The control environment protects customers and the business from risk. More than a safety net, it prevents issues from occurring avoiding customer detriment, financial loss and reputational damage.

The reality is often very different, and the control environment is not as effective as it could or should be.

What is a control?

A control is action taken by management, the Board, and other parties to manage risk and to increase the likelihood that the client will achieve their goals and strategic objectives. Whilst management define the framework, responsibility of control design and operation usually sits with the Ops Managers and their teams. Examples of controls include verification of customer identity, payment authorisation and validating bank account details into which a customer payment will be made. All will be designed based on risk appetite, regulatory requirement, and customer impact.

Resolving common control environment issues

With the backdrop of Ops Resilience, Consumer Duty, and an ongoing challenge on resource capacity – we look at the common failings and importantly, what can be done to improve.

A common controls issue…..

Controls are back ended

It is common for controls to be undertaken when the process nears completion. This is inefficient and misses opportunities to prevent errors earlier in the process. Onward impact from back ended controls include adjustment of system records, rework of customer outputs and longer customer response times. These are usually ‘detective’ controls and therefore reactive by design.

Controls are reliant on ‘checking’

Many processes are reliant on checking and sometimes through several layers. This is often a “safety net” but can sometimes be due to lack of capability. It can result in single points of dependency, bottle necks, elongated processes and ultimately cultural issues with empowerment and accountability.

Poorly understood controls

Poorly documented controls and misalignment with RCSA can result in SMEs confusion as to the control required, operated or even reason for having the control.  Similarly, it is hard to assess a poorly articulated control or where the risk being mitigated is unclear.

Missing controls or duplicate controls

The controls environment is often built up over several years, a consequence of responses to complaints, risk events and regulation. This can result in duplication or layering of controls. This is inefficient for operations and oversight.
Missed controls are also common – resulting in risks not being addressed within the process.

Reliance on manual controls
Whilst some controls will be manual because of IT estate or functionality, often control environments rely too heavily on manual controls. These are a resource overhead but also high risk.

… which would be improved by

Maximised use of preventative controls

The control trigger and operation of controls should be as early in the process as viable with the intention of prevention.

Controls should not be post process completion unless low risk.


Clarity of accountability and appropriate checking

Checking should be minimised with sample checks driven by risk appetite and in support assurance of the process.
Capability issues should be tackled at source, equipping the right resources with the training and support needed to empower them to deliver the customer outcomes.

Clear control articulation

Assessing if controls are operating effectively should be carried out on a regular basis. It is essential that controls are documented including the rationale for why a control is needed, in clear SMART (specific, Measurable, Achievable, Relevant, Time Orientated) language agnostic of the process knowledge. This allows resources to operate the controls but also supports impartial review of the controls aligned with risk appetite.

Regular review of control environment

Regular review outside of the processing team linked to risk appetite will result in a current and fit for purpose model. Understanding where controls sit in a given process or journey, the risk they aim to mitigate, and the effectiveness of the controls allows gaps to be addressed and duplication to be removed.

Controls should be designed to be durable and withstand reasonable predicted change rather than addressing short term issues.

Maximise use of automation

Manual controls should be a last resort where IT and automated options are not possible or financially viable.
Where manual controls are required – operators must be competent, with clear understanding of the control required. They should be evidenced through MI and documented audit trail. Single points of dependency and cover (holiday / sickness) should be built into operational plans.

The future of the control environment

We anticipate that the expectations of the control environment across Wealth will increase in the future with a more holistic approach to embedding customer outcomes across the industry.  Alongside provider level controls assessment, there could be a drive for cross industry assessments required to mitigate the consumer risk of reliance on key IT providers infrastructure, Cloud services and other financial portals. In the meantime, getting the basics right for process controls will be a solid basis on which future requirements can be built and demonstrate prioritisation of customer outcomes.

How can we help?

Simplify can help assessing and improving your controls environment – please get in touch to discuss


Emma Norris

Head of Portfolio