GRC Tuesdays: Shifting GRC to the “Left of Launch”
I recently read a news story explaining the new United States antimissile approach, known as “left of launch.”
The story explained that the idea now is to strike an enemy missile before liftoff or during the first seconds of flight. The old approach waited until much later— after swarms of warheads had been released, had traveled thousands of miles, and were racing toward targets at speeds more than four miles a second.
We must accept the inability to prevent enemies launching missiles and the fact that even one successful missile strike can be so disastrous that merely detecting and relying on responding to launches after the fact is too little too late.
So the First Line of Defense against enemy missiles has shifted to “left of launch”—detecting and responding to the events and conditions that precede missile launches and anticipating them. The limits of reliance on effective launch detection and response have been reached.
Defining the Limits of Control Effectiveness
The unspoken premise of internal control frameworks is that enough of the right kinds of “control” is the key to preventing risks from occurring or detecting and responding to them quickly should they occur. More control is always better.
Auditors and business people look at the “design” and “operation” of controls and report “significant deficiencies” and “material weaknesses.” Effective controls are assumed to prevent or detect the “launch” of a risk.
Unlike missile defense practices, internal control thinking is almost completely aimed at the “right of launch.” Internal controls are considered a barrier to risk. The implicit assumption of “right of launch” thinking is that missile launches, or business risks, can be tolerated because those that can’t be prevented can be detected and thwarted before they have a significant impact.
Digitalization and globalization mean that even if we reduce the frequency of risk events, their magnitude is so severe that they are intolerable. We have reached the limit of control effectiveness.
Are control deficiencies the best indicator of control effectiveness?
Looking Left of Control
What’s the answer? Two things are necessary.
First, it would be foolish to abandon the best controls now in place. But it’s essential to automate them and streamline them. There is huge opportunity to do so and the technology is available now.
Second, we need to begin to develop “left of launch” analytical capabilities to build the capabilities to discern the events and conditions that precede risk events.
Last week, I watched part of the National Football League annual draft. Professional sports have developed powerful analytical tools and metrics to rank and predict the success of athletes based on their physical and personal attributes. I’m not suggesting we rate and rank employees in this way nor am I suggesting that would even be useful to do so. But surely we can look at streams of transactions and external events to discern troubling patterns or anomalies. Certainly, we can predict the impact of compensation schemes on behavior and the impact of regulations and policies on business performance.
GRC professionals have lagged in their adoption. Virtually all recent published research suggests that internal audit must improve its skill sets in this area.
Moving “left of control” needs analytics, but that’s only the beginning. The control effectiveness paradigm will take time to displace and replace. It permeates all aspects of GRC. New tools and conceptual frameworks are necessary.
Where Are You?
I’m interested as always in your comments and reaction. Are you left of control? Do you want to shift there?