From Startup to Success: Mastering Business Controls for Growth
In the wake of a number of high-profile startup frauds, it’s high time to dispel the myth that business controls impede growth. While excessive or poorly implemented checks and balances can hold back a rapidly scaling company, it is possible to design a progressive control framework that empowers a growing company to achieve the seemingly contradictory objectives of risk management and agility.
Business Controls for Growth We’ve seen what happens when controls go out the window—just look at FTX. When former Enron recovery chair John Ray III took control of FTX following CEO Sam Bankman-Fried’s arrest, he described the company’s corporate controls as a “complete failure,” citing inadequate governance, irresponsible cash management processes, and the concentration of authority within a small, inexperienced group of decision-makers, among other issues.
Unfortunately, these companies are particularly susceptible to avoidable losses due to poorly designed or implemented controls.
Business Controls for Growth There are opportunity costs to lax controls too:
The cost of capital has jumped sharply following record interest rate increases, making fundraising considerably more difficult. That increase also makes investors much more cautious, incentivizing them to perform more rigorous due diligence than ever before. I recently assisted an early-stage company with a Series A funding round and found that the breadth and depth of the diligence were stronger than any other process I had experienced before. For example, the investor asked about the payment release strategy and wanted to know what approval levels the company had in place within the payment processing solution. In the past, this level of detail was uncommon at this investment stage.
In this article, I show you how embracing a thoughtfully designed progressive control system can support your company’s success, both by minimizing risk and reassuring investors.
The Case for Business Controls
Business controls—or internal controls—are the policies, procedures, and practices designed and implemented within a business to safeguard its assets, ensure accurate financial reporting, and promote operational efficiency. Each internal control component, such as segregation of duties, authorization procedures, and regular monitoring, contributes to the overall system of business controls.
Business Controls for Growth The importance of controls grows proportionally with the size of the company and, more specifically, with the number of employees working in that organization.
In a small company with a single decision-maker (the CEO), every choice and action directly reflects that individual’s responsibility. Take the founder of a pre-seed startup looking to contract with an important software vendor. When they personally decide which vendor to partner with, the repercussions of a poor choice fall squarely on their shoulders, affecting both finances and operations. In pursuit of speed, the CEO might choose to forego a rigorous RFP process and accept the associated risks.
How to Develop a Control Framework
I have created smart, progressive internal control frameworks for rapidly growing companies by adapting my training and experience at larger, more formally organized corporations. These frameworks are designed to reduce avoidable losses and help secure venture capital funding without sacrificing agility.
Document Specific Risk and Control Factors
My best-practice advice is to begin by assessing and documenting the following risk and control factors for your company:. Doing so will ensure that consensus and a common understanding are reached on these key topics and will allow decision-makers to build efficient workflows while managing risk appropriately.
- Operating complexity considers the current headcount, Business Controls for Growth staffing model (remote versus office-based, W2s versus contractors, onshore versus offshore, etc.), operating locations (single trading location, number of countries, etc.), business model, and customer base. The more complex a company is, the greater the need for closer monitoring.
- Technological sophistication allows a company to deploy a wide range of automated controls and is a key pillar for streamlining a control framework. A large organization typically employs more technology across all departments, which increases complexity but allows for great efficiency in the design of automated business controls.
- Materiality is the threshold below which you would be able to tolerate financial discrepancies, errors, or deviations in your processes. Anything above this materiality threshold must trigger immediate action or reporting. When considering materiality, I will look at both the financial and nonfinancial impacts (e.g., loss of reputation or customer trust). A lower threshold for materiality demands greater control.Business Controls for Growth
-
Business Controls for Growth
- Risk tolerance is a form of materiality that is especially useful when it’s difficult to estimate a monetary value. It also allows a CEO or founder to define their judgment and risk tolerance, even if only subjectively, as if to say, “I’m prepared to tolerate unauthorized subscription discounts from the sales team as long as we’re growing.” This sentiment will likely evolve over time, and documenting it now provides a useful comparison for reference. A higher risk tolerance allows for looser controls.
- A fundraising stage is a common and important trigger for a more secure control framework to be implemented, as investors will have higher expectations for larger companies. Angel and other noninstitutional investors will seldom inquire about business controls, whereas a Series D VC fund leading a $100 million round is likely to review the company’s business controls in some detail before closing the round.
These factors also directly influence how I use three fundamental levers—value limit (or tolerance), cadence, and objective—to design each control for each area of the organization.
Calibrate the Three Levers of Control
Once the documentation and evaluation of risk and control factors are complete, I use three key levers to calibrate each control with the overall risk assessment and risk appetite of each company:
- Value limit or tolerance: This adjusts the amount or value that triggers the control. Changing this limit greatly impacts the number of exceptions flagged for review.
- Cadence: This adjusts how often a control is performed, from per transaction to daily, monthly, or even annually.
- Objective: This defines whether the control is designed to prevent or detect unapproved events or decisions. While preventive controls are superior at minimizing risk, less disruptive detective controls are a great compromise and work well in conjunction with other core controls.
The three levers can be changed according to a risk continuum:
|
Lever
|
Low-Risk Tolerance
|
High-Risk Tolerance
|
Example
|
|
Value limit or tolerance
|
A lower value limit triggers a control more often
|
A higher value limit triggers a control less often
|
A department store may require a line manager to get approval before granting a refund.
|
|
Cadence
|
Performing a control review frequently
|
Performing a control review less frequently
|
A restaurant needs to maintain tight control over its food and beverage inventory.
|
|
Objective
|
Preventive control, which stops an unwanted action before it occurs,
|
Detective control, which identifies an unwanted action after it has occurred,
|
System authorization limits could either prevent an inappropriate credit note from being issued
|
