Have you ever noticed that organizations are great at creating controls and policies to prevent incidents that have already happened? Once the proverbial cow escapes the barn, they adeptly make sure it won't happen again by, say, authorizing only certain people to man the exit and constructing barn-door status reports.
While this kind of organizational response does indeed prevent the recurrence of the exact same negative instance (they won't lose the same cow in the same way again), the accumulation of these "reactive" controls often creates complexity, confusion, and unnecessary cost. Even worse, the new controls usually don't prevent future incidents of a different kind from occurring.
To be better prepared, organizations should periodically step back and check their operations for these common problems arising from after-the-fact solutions:
1. Static controls for dynamic issues. Anyone who has flown lately -- particularly on flights to the United States -- has seen the continued accretion of security controls at the airports and on the planes. For example, upon returning to the U.S. from Canada recently, I went through three newly created screenings in three different staging areas. The TSA created these procedures -- along with previous ones such as fortifying cockpit doors and not allowing carry-on liquids -- to prevent repeats of past attacks, and so far they have worked. However, the continued accumulation of more and more security procedures is not sustainable -- and does nothing to prevent new and different attacks. At some point the various security services, along with technology experts and the airlines, will need to come together to develop more preventative, proactive, and streamlined security controls. The only other alternative will be to have nobody fly.
2. Cost of controls higher than the cost of no controls. A few years ago I observed a factory that employed high-speed lathe operators. When the operators' gloves wore out, they needed to shut down their machines, go to another building, fill out a form, show their old gloves to a materials clerk, and only then get a new pair of gloves. When I asked why that procedure was used, I was told that once upon a time some boxes of gloves had gone missing and that this system prevented such losses. Unfortunately, it also reduced productivity and made the lathe operators feel like they could not be trusted. In short, the cost of controlling for lost gloves was far higher than all the possible lost gloves themselves.
3. Controls applied across the board, whether needed or not. The third common problem with controls created after the fact is that they often become blunt instruments, solutions applied to everyone, everywhere even though the problem to be solved was more narrow. Sarbanes Oxley is an example of that type of approach -- well-meaning legislation meant to insure financial transparency and prevent certain types of fraudulent activities -- but applied to all types of businesses, the vast majority of whom were being perfectly honest and compliant without SOX.
Every organization has control procedures and policies, many of them created after the fact with the perfectly logical intention of preventing problems from happening again. But unless you periodically step back and assess the cost and benefit of these procedures, you run the danger of creating more complexity than competitive advantage.
So take a look at your organization's controls. Could they benefit from an update?