In the aftermath of several notable startup scandals, it’s crucial to debunk the misconception that business controls hinder growth. While excessive or poorly executed checks and balances can restrain a rapidly expanding company, it’s entirely feasible to devise a forward-thinking control framework that enables a growing enterprise to achieve the seemingly conflicting goals of risk management and agility.
Learning from Mistakes: FTX’s Cautionary Tale
The repercussions of neglecting controls are evident, as exemplified by FTX. When John Ray III assumed control of FTX post-CEO Sam Bankman-Fried’s arrest, he labeled the corporate controls a “complete failure.” Inadequate governance, irresponsible cash management processes, and centralized authority within an inexperienced group of decision-makers were cited as contributing factors.
An Auditor’s Perspective: Unveiling the Common Pitfalls
As a KPMG-qualified auditor with 17 years of experience in senior finance roles at large enterprises and fast-growing venture-backed startups, I’ve observed the prevalence of lax controls among smaller businesses and early-stage startups feeling the pressure to scale rapidly. Unfortunately, these entities are particularly vulnerable to avoidable losses due to poorly designed or implemented controls.
The True Cost of Lax Controls
Beyond the immediate drawbacks, lax controls incur opportunity costs. Record interest rate hikes have significantly elevated the cost of capital, making fundraising more challenging. This environment compels investors to conduct more rigorous due diligence. In a recent Series A funding round, I encountered unprecedented scrutiny, exemplified by inquiries into payment release strategies and approval levels within the payment processing solution.
In the following sections, I will demonstrate how embracing a meticulously crafted progressive control system can not only mitigate risks but also instill confidence in investors.
Building the Case for Business Controls
Business controls, also known as internal controls, encompass policies, procedures, and practices implemented to safeguard assets, ensure accurate financial reporting, and enhance operational efficiency. Components like segregation of duties, authorization procedures, and regular monitoring contribute to the comprehensive system of business controls.
Scaling Significance: Controls with Company Growth
The importance of controls is directly proportional to the company’s size and, more specifically, the number of employees. This significance is magnified by the rise of remote work post-COVID-19. The shift in organizational design has rendered traditional controls obsolete, with digital payment release strategies replacing physical check signing.
In a small company with a single decision-maker, every choice directly impacts the CEO. However, as the company expands, the CEO faces a dilemma: retain all decision-making or delegate to new hires. Without a control framework, delegating decisions may introduce disproportionate risks. A progressive internal control framework empowers the CEO to manage risks effectively while maintaining the organization’s rhythm.
Effective Control Frameworks for Rapidly Growing Companies
In the dynamic landscape of business growth, establishing a robust control framework is paramount. Drawing on my experience in crafting intelligent and forward-thinking internal control frameworks, I’ve tailored strategies from my background in larger, more structured corporations. These frameworks not only mitigate avoidable losses but also play a pivotal role in securing venture capital funding, all while preserving the crucial element of agility.
Unveiling Key Factors: A Blueprint for Success
To embark on the journey of developing an effective control framework, it is imperative to delve into specific risk and control factors unique to your company. This initial step ensures a collective understanding and consensus on pivotal topics, fostering the creation of streamlined workflows while effectively managing risks.
Operating Complexity: Navigating the Organizational Maze
Understanding the intricacies of operating complexity is the cornerstone of an efficient control framework. Factors such as headcount, staffing model, operating locations, business model, and customer base must be meticulously assessed. A more complex organizational structure demands closer monitoring, making it crucial to tailor controls accordingly.
Technological Sophistication: Empowering Controls through Innovation
The level of technological sophistication within a company becomes a linchpin for deploying automated controls. In larger organizations, technology permeates across departments, adding complexity but enabling the design of efficient automated business controls. This, in turn, enhances the overall effectiveness of the control framework.
Materiality: Setting Thresholds for Financial Harmony
Determining the materiality threshold is pivotal in tolerating financial discrepancies, errors, or process deviations. This threshold, whether financial or nonfinancial, establishes the trigger for immediate action or reporting. A lower materiality threshold demands tighter controls, ensuring a vigilant approach to discrepancies.
Risk Tolerance: Crafting a Resilient Foundation
Risk tolerance, a nuanced aspect of materiality, allows leaders to define their judgment and risk acceptance subjectively. Documenting this tolerance, especially considering both financial and nonfinancial impacts, sets the tone for control framework design. A higher risk tolerance permits more flexible controls, aligning with the company’s growth trajectory.
Fundraising Stage: Elevating Controls for Investor Confidence
As companies progress through fundraising stages, the need for a secure control framework intensifies. Larger investments demand higher expectations, making it imperative for companies to fortify their business controls. Understanding the nuances between noninstitutional and venture capital investors is crucial in tailoring controls to meet stringent requirements.
Leveraging the Trifecta: Value, Cadence, and Objective
With a comprehensive understanding of risk and control factors, the next step involves calibrating controls using three pivotal levers: value limit or tolerance, cadence, and objective. These levers serve as dynamic tools in aligning controls with the overall risk assessment and risk appetite of the company.
Value Limit or Tolerance: Precision in Triggering Controls
Adjusting the value limit or tolerance directly impacts the number of exceptions flagged for review. Fine-tuning this lever ensures controls are triggered at the optimal threshold, striking a balance between vigilance and operational efficiency.
Cadence: Orchestrating Control Frequency
From per transaction to various intervals, the cadence of control execution plays a vital role. Choosing the right frequency aligns controls with the pace of business operations, preventing bottlenecks while maintaining a proactive risk management stance.
Objective: Crafting Controls for Impact
Defining whether a control is preventive or detective sets the tone for its impact. While preventive controls excel in minimizing risks, detective controls offer a balanced approach, seamlessly complementing core controls for a comprehensive risk mitigation strategy.
| Lever | Low Risk Tolerance | High Risk Tolerance | Example |
| Value limit or tolerance | A lower value limit, which triggers a control more often | A higher value limit, which triggers a control less often | A department store may require a line manager to get approval before granting a refund. The control limit that triggers the need for authorization can be set to a lower value for higher-risk items (e.g., electronic equipment) and to a higher value for lower-risk items (e.g., clothes). |
| Cadence | Performing a control review frequently | Performing a control review less frequently | A restaurant needs to maintain tight control over food and beverage inventory. Higher-demand inventory such as alcohol and other beverages should be counted multiple times per day, whereas vegetables and frozen foods may only be counted daily or every other day. |
| Objective | Preventive control, which stops an unwanted action before it occurs | Detective control, which identifies an unwanted action after it has occurred | System authorization limits could either prevent an inappropriate credit note from being issued by requiring preapproval, or detect inappropriate issuances through a monthly report reviewed by management. |
Enhancing Business Control: A Strategic Approach for Startups
In the dynamic landscape of smaller companies, where risk and speed are paramount, strategic control frameworks play a pivotal role in steering the ship. Let’s delve into an insightful journey where I recently guided a startup through its Series A investment round, highlighting the significance of tailored control mechanisms and the delegation of authority.
Navigating Risk: Tailoring Controls to Company Dynamics
In the realm of smaller enterprises, or those daring enough to embrace risk and velocity, recalibrating control strategies becomes imperative. Recognizing the unique challenges faced by startups with limited resources, I crafted a control framework that prioritized detective controls and streamlined management reviews. A monthly report meticulously detailing client-facing staff overtime was generated, exceptions investigated and recorded, with a concise executive summary and cost impact shared among the executive team. This proactive approach averted most issues, but a specific month witnessed a surge in overtime, prompting corrective actions from the VP of Operations. While the financial setback could have been prevented, the investment of time and effort outweighed the losses incurred during that singular month.
Control Flexibility: Adapting to Risk Appetite
Not all controls follow a one-size-fits-all approach. While some, like monthly bank reconciliations, adhere to clear best practices, many controls require a nuanced adjustment to align with the entity’s risk appetite. What holds paramount importance is the regular review of these control levers, at least annually, contextualized within the overall risk assessment. The adaptability of each control to match the organization’s evolving size and complexity is key for sustained effectiveness.
Empowering Through Delegation: Unleashing Control Levers
Calibrating control levers sets the stage for the next crucial step – determining who wields the authority to deploy them. A prevalent challenge for leaders in growing entities is the delegation of control responsibilities to middle and line management. This is particularly common in companies transitioning from a startup or family-run structure, where a single influential figure handled all controls. Addressing this bottleneck is essential for avoiding business slowdowns and preventing the diversion of valuable leadership time towards administrative tasks.
To facilitate this transition, I advocate the development of a “delegation of authority” matrix, also known as a “limit of authority” matrix. This policy document serves as a compass for all employees, outlining approval limits when transacting on behalf of the company. Developed by the CFO and ratified by the board of directors, this matrix becomes the cornerstone of a company’s governance framework, defining decision-making authority across all functional areas.
| Business Area | Sub-area | Topic | Approval Limits | Approval Required |
| OpEx/CapEx | Operating Expenses | Nonrecurring Expenditures | Under $5,000 | Line Manager |
| Between $5,000 and $20,000 | Senior Manager | |||
| Above $20,000 | C-suite | |||
| Vendor Contracts | Annualized value under $5,000 | Senior Manager | ||
| Annualized value between $5,000 and $20,000 | C-suite | |||
| Annualized value above $20,000 | C-suite and CEO |
Business Risk Management: The Crucial Role of Delegation of Authority
In the ever-evolving landscape of corporate dynamics, effective delegation of authority emerges as a linchpin for sustainable growth and risk mitigation. This article delves into the intricacies of delegation, shedding light on its pivotal role in navigating the complexities that accompany a burgeoning business.
Understanding Delegation Thresholds
In the corporate realm, empowering line managers with the authority to incur operating expenses is a strategic move. However, it’s imperative to establish clear limits. In our scenario, the delegation threshold is set at $5,000. Any expenditure exceeding this cap necessitates prior approval from the next senior figure in the organizational hierarchy.
Managing Complexity in a Growing Business
The correlation between business growth and organizational complexity is undeniable. As a company expands its workforce, handles larger transaction volumes, and deals with substantial sums or quantities, complexity and, consequently, risk elevate. Recognizing and addressing these challenges become paramount for sustained success.
Unraveling the Delegation of Authority Matrix
While many businesses comprehend the basics of a delegation of authority matrix, the real challenge lies in leveraging it effectively to strike a balance between risk reduction and operational efficiency. Documenting risk factors and implementing strategic levers can be instrumental in achieving this delicate equilibrium.
Gaining Buy-In and Ensuring Adherence
Implementing the outlined approach not only aids in risk management but also garners support from the broader management team. This, in turn, fosters greater adherence to implemented business controls. It acts as a proactive measure, steering finance teams away from generic control frameworks that might not align with the unique complexities and risk tolerances of a specific company.
Timely Implementation for Long-Term Impact
As your company grows, and decision-making authority extends beyond the founding core group, the significance of a well-structured delegation of authority matrix intensifies. I recommend initiating a simplified version early in your growth trajectory, ideally when hiring middle and line managers—typically around the 50-employee mark. Establishing this framework early on proves unobtrusive and seamlessly scales with evolving needs.
Safeguarding Your Business Future
A robust delegation of authority framework not only streamlines operations but also fortifies your company against potential risks. Investors gain confidence, and your business is better equipped to thrive. Historical corporate lessons, from FTX to Theranos and Enron, underscore the perils of unchecked growth. Implementing effective guardrails through delegation of authority ensures your company navigates growth securely, safeguarding against both internal and external risks.
