The only Blogs for Finance and for your Business Growth.

From Startup to Success: Mastering Business Controls for Growth

In the wake of a number of high-profile startup frauds, it’s high time to dispel the myth that business controls impede growth. While excessive or poorly implemented checks and balances can hold back a rapidly scaling company, it is possible to design a progressive control framework that empowers a growing company to achieve the seemingly contradictory objectives of risk management and agility.

We’ve seen what happens when controls go out the window—just look at FTX. When former Enron recovery chair John Ray III took control of FTX following CEO Sam Bankman-Fried’s arrest, he described the company’s corporate controls as a “complete failure,” citing inadequate governance, irresponsible cash management processes, and the concentration of authority within a small, inexperienced group of decision-makers, among other issues.

As a KPMG-qualified auditor with 17 years of experience working in senior finance roles at large enterprises and fast-growing venture-backed startups, I am always surprised at how common lax controls are among smaller businesses and early-stage startups feeling pressure to scale quickly. Unfortunately, these companies are particularly susceptible to avoidable losses due to poorly designed or implemented controls.

There are opportunity costs to lax controls too: The cost of capital has jumped sharply following record interest rate increases, making fundraising considerably more difficult. That increase also makes investors much more cautious, incentivizing them to perform more rigorous due diligence than ever before. I recently assisted an early-stage company with a Series A funding round, and found that the breadth and depth of the diligence was stronger than any other process I had experienced before. For example, the investor asked about the payment release strategy and wanted to know what approval levels the company had in place within the payment processing solution. In the past, this level of detail was uncommon at this investment stage.

In this article, I show you how embracing a thoughtfully designed progressive control system can support your company’s success, both by minimizing risk and reassuring investors.

The Case for Business Controls

Business controls—or internal controls—are the policies, procedures, and practices designed and implemented within a business to safeguard its assets, ensure accurate financial reporting, and promote operational efficiency. Each internal control component, such as segregation of duties, authorization procedures, and regular monitoring, contributes to the overall system of business controls.

The importance of controls grows proportionally with the size of the company, and more specifically, with the number of employees working in that organization. This risk is exacerbated by the trend toward a remote workforce. The post-COVID-19 shift in organizational design has rendered many traditional controls obsolete; for example, physically signing checks to pay suppliers at the end of the month has generally been replaced by a digital payment release strategy.

In a small company with a single decision-maker (the CEO), every choice and action directly reflects that individual’s responsibility. Take the founder of a pre-seed startup looking to contract with an important software vendor. When they personally decide which vendor to partner with, the repercussions of a poor choice fall squarely on their shoulders, affecting both finances and operations. In pursuit of speed, the CEO might choose to forego a rigorous RFP process and accept the associated risks. Just as likely, they may not be aware of what a sound vendor selection review looks like, or even more likely, be so busy that they don’t have the time to undertake such a review.

However, as the company grows, the CEO has to make a choice: Continue to make all the calls and risk creating a bottleneck, or delegate some of those decisions to, for example, a newly hired VP of Operations. However, no matter how much the CEO trusts the new VP, trust is not a scalable solution. Without a control framework, the VP will follow their own selection process, and in doing so may expose the company to excess risk disproportionate to their level of responsibility. Likewise, the CEO may not have a clear sense of those decisions to delegate and those to retain, which can send them veering haphazardly between micromanagement and disengagement.

A progressive internal control framework allows the CEO to manage the risks their company is exposed to while sustaining the heartbeat of the organization.

How to Develop a Control Framework

I have created smart, progressive internal control frameworks for rapidly growing companies by adapting my training and experience at larger, more formally organized corporations. These frameworks are designed to reduce avoidable losses and help secure venture capital funding without sacrificing agility.

Document Specific Risk and Control Factors

My best-practice advice is to begin by assessing and documenting the following risk and control factors for your company. Doing so will ensure that consensus and a common understanding are reached on these key topics, and will allow decision-makers to build efficient workflows while managing risk appropriately.

  • Operating complexity considers the current headcount, staffing model (remote versus office-based, W2s versus contractors, onshore versus offshore, etc.), operating locations (single trading location, number of countries, etc.), business model, and customer base. The more complex a company is, the greater the need for closer monitoring.
  • Technological sophistication allows a company to deploy a wide range of automated controls and is a key pillar for streamlining a control framework. A large organization typically employs more technology across all departments, which increases complexity but allows for great efficiency in the design of automated business controls.
  • Materiality is the threshold below which you would be able to tolerate financial discrepancies, errors, or deviations in your processes. Anything above this materiality threshold must trigger immediate action or reporting. When considering materiality I will look at both the financial and nonfinancial impacts (e.g., loss of reputation or customer trust). A lower threshold for materiality demands greater control.
  • Risk tolerance is a form of materiality that is especially useful when it’s difficult to estimate a monetary value. It also allows a CEO or founder to define their judgment and risk tolerance, even if only subjectively, as if to say, “I’m prepared to tolerate unauthorized subscription discounts from the sales team as long as we’re growing.” This sentiment will likely evolve over time, and documenting it now provides a useful comparison for reference. A higher risk tolerance allows for looser controls.
  • fundraising stage is a common and important trigger for a more secure control framework to be implemented, as investors will have higher expectations for larger companies. Angel and other noninstitutional investors will seldom inquire about business controls, whereas a Series D VC fund leading a $100M round is likely to review the company’s business controls in some detail before closing the round.

A good understanding of these factors is the foundation for a progressive control system as they impact how many controls are included in the control framework, how often controls are triggered, and how effective controls are at preventing or detecting unauthorized actions. These factors also directly influence how I use three fundamental levers—value limit (or tolerance), cadence, and objective—to design each control for each area of the organization.

Calibrate the Three Levers of Control

Once the documentation and evaluation of risk and control factors are complete, I use three key levers to calibrate each control with the overall risk assessment and risk appetite of each company:

  • Value limit or tolerance: This adjusts the amount or value that triggers the control. Changing this limit greatly impacts the number of exceptions flagged for review.
  • Cadence: This adjusts how often a control is performed, from per transaction to daily, monthly, or even annually.
  • Objective: This defines whether the control is designed to prevent or detect unapproved events or decisions. While preventive controls are superior at minimizing risk, less disruptive detective controls are a great compromise and work well in conjunction with other core controls.

Related Articles

Jaber Hussain

Financial Advisor & Blogger

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Jaber Hussain

Sponsor

Sponsor goes here

Browse