
Refresh or retire your internal controls?
The question is uncomfortable but necessary. We invest time, energy, and resources in building internal controls, but when did we last review them in earnest? Not to tick off a list, but to ask ourselves the question: do they still protect us, or have they become part of the routine? Organizations change. Systems are replaced. Processes are restructured. The risk landscape shifts. But the controls? They tend to stay put.
What the Code requires, and what it doesn't say
The Swedish Corporate Governance Code sets clear requirements: the board is responsible for formalized internal control procedures, and the corporate governance report must describe how the system works. It's a responsibility that is taken seriously.
But there is a difference between meeting the requirement and fulfilling the purpose behind it. A report can be well organized, the controls documented and signed off, and yet, if they no longer address the risks the company is actually exposed to, they are effectively empty.
The Code doesn't require a maximum of controls. It requires sound internal control. That's a distinction that easily gets lost in day-to-day work.
More controls are not the same as better governance
There's a built-in logic in compliance work that drives us to add rather than remove. But the question is rarely asked the other way around: what does it cost to keep controls that no longer add value?
The answer is more than you'd think. Control fatigue. Less focus on what's material. Lower engagement among control owners. A cluttered control environment can weaken governance just as much as an actual control gap.
Consider the monthly bank reconciliations. They're performed, reviewed, and signed off. Month after month, items pile up with no owner, no follow-up, no action. A strong control should reduce risk exposure and trigger action. If it only produces documentation, it's time to ask: does this control change anything, or does it merely prove that someone completed a task?
Start with the risk, not the control
The most common mistake in a review is to start with the existing controls. That's the wrong starting point. Start instead with the risks: what risks exist today, who owns them, and which risk-mitigating activities address them directly?
When you map controls against clearly defined risks, the overlaps become visible. Organizations are happy to add layer upon layer of controls, but rarely remove them. Removing the overlapping ones is simplification that increases clarity and accountability, not complexity. And the same applies when implementing technology: if you digitize controls as they are, you risk automating what wasn't working in the first place.
Retiring requires as much discipline as introducing
It isn't enough to decide to retire a control in a meeting. It requires documenting why the control was retired, what compensates for it, and clear communication to those who performed it. Without that, the control reappears six months later, because no one knew it had been removed on purpose.
The same goes for exceptions. Those that aren't handled in a structured way are slowly normalized, until they've become part of the culture without anyone consciously choosing it.
Governance is about relevance
Internal controls are essential to an organization's ability to manage risk. But only if they are designed for the reality the organization actually operates in, not the one that existed when they were created. For boards with responsibilities under the Code, the same holds true: it isn't the number of controls that delivers sound internal control. It's their relevance.
Sometimes stronger governance starts with a single, simple question:
Which of our internal controls and activities actually protect us, and which are mostly part of the routine?
This article was originally published in Swedish by FAR. Read the original here.


