By Tom McLeod Managing Consultant, McLeod Governance
Recently, I was standing in line at the airport security, duly observing what is surely one of modern life’s tribal dances.
Pull the computer out of the bag. Place the computer in the tray. Declare to the security guard that there are no weapons. Declare that I am not planning to perfume myself while standing in line – thereby making sure that I had declared any aerosol.
And declare that I was close to losing the will to live having to do this so often. As we danced the dance of modern security, a gentleman approached the security check-in point and said in a hurried voice: “I checked in about an hour ago and had to go out – do I need to check in again?”
Without missing a beat the security guard – who also appeared to be losing the will to live after what I can only imagine was a long shift – looked up and said: “No exception.”
One would have thought that may have been the end of the conversation and the natural moment that we all moved one step forward in the progression towards the airport’s secure kingdom. Alas no. Our friend decided that at that time and at that place he was going to question the logic of the airport security with a person that had no interest (or known incentive) to change; no ability to change and no experience in change.
“This is appalling,” said our friend. “What you are saying is that you don’t trust my word!” he continued indignantly. “No exception,” was the deadpan reply.
The interaction was sufficiently conspicuous that it drew the attention of what appeared to be two supervisors to our line. It was at that point that the loudly articulated exasperations of his fellow travellers and the fact that the security guard had numbers – not to mention logic – on his side that the gentleman submitted himself to the dance.
As he was collecting his worldly possessions from the other side of the security check-in point the gentleman turned to me and said: “It has worked before!”
The incident and the interaction was a beautiful microcosm about what constitutes (and what does not constitute) a strong control environment and – paradoxically – the importance of training.
Let’s examine the control environment element
Despite their global inconsistencies in design and execution the world over, we now have an expectation that when we travel we will be searched before we board the plane or indeed before we are allowed to be in the general proximity of the plane and passengers. That is the first stage of developing a strong control environment. What are stakeholders’ expectations with regards to how well controlled the area/process should be? If you don’t set this well – and early – what can happen is that no one understands the need for the control in the first place.
Translating this experience to the work environment when management seek to change a process, they need to be demonstrating that change has been properly socialised and communicated. The role of a well-functioning board here is to ask the most basic of questions – why? Why is there a change? Why was the previous control environment not sufficient? How will we make sure that the new control environment is as strong as what we currently have? How will stakeholders know the control environment has changed? “When management seek to change a process, they need to be demonstrating that change has been properly socialised and communicated”
There is a time and a place for not alerting people to a change in an underlying process but those times nearly always start and end with the suspicion of fraud or malicious misadventure. So, assuming that now is not one of those times, one needs to consider how the control environment and indeed the change to the control environment is communicated.
Tell the stakeholders that there is a change likely and what you will find more often than not is that the desired behaviour becomes the norm in anticipation of the change. At the airport security check-in that our friend visited, the control environment is communicated by the physical presence of signs, machines and human resources.
It is telling – indeed screaming to – even the least observant traveller that this is a moment in their journey where they have to submit themselves to what is effectively a risk assessment before they are allowed along their way. Communicating strengthened accounts payable processes in an enterprise-wide accounting system rarely has the communication signals luxury that is afforded a security check-in point.
In such instances, the best way to communicate is then often by the exultations of senior management. Boards should be asking of senior management what the executive leadership team has done to be a spokesperson for the improvement of the organisational control environment.
If the answer is nothing or very little, not only will you will never have a strong control environment, but, as a board member, you are also more than likely to be overseeing an organisation that is lacking an aspirational tone at the top.
Measuring the control environment
The next area that we need to consider is the measurement of the control environment. How many people each and every day at the checkpoint that I was queuing at to seek to bypass the intended security controls? How many people actually bypass the security controls?
The first question should be a relatively easy measurement to determine –it is, after all, a case of pure maths. The number of people passing through the gates against the number of those that raised a concern about passing through the gates. The second question is much harder to measure but measure it you must. A strong control environment can tell you how often it has failed. How often the expected control has not operated in the way that was expected of it.
Remember how our traveller friend said: “It has worked before!” While I have never been privy to the intimate workings of an airport security checkpoint I am making an educated guess that there is surveillance policing our every move. The visual deterrence element of the surveillance has obviously not worried my fellow traveller previously. Would, however, his behaviour change if he knew that there was a post security check-in analysis of the footage to identify and monitor those who have fatigued the security control system to the point that it has failed? A strong control environment has layers – if one layer fails there is another layer that is designed to stop or modify the undesirable behaviour.
Before we discuss the importance of training, one needs to give consideration to the role of continuous improvement in the establishment and maintenance of strong and robust control environments. Sadly, as a result of malfeasance of deranged individuals, airport security has had to improve to reflect the changed circumstances. Assume for one moment that hadn’t happened. The airport security check point control would deteriorate over time if it stayed the same. The reason? People would start to understand how to game the system. They would – like our friend – start to work out what works and does not work.
One of the most successful ways to counter this natural deterioration is to constantly self-assess the strength of the control environment. Self-assessment in this context could be an examination of the totality of the process or indeed a mere fraction thereof. This then leaves us with the importance of training.
The need for training
As our friend tried to beat the airport security check in system you will recall he was met with (what was a very stony faced, non expressive) “no exceptions”. This response could have been the automatic response but I suspect not. It was more than likely the result of good, regular, clear and comprehensive training.
Many years ago we found ourselves with a day to spare in Dallas, Texas. We decided to spend it retracing the important historical monuments in the assassination of the 35th President of the United States of America, John F Kennedy. After walking the Grassy Knoll and visiting the Texas School Book Depository we decided to see how long the drive was to Parkland Memorial Hospital. In a memorial section just inside the hospital we came across one of the most impressive pieces of correspondence that we have ever read. It was the reproduction of a memo written four days after the murder of President Kennedy (see panel).
There is stanza contained within it that sums up what enables a strong control environment:
1. People whose education and training is sound
2. People whose judgement is calm and perceptive
3. People whose actions are deliberate and definitive
Our security guard at the airport check-in was the beneficiary of good training that enabled him to state clearly and calmly that there was to be no exception to the rule that everyone had to be checked. His actions were deliberate and definitive – there was no ambiguity in his behaviour or in his response to the mischievous actions of the traveller.
Next time you stand in line at an airport security check-in, remind yourself that for all its frustrations it is a great example of what a strong control environment should be.
About the Author:
Tom McLeod is considered one of the world’s leading Chief Audit Executives having been the Global Head of Internal Audit for Rio Tinto, one of the world’s largest mining companies and Head of Internal Audit and Fraud at one of Asia’s largest telecommunication companies. He now operates a boutique internal audit, corporate governance and fraud prevention consultancy called McLeod Governance which advises globally with Boards, Audit Committees and Chief Audit Executives.
