From Startup to Success: Mastering Business Controls for Growth
It’s a mistake to believe that internal controls are the enemy of growth. Learn how to design smart checks and balances that manage risk while positioning your company to thrive.
Brian is a seasoned finance leader who transitioned from the enterprise world to head up finance operations for numerous startups—including his own. Leveraging his expertise as a KPMG-qualified auditor, he has also led fraud and risk analyses for businesses of every size.
Previous Role: SVP of Finance
In the wake of a number of high-profile startup frauds, it’s high time to dispel the myth that business controls impede growth. While excessive or poorly implemented checks and balances can hold back a rapidly scaling company, it is possible to design a progressive control framework that empowers a growing company to achieve the seemingly contradictory objectives of risk management and agility.
We’ve seen what happens when controls go out the window—just look at FTX. When John Ray III, who had previously overseen the Enron liquidation, took control of FTX after Sam Bankman-Fried resigned as CEO and the company filed for bankruptcy, he described its corporate controls as a “complete failure,” citing inadequate governance, irresponsible cash management processes, and the concentration of authority within a small, inexperienced group of decision-makers, among other issues.
As a KPMG-qualified auditor with 17 years of experience working in senior finance roles at large enterprises and fast-growing venture-backed startups, I am always surprised at how common lax controls are among smaller businesses and early-stage startups feeling pressure to scale quickly. Unfortunately, these companies are particularly susceptible to avoidable losses due to poorly designed or implemented controls.
There are opportunity costs to lax controls too: The cost of capital has jumped sharply following record interest rate increases, making fundraising considerably more difficult. That increase also makes investors much more cautious, incentivizing them to perform more rigorous due diligence than ever before. I recently assisted an early-stage company with a Series A funding round and found that the breadth and depth of the diligence exceeded any other process I had experienced. For example, the investor asked about the payment release strategy and wanted to know what approval levels the company had configured within its payment processing solution. In the past, this level of detail was uncommon at this investment stage.
In this article, I show you how embracing a thoughtfully designed progressive control system can support your company’s success, both by minimizing risk and reassuring investors.
The Case for Business Controls
Business controls—or internal controls—are the policies, procedures, and practices designed and implemented within a business to safeguard its assets, ensure accurate financial reporting, and promote operational efficiency. Each internal control component, such as segregation of duties, authorization procedures, and regular monitoring, contributes to the overall system of business controls.
The importance of controls grows proportionally with the size of the company, and more specifically, with the number of employees working in that organization. The risk of uncontrolled actions is exacerbated by the trend toward a remote workforce. The post-COVID-19 shift in organizational design has rendered many traditional controls obsolete; for example, physically signing checks to pay suppliers at the end of the month has generally been replaced by a digital payment release strategy, so the control now lives in the approval configuration of the payment system rather than in a signature.
In a small company with a single decision-maker (the CEO), every choice and action directly reflects that individual’s responsibility. Take the founder of a pre-seed startup looking to contract with an important software vendor. When they personally decide which vendor to partner with, the repercussions of a poor choice fall squarely on their shoulders, affecting both finances and operations. In pursuit of speed, the CEO might choose to forego a rigorous RFP process and accept the associated risks. Just as likely, they may not be aware of what a sound vendor selection review looks like, or even more likely, be so busy that they don’t have the time to undertake such a review.
As the company grows, the CEO has to make a choice: Continue to make all the calls and risk creating a bottleneck, or delegate some of those decisions to, for example, a newly hired VP of Operations. However, no matter how much the CEO trusts the new VP, trust is not a scalable solution. Without a control framework, the VP will follow their own selection process, and in doing so may expose the company to risk disproportionate to their level of responsibility. Likewise, the CEO may not have a clear sense of which decisions to delegate and which to retain, which can send them veering haphazardly between micromanagement and disengagement.
A progressive internal control framework allows the CEO to manage the risks their company is exposed to while sustaining the heartbeat of the organization.
How to Develop a Control Framework
I have created smart, progressive internal control frameworks for rapidly growing companies by adapting my training and experience at larger, more formally organized corporations. These frameworks are designed to reduce avoidable losses and help secure venture capital funding without sacrificing agility.
Document Specific Risk and Control Factors
My best-practice advice is to begin by assessing and documenting the following risk and control factors for your company. Doing so will ensure that consensus and a common understanding are reached on these key topics, and will allow decision-makers to build efficient workflows while managing risk appropriately.
- Operating complexity considers the current headcount, staffing model (remote versus office-based, W2s versus contractors, onshore versus offshore, etc.), operating locations (single trading location, number of countries, etc.), business model, and customer base. The more complex a company is, the greater the need for closer monitoring.
- Technological sophistication allows a company to deploy a wide range of automated controls and is a key pillar for streamlining a control framework. A large organization typically employs more technology across all departments, which increases complexity but allows for greater efficiency in the design of automated business controls.
- Materiality is the threshold below which you would be able to tolerate financial discrepancies, errors, or deviations in your processes. Anything above this materiality threshold must trigger immediate action or reporting. When considering materiality I will look at both the financial and nonfinancial impacts (e.g., loss of reputation or customer trust). A lower threshold for materiality demands greater control.
- Risk tolerance is a form of materiality that is especially useful when it’s difficult to estimate a monetary value. It also allows a CEO or founder to define their judgment and risk tolerance, even if only subjectively, as if to say, “I’m prepared to tolerate unauthorized subscription discounts from the sales team as long as we’re growing.” This sentiment will likely evolve over time, and documenting it now provides a useful comparison for reference. A higher risk tolerance allows for looser controls.
- A fundraising stage is a common and important trigger for a more secure control framework to be implemented, as investors will have higher expectations for larger companies. Angel and other noninstitutional investors will seldom inquire about business controls, whereas a Series D VC fund leading a $100M round is likely to review the company’s business controls in some detail before closing the round.
A good understanding of these factors is the foundation for a progressive control system as they impact how many controls are included in the control framework, how often controls are triggered, and how effective controls are at preventing or detecting unauthorized actions. These factors also directly influence how I use three fundamental levers—value limit (or tolerance), cadence, and objective—to design each control for each area of the organization.
Calibrate the Three Levers of Control
Once the documentation and evaluation of risk and control factors are complete, I use three key levers to calibrate each control with the overall risk assessment and risk appetite of each company:
- Value limit or tolerance: This adjusts the amount or value that triggers the control. Changing this limit greatly impacts the number of exceptions flagged for review.
- Cadence: This adjusts how often a control is performed, from per transaction to daily, monthly, or even annually.
- Objective: This defines whether the control is designed to prevent or detect unapproved events or decisions. While preventive controls are superior at minimizing risk, less disruptive detective controls are a great compromise and work well in conjunction with other core controls.
The three levers can be changed according to a risk continuum:
| Lever | Low Risk Tolerance | High Risk Tolerance | Example |
|---|---|---|---|
| Value limit or tolerance | A lower value limit, which triggers a control more often | A higher value limit, which triggers a control less often | A department store may require a line manager to get approval before granting a refund. The control limit that triggers the need for authorization can be set to a lower value for higher-risk items (e.g., electronic equipment) and to a higher value for lower-risk items (e.g., clothes). |
| Cadence | Performing a control review frequently | Performing a control review less frequently | A restaurant needs to maintain tight control over food and beverage inventory. Higher-demand inventory such as alcohol and other beverages should be counted multiple times per day, whereas vegetables and frozen foods may only be counted daily or every other day. |
| Objective | Preventive control, which stops an unwanted action before it occurs | Detective control, which identifies an unwanted action after it has occurred | System authorization limits could either prevent an inappropriate credit note from being issued by requiring preapproval, or detect inappropriate issuances through a monthly report reviewed by management. |
At smaller companies, or those with a greater appetite for risk and speed, I will set higher value limits, design controls to be executed less frequently, and rely more on detective controls.
I recently assisted a startup during its attempt to raise a Series A investment round. The company had a relatively small headcount and management was stretched thin trying to deliver on multiple objectives. Considering the practical reality of the company’s position, I designed a control framework that employed more detective controls and had management review these less frequently: We prepared a report at the end of each month detailing all overtime worked for client-facing staff; exceptions were investigated and recorded, and an executive summary and cost impact were shared with the wider executive team via email. We seldom had an issue, but during one month, overtime ballooned, and the VP of Operations responded with a number of corrective measures. While the excess cost could have been avoided, the additional time and effort to do so far exceeded the money lost from this single month.
While some controls have clear best practices attached to them (e.g., perform a bank reconciliation for all business accounts each month), most controls can be dialed up or down to suit each entity’s specific risk appetite. What is more important is that these levers be reviewed on a regular basis (annually at minimum) in the context of the overall risk assessment, and that each control be modified to match the size and complexity of the organization at that particular time.
Decide How to Delegate Authority
Once your control levers are calibrated, it’s time to consider who should be empowered to deploy them. The most common challenge for leaders of growing or medium-sized entities is delegating the responsibility for business control to middle and line management. This is especially common in companies that grew from a startup or family-run business in which the key person of influence was accustomed to performing all controls personally. The majority of smaller companies I have worked with have experienced this problem, and the result is a bottleneck that slows down the business. Even worse is that the valuable time of the founder or CEO is diverted away from high-value work to administrative tasks, an exceptionally expensive situation that is often overlooked.
To help leaders manage the transition, I recommend developing a “delegation of authority” matrix, also known as a “limit of authority” matrix. This is a policy document that instructs and guides all employees regarding approval limits when transacting on behalf of the company. This matrix serves as the foundation of a company’s governance framework by clarifying and quantifying the decision-making authority of each member of the management team.
A matrix that addresses all functional areas of the business is usually developed by the CFO and approved by the company’s board of directors.
Excerpt From a Typical Delegation of Authority Matrix
| Business Area | Sub-area | Topic | Approval Limits | Approval Required |
|---|---|---|---|---|
| OpEx/CapEx | Operating Expenses | Nonrecurring Expenditures | Under $5,000 | Line Manager |
| | | | Between $5,000 and $20,000 | Senior Manager |
| | | | Above $20,000 | C-suite |
| | | Vendor Contracts | Annualized value under $5,000 | Senior Manager |
| | | | Annualized value between $5,000 and $20,000 | C-suite |
| | | | Annualized value above $20,000 | C-suite and CEO |
In this example, the delegation of authority to a line manager to incur an operating expense on behalf of the company is limited to $5,000, and any expense greater than this requires prior approval from the next most senior person noted. Two details are worth pinning down in the policy text itself so they cannot be argued later: which tier an amount that falls exactly on a threshold belongs to, and whether a requester may ever approve their own transaction (segregation of duties says no, whatever their rank).
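The matrix above, together with the objective lever from the earlier section (preventive versus detective), can be expressed as a small policy that a payment release system enforces. The following is an added example, not code from the article or from any product the author describes; the dollar tiers follow the sample matrix, while the role ranks, the rule that a more senior role may sign for a less senior one, the fail-closed handling of amounts exactly on a boundary, and the names and amounts in the sample ledger are assumptions chosen for illustration.

```python
"""Added example: a delegation-of-authority matrix as an enforceable policy.
Not code from the original article. Thresholds follow its sample matrix;
role ranks, boundary handling and the sample ledger are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Sequence, Set, Tuple


class Role(IntEnum):
    # Ranks are an assumption: a more senior role may sign for a less senior one.
    LINE_MANAGER = 1
    SENIOR_MANAGER = 2
    C_SUITE = 3
    CEO = 4


# Each tier: (exclusive upper limit in dollars, or None when unbounded; roles that must each sign).
# Assumption: an amount exactly on a boundary resolves to the stricter (next) tier.
MATRIX: Dict[str, List[Tuple[object, Tuple[Role, ...]]]] = {
    "nonrecurring_expense": [
        (5_000, (Role.LINE_MANAGER,)),
        (20_000, (Role.SENIOR_MANAGER,)),
        (None, (Role.C_SUITE,)),
    ],
    "vendor_contract_annualized": [
        (5_000, (Role.SENIOR_MANAGER,)),
        (20_000, (Role.C_SUITE,)),
        (None, (Role.C_SUITE, Role.CEO)),  # two distinct signers required
    ],
}


@dataclass(frozen=True)
class Request:
    request_id: str
    requester: str
    topic: str
    amount: float


@dataclass(frozen=True)
class Approval:
    approver: str
    role: Role


def required_roles(topic: str, amount: float) -> Tuple[Role, ...]:
    """Return the roles that must each sign off on this spend."""
    if amount < 0:
        raise ValueError("negative amount")
    for limit, roles in MATRIX[topic]:
        if limit is None or amount < limit:
            return roles
    raise AssertionError("matrix has no unbounded tier")


def evaluate(request: Request, approvals: Sequence[Approval]) -> List[str]:
    """Apply the matrix to one request; an empty list means it passes.

    Two checks: segregation of duties (nobody approves their own request) and
    one distinct signer per required role, where a signer may hold a higher rank.
    """
    reasons: List[str] = []
    if any(a.approver == request.requester for a in approvals):
        reasons.append("requester approved own request")
    eligible = [a for a in approvals if a.approver != request.requester]
    used: Set[str] = set()
    # Most senior requirement first, so a CEO signature is not spent on a C-suite slot.
    for role in sorted(required_roles(request.topic, request.amount), reverse=True):
        match = next((a for a in eligible if a.role >= role and a.approver not in used), None)
        if match is None:
            reasons.append(f"missing approval at {role.name} or above")
        else:
            used.add(match.approver)
    return reasons


def release_payment(request: Request, approvals: Sequence[Approval]) -> bool:
    """Preventive control: the payment run refuses anything that fails the matrix."""
    return not evaluate(request, approvals)


def exception_report(ledger: Sequence[Tuple[Request, Sequence[Approval]]]) -> Dict[str, List[str]]:
    """Detective control: the same rule applied after the fact over a period's payments."""
    report: Dict[str, List[str]] = {}
    for request, signed in ledger:
        reasons = evaluate(request, signed)
        if reasons:
            report[request.request_id] = reasons
    return report


# Constructed sample ledger (illustrative, not real data).
LEDGER = [
    (Request("PO-1", "alice", "nonrecurring_expense", 3_200),
     [Approval("bob", Role.LINE_MANAGER)]),
    (Request("PO-2", "alice", "nonrecurring_expense", 5_000),  # on the boundary: needs Senior Manager
     [Approval("bob", Role.LINE_MANAGER)]),
    (Request("PO-3", "carol", "vendor_contract_annualized", 48_000),
     [Approval("dave", Role.CEO), Approval("erin", Role.C_SUITE)]),
    (Request("PO-4", "carol", "vendor_contract_annualized", 48_000),
     [Approval("dave", Role.CEO)]),  # one signer for a two-signer tier
    (Request("PO-5", "bob", "nonrecurring_expense", 900),
     [Approval("bob", Role.LINE_MANAGER)]),  # self-approval
]

if __name__ == "__main__":
    for req, signed in LEDGER:
        print(req.request_id, "released" if release_payment(req, signed) else "held")
    print(exception_report(LEDGER))
```

The point of sharing one `evaluate` function between `release_payment` and `exception_report` is that the objective lever changes only when the rule runs, not what the rule is: dial the control toward preventive and the payment run blocks PO-2, PO-4 and PO-5 up front; dial it toward detective and the same three appear on the month-end exception report for management to investigate.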
A growing business faces increased complexity across the organization over time as it employs a larger workforce, processes larger transaction volumes, and handles larger sums or quantities of transactions. As complexity grows, so does risk.
While many companies and executives are aware of the delegation of authority matrix and have a working understanding of its purpose, in my experience, few understand how documenting risk factors and implementing the levers I’ve described can achieve an optimal balance between risk reduction and operating efficiency. Following the approach outlined here will also help to get buy-in from the wider management team and result in greater adherence to any implemented business controls. It can also help to rein in finance teams that may default to a standard control framework that doesn’t take into account the complexity or risk tolerance of their particular company.
As the company grows and decision-making authority begins to extend beyond the core founder group, the importance of this matrix becomes increasingly critical. I recommend implementing a simple version as soon as possible, and it should absolutely be done by the time you start hiring middle and line managers—usually once you have about 50 employees or so. Once your framework is in place, I think you’ll be surprised by how unobtrusive it can be, and how seamlessly it can scale with your needs. Not only that, your company will be better protected from risk, your investors will feel more secure, and your business will be better positioned to thrive. As we have learned—not just from FTX, but Theranos, Enron, and others—growth without guardrails can leave your company wide open to risk—both from within and without.
Further Reading on the Toptal Blog:
- The New Risk Management Playbook: Black Swans and the Rise of Scenario Analysis
- Making Your Software Work for You: An ERP Implementation Tutorial
- Cash Flow Optimization: How Small and Medium Businesses Can Unlock Value and Manage Risk
- Strategic Financial Leadership: 6 Skills CFOs Need Now
- Call to Action: The On-demand Business Model
Understanding the basics
Why are controls important in business?
Business controls, or internal controls, are processes and policies designed to standardize operations, protect the company’s assets, and manage risk. Such risks include financial risk, legal risk, operational risk, and others.
What are some examples of control measures in business?
Business controls can be preventive or detective in nature. A preventive financial control may involve requiring a manager’s authorization for junior staff to make certain purchases. A detective control would allow junior staff to make purchases, but require them to file a report for management to review later.
What is the most common control element?
While it is difficult to say which business control is the most common, virtually every company has—or should have—some type of financial control in place. These could be as rudimentary as reconciling monthly bank statements or limiting who can sign checks.
London, United Kingdom