“It’s not rocket science” is often used to refer to something that’s not overly challenging. It’s a common phrase that gives respect to the math and science involved in getting rockets to perform near-impossible feats. Is holding up the complexities of financial operations protection to those of rocket science a fair comparison? The answer is yes, and if you’ll indulge me in a few puns, I’ll launch right into why.

Let’s start with what rocket science is. Many engineering and science disciplines fall under this broad term, but in a simple model there are two main design aspects. First, design a system that can generate a tremendous amount of force. And second, design a system that controls that tremendous amount of force to reach the desired objective.

Now think of your company’s stakeholders (employees, customers, suppliers, shareholders) and processes (services, manufacturing, R&D, marketing) as a system that can generate a tremendous amount of economic force on your enterprise’s P&L. Like a rocket, that force has the potential to unleash devastating effects on your enterprise without a robust control system in place. To meet your enterprise objectives, you need both aspects of rocket science — a system that generates economic force and a system that controls that force to protect the enterprise.

The parallels to rocket science don’t end there. Let’s boldly go deeper. As an electrical engineer, I studied control theory. The principle of control theory is quite simple. You put a signal into a system that produces an output signal that attempts to control a force to provide a desired outcome. This is called the forward path.

To ensure the desired outcome is achieved in an environment with many unpredictable variables (e.g. instantaneous changes in wind speed), you measure and process the output, and compare it to what you were aiming to achieve. If the output isn’t on target due to an unpredictable variable, you adjust the input signal and check the output again. This path of the output signal back to the input for processing and comparison is called the feedback path, and the process of checking input to output happens continuously. I’ve simplified how the system works, but the take-away here is this: for any control system to operate effectively, it needs a continuous feedback path.

Enterprises do put controls in place. These can be rules and constraints implemented within systems, or written policies that are attested to by select stakeholders. While these controls are necessary and important, they don’t constitute a control system. These elements take various inputs in an attempt to meet desired outcomes – the forward path in control theory. But an enterprise has many unpredictable variables within its system known as “humans”. Without a feedback path providing continuous monitoring and adjustments, the enterprise lacks an effective control system.

Isn’t this continuous monitoring (the feedback path) the role of internal and external auditors? Audits and auditors are an important part of managing enterprise risk, but they aren’t the feedback path of an enterprise control system. In our rocket science analogy, auditors and audits are the people and processes that periodically check that the control system is operating correctly. Audits and auditors are the quality assurance (QA) for your enterprise control system, but they aren’t the actual system. SpaceX doesn’t rely on their QA team to be an integral part of the control system for their rockets while in flight. Nor should management teams and boards rely on audit to be an integral part of the control system for the running of their enterprises. Unfortunately, many management teams and boards do just that, resulting in fraud, waste and abuse continuing to occur despite advances in audit techniques and digital transformation strategies. It’s also why blame continues to be mistakenly placed on auditors when this occurs. Say it with me: “Damn it Jim, I’m an auditor not a rocket scientist!”

Enterprise protection is rocket science. Without a properly functioning control system, including a feedback path, enterprises can suffer devastating results. Fortunately, solutions are emerging that reduce the complexity of implementing control systems for enterprises. These solutions continuously monitor data from various inputs, rapidly detect incidents and weaknesses, and then enable quick remediation for a responsive feedback path that keeps the enterprise on its charted course. And, through automation and data science, the costs are low enough that CFOs won’t feel like they’re funding the next mission to Mars.

It’s rocket science. That’s why CTRLmatters.

