’s current state, baseline, and target.
Evidence-Driven Control
Evidence indicators will change their state according to the number of uploaded documents/evidences.
For example, backup and recovery test control might require uploading test results or logs as proof of successful execution of the control.
In BSC Designer:
- Select an indicator
- Change its measure units to Evidence
- Upload document to the indicator to change its state
3. Initiatives for Controls
Action Plans
In BSC Designer:
- Use the Initiative tool to add action plans to the controls.
- Align risks and efficiency metrics with the initiative.
- Assign an owner to the initiative; the person will receive notifications when the status changes.
Tracking Action Plan
In BSC Designer:
- Add a new initiative to the control.
- Open the initiative dialog.
- Select the progress KPI in the ‘Aligned KPI’ field.
4. Tracking Controls Over Time
Periodic Controls
Example of revision of mechanics of the control:
- Revision of Compliance Checklists – annual revision
- Knowledge Retention, % – quarterly revision
Examples of periodic application of the control:
- Vulnerability Scanning – monthly revision/update
Examples of control initiated once:
- Initial Risk Assessment – to be updated once
In BSC Designer:
- Use the Update Interval setting of the indicator to schedule regular revisions.
Updating State of Control
In BSC Designer:
- Select a control’s metric
- Select a date in the internal calendar
- Switch to the ‘Data’ tab
- Enter the new state in the ‘Value’ field
Inheritance of Control’s State
Some indicators used for controls will inherit their previously known state, while others will use only specifically entered updates.
For example:
- % of Employees Trained – is likely to be an inherent indicator, as we can assume that the percentage of employees trained in May will remain the same or increase in June.
- Monthly Sales Revenue – is likely to be a non-inherent indicator, as we are interested in tracking actual sales data over months.
In BSC Designer:
- Select an indicator
- Click on the Values Editor button
- Change the inheritance type of the indicator
5. Reporting Controls
Controls on Dashboards
In BSC Designer:
- Switch to the Dashboard tab.
- Add relevant charts, including Gantt charts for initiatives, risk diagrams, and diagrams listing controls and their states.
Controls for Risk Estimation
In BSC Designer:
- Connect the lagging part of the control with the Risk Impact or Risk Estimation metrics in the risk register by data.
Controls in Reports
In BSC Designer:
- Use the ‘Report’ menu to generate various reports
- Use the ‘Schedule’ button in the ‘Report’ menu to send reports to the stakeholders automatically
Accountability
In BSC Designer:
- All activities related to the design and execution of controls are recorded in the audit log.
- The administrator of the account can access audit logs via Menu > Users > Audit Trail.
Practical Example of Using a Control
Let’s discuss a practical example. Consider the control activated when an employee leaves the company.
Example structure:
Controls Library
In the controls library, I have an HR section where one of the controls is “Employee left company.”
This control has three action plans:
- Redirect emails.
- Contact customers.
- Knowledge transfer plan.
It also has two metrics:
- Logins disabled (evidence-driven).
- Percentage of customers notified.
Another metric is used for the periodic revision of controls:
- Knowledge Retention (%)
A risk is defined for the control as:
- Risk: Disruption of Workflow
- Mitigation plan: Document critical functions
Events Scorecard
I have a scorecard named “HR events” where relevant HR events are logged. The scorecard is organized by event type.
Applying the Control
Here are the steps to follow when an employee leaves the company:
- Create a new event in the Events scorecard, e.g., “Alex left company.”
- Copy and paste the appropriate control from the controls library to the Events scorecard.
- The person responsible for the control will be automatically notified about new action plans created.
- Upload evidence (screenshots) that the logins were disabled.
- Notify customers and update the “% of customers notified” indicator.
- Update the status of the action plans to “In review.”
More Examples
You can find more examples of using controls in articles about:
What's next?
- Sign up for a free account at BSC Designer to access the scorecard templates, including 'Library of GRC Controls' discussed in this article.
- Follow our Strategy Implementation System to align stakeholders, strategic ambitions, and business frameworks into a comprehensive strategy.
More About Strategic Planning
Alexis is a Senior Strategy Consultant and CEO at BSC Designer, with over 20 years of experience in strategic planning. Alexis developed the “5 Step Strategy Implementation System” that helps companies with the practical implementation of their strategies. He is a regular speaker at industry conferences and has published over 100 articles on strategy and performance management, including the book “10 Step KPI System”. His work is frequently cited in academic research.