The notion that internal controls hinder growth is a misconception. When designed properly, smart checks and balances can effectively manage risks, enabling your company to flourish.
Author Credentials
Brian is an experienced finance leader who shifted from large enterprises to lead finance operations for various startups, including his own. A qualified auditor from KPMG, he has guided fraud and risk analyses for companies of all sizes.
Introduction
In light of several recent high-profile startup frauds, it’s crucial to debunk the myth that business controls stifle growth. While poorly implemented or excessive checks can indeed impede a fast-growing business, it’s entirely feasible to create a dynamic control framework that fosters agility while mitigating risks.
Consider the case of FTX, where inadequate corporate controls led to significant failures. John Ray III, who took over after CEO Sam Bankman-Fried’s arrest, highlighted the company’s governance failures and overly centralized decision-making among inexperienced individuals.
As a KPMG-qualified auditor with 17 years of experience in finance—spanning large enterprises to rapidly growing startups—I’ve often encountered lax controls in smaller companies under pressure to scale. This lack of robust controls can lead to avoidable losses, especially now that fundraising has become increasingly difficult due to rising interest rates, necessitating even greater diligence from investors.
In this article, I’ll illustrate how an effective internal control system can minimize risks and enhance investor confidence, ultimately supporting your company’s success.
The Importance of Business Controls
Business controls, or internal controls, are structured policies and procedures designed to protect assets, ensure accurate financial reporting, and enhance operational efficiency. Each aspect of internal controls—such as segregation of duties, authorization, and monitoring—plays a vital role in the overall business control system.
As a company grows, so too does the necessity for controls, particularly with a larger workforce. The shift toward remote work has rendered many traditional controls outdated, emphasizing the need for a digital approach to payment releases and approvals.
In a small company where the CEO makes all decisions, personal responsibility is clear. However, as the organization expands, the CEO must either continue micromanaging or delegate choices to a VP of Operations. Without a control framework, this delegation can lead to excessive risks, as the new VP may not adhere to a consistent selection process.
A progressive internal control framework allows CEOs to balance risk management with the demands of a growing organization.
Creating a Control Framework
Drawing from my experience in larger corporations, I’ve developed smart internal control frameworks tailored for fast-growing companies. These frameworks aim to minimize losses and secure venture capital funding without sacrificing agility.
1. Document Risk and Control Factors
Start by assessing and documenting critical risk and control factors. This process ensures that decision-makers share a common understanding on managing risks while promoting efficient workflows.
- Operating Complexity: Examine your organization’s headcount, staffing models, business models, and customer base. Greater complexity necessitates closer monitoring.
- Technological Sophistication: Evaluate your use of automated controls; larger organizations can leverage technology to design efficient automated business controls.
- Materiality: Determine thresholds for tolerable discrepancies in financial processes. Anything above this threshold should prompt immediate action.
- Risk Tolerance and Fundraising Stage: Understand how your risk appetite evolves with funding stages. Investors at higher stages will have heightened expectations for business controls.
2. Calibrate Control Levers
Once you’ve documented your risk factors, use three key levers to tailor the controls to your organization’s risk assessment and appetite:
- Value Limit: Adjust the monetary threshold that triggers control measures, impacting how often exceptions are flagged.
- Cadence: Specify how frequently controls should be performed—daily, monthly, or annually.
- Objective: Define whether a control is preventive (stopping unwanted actions before they occur) or detective (identifying issues after they’ve occurred).
Adaptation of these levers is essential as the organization’s risk tolerance changes.
Delegating Authority
With calibrated control levers, consider who should implement them. A common challenge in growing companies is the reluctance to delegate responsibility for business controls, often leading to bottlenecks and inefficient use of the founder’s or CEO’s time.
To facilitate this transition, establish a “delegation of authority” matrix, detailing approval limits for all transactions. This document clarifies and streamlines decision-making across the organization.
Conclusion
As your company grows, maintaining an appropriate balance between risk reduction and operational efficiency becomes increasingly vital. Implementing a structured control framework not only safeguards your business but also enhances the confidence of investors. This proactive approach equips your organization to thrive, minimizing exposure to risks associated with uncontrolled growth, as underscored by recent cautionary tales in the startup landscape.