In a lot of organisations, controls don’t grow… they accumulate.
Incident? Add a control.
Audit finding? Add a control.
New regulation? Definitely add a control.
What almost never happens is the opposite conversation: “Which of these can we retire?”
After a few years, you’re staring at a sprawling control matrix: dozens or hundreds of line items, overlapping reviews, manual checks that predate your current systems. The organisation got busier, but not necessarily safer. It’s time to rationalise and simplify.
The shift that changes everything is simple:
Don’t start from controls. Start from risk. Then design the minimum effective dose of controls that keeps those risks in check.
1. Start with risks: what are you actually afraid of?
Before you look at a single control, you need an honest picture of what can actually hurt you.
Take each core process—Order-to-Cash, Procure-to-Pay, Record-to-Report, Payroll—and ask in plain language:
- What could realistically go wrong here?
- If it did, who would care—CFO, CEO, regulator, major customer?
- Would it cost us money, credibility, or our ability to operate?
You don’t need a 30-page risk methodology. You need a shared understanding of the big dangers.
The goal of this step is clarity. Not every risk needs a control. Not every control needs to be “key”.
2. Map reality: one risk, many controls
Once you’re clear on the real risks, then you bring your control environment into the conversation.
Instead of asking, “What controls do we have?”, you ask, “What are we doing today that actually keeps these risks under control?”
You build a single view of controls where each one has to declare its purpose. For every control, note:
- What really happens (in straightforward language, not policy speak)
- Which process it belongs to
- Which risk or risks it’s supposed to reduce
- How often it happens and who owns it
- What evidence it leaves behind
When you group controls by the risks they’re meant to cover, patterns appear immediately. You start seeing:
- Three people in three teams reviewing the same report in slightly different ways
- Manual checks that made sense before your last ERP or system upgrade, still running out of habit
- Activities no one can clearly tie back to a meaningful risk
The neat thing is that nothing “new” has happened here—you’ve just changed the view. You’re no longer staring at a wall of controls; you’re looking at clusters of risk mitigation effort around specific risks.
3. Find your “minimum effective dose” of control
This is where you find the leverage.
For each significant risk, look at the bundle of controls mapped to it and ask:
“What’s the minimum effective dose of control that keeps this risk at a level we can live with, within our risk appetite?”
Not the maximum we can afford. The minimum that actually works.
As you scan the list, certain controls will stand out:
- Preventive controls that stop problems at source
- Automated or system-based controls that don’t rely on heroics
- Activities that produce clear, objective evidence they happened
Those are your candidates for key controls—the ones you’d be comfortable explaining to a board or regulator if the risk ever materialised.
A simple test works well here:
If this control failed tomorrow, would we feel meaningfully more exposed?
- If yes, it’s probably key.
- If no, it’s supporting at best.
Most teams discover that a single risk is surrounded by a ring of “comfort” controls—extra reviews and checks that make people feel busy but don’t really move the risk needle.
You don’t have to slash everything at once. But you do want to stop pretending everything is equally important.
4. Rationalise without compromising on governance
The word “rationalise” can make people nervous. They hear “cutting controls” and imagine awkward conversations with auditors.
The way to de-risk this is to make your decisions explicitly risk-based and traceable.
When you decide to keep, merge, replace, or remove a control, capture a few essentials:
- Which risk(s) it relates to
- Which other controls cover that risk, and how
- Why the change doesn’t increase residual risk (for example, you replaced three weak manual checks with one strong automated control)
- Who agreed to the change—process owner, risk/compliance, internal audit
Now, if someone comes back six months later asking, “Why did we stop doing this?”, you’re not relying on memory. You have a simple log that tells the story in a risk language management and auditors understand.
The conversation also shifts. You’re not saying, “We’re cutting your control.” You’re saying, “We looked at the risk, looked at everything we’re doing, and agreed these specific controls give us enough protection. Here’s why.”
5. Make it a risk decision, not a political one
Controls are emotional. People feel ownership over “their” review, “their” sign-off, “their” report.
If you try to rationalise from the control list downwards, you risk turning it into a turf war.
So keep anchoring everything in risk.
Bring risk owners into the room along with process owners. Put the risk at the top of the page and list all the controls underneath it. Then walk through a simple, shared question:
“If we rely mainly on these two or three strong controls, and remove or downgrade these others, are we still comfortable with this risk?”
You’re no longer arguing about individual tasks. You’re co-owning a risk appetite decision. That’s a very different dynamic.
The psychology matters. People are much more willing to let go of their favourite check if they see a stronger, more coherent set of controls around the underlying risk.
6. Design forward: fewer, stronger, easier controls
Once you’ve stripped out the noise, you can invest more in what remains.
Look at your key controls and design them for strength and ease:
- Move what you can from manual routines to system rules, configuration, or automated reports.
- Where manual work is unavoidable, tighten the “script”: who does what, when, and what evidence they produce.
- Shift from reviewing everything to monitoring exceptions where possible.
You want to end up with a framework where, for each major risk, you could sit down with a new CFO or external auditor and explain in a few minutes:
- This is the risk.
- These are the key controls we rely on.
- This is how they work and how we know they operated.
If that conversation is simple and credible, you’re in a better place than an organisation with three times as many controls and no clear narrative.
7. Stop control bloat from coming back
Rationalisation isn’t a one-time project. If you do nothing, bloat creeps back.
A few simple guardrails keep things under control:
- Review risks and controls together once a year or after major changes, not just “test controls” in isolation.
- Treat big events—new systems, new products, new markets, new regulations—as triggers to revisit the relevant risks and their key controls.
- Make it normal to ask, whenever someone proposes a new control:
“Which risk is this for, what’s wrong with current coverage, and what can we remove or simplify if we add this?”
You’re teaching the organisation a new habit: risk first, controls second.
Closing thought: control less to control better
Most organisations don’t suffer from too few controls. They suffer from too many half-effective ones.
When you start with the risks that truly matter, map what you’re actually doing today, and look for the minimum effective dose of control, you get a framework that’s:
- Leaner and easier to run
- Clearer to explain to boards, auditors, and investors
- More honest about where you are genuinely protected—and where you’re not
If you want a shortcut—templates for risk–control mapping, example sets of key controls—you’ll find practical tools on our Products Page.
It’s a simple way to turn a bloated control environment into something sharper, lighter, and actually useful.