February 23, 2026

[Compliance. Curated. webinar recap] Refresh or retire your internal controls

Internal controls are rarely designed to fail. Most were introduced to address real risks, regulatory pressure or governance gaps.

But organizations change. Systems evolve. Processes shift. Risk landscapes move.

So here’s the question we explored in the latest session of Compliance. Curated., our webinar series focused on inspiring risk & internal control professionals:

Do your internal controls still add value – or have they quietly become routine?

Together with Annette Pihlkjær Jensen from PA Consulting and Tim Buckley from Beyond the Lines and Integral Assurance, we discussed how to critically assess your internal control environment and decide what to refresh, redesign or retire.

Here are the key takeaways.

Change is the clearest trigger to reassess controls

One of the strongest signals that a control may no longer be fit for purpose is change.

This often happens when you:

  • Move from manual to automated processes
  • Implement new systems
  • Redesign workflows
  • Restructure teams
  • Receive critical audit remarks

The process changes. The risk profile shifts. But the control often stays the same.

Tim also highlighted that sometimes the risk itself evolves. A control may still be performed and documented, but it no longer addresses what truly matters.

If a control no longer mitigates a relevant risk, it is not protecting you. It is just activity.

Controls should drive outcomes – not paperwork

We discussed a common example: monthly balance sheet reconciliations.

They are prepared. Reviewed. Signed off.

But if reconciling items continue to build up without action, ownership or resolution, what is the control actually achieving?

A strong control should:

  • Reduce risk exposure
  • Trigger action
  • Improve decision-making

If it only produces documentation, it may be time to challenge it.

A simple but powerful question emerged during the session:

Does this control change behavior or outcomes – or does it simply prove that someone completed a task?

Start with the risk, not the control

Many organizations begin optimization by reviewing existing controls. Instead, Annette encouraged participants to start with risk. Ask:

  • What risks do we face in this process today?
  • Who is taking ownership of those risks?
  • Which controls directly mitigate those risks?
  • Are multiple controls addressing the same issue?

When you map controls back to clearly defined risks, duplication often becomes visible. Over time, organizations tend to layer controls on top of each other. Rarely do they remove them.

However, although adding controls is a natural human reaction to assure compliance, more controls do not automatically mean stronger governance.

In many cases, it is actually simplification that increases clarity, accountability and effectiveness.

Regulatory change can be a catalyst – not a burden

Regulatory developments, such as the UK’s Provision 29 requirements, are prompting organizations to reassess principal risks and identify material controls.

This can easily lead to adding more controls.

But it can also serve as a structured opportunity to step back and ask: which controls truly matter?

Change does not have to mean complexity. It can mean clarity.

Key controls are often well documented and well intended. However, a shift towards more continuous controlling also means a shift to prioritizing human validation on exceptions, rather than the norm.

Controls that are performed within normal business hours and scope do not require the same level of scrutiny as controls designed as a reactive activity in response to an issue. Controls and evidence are critical to mitigating risk, but setting a time limit is vital to maintaining a sustainable and balanced control environment over time.

Why retiring controls feels uncomfortable

Letting go of a control is often harder than introducing one.

Risk and control professionals are trained to reduce exposure, not remove safeguards. So retiring a control can feel risky. What if something goes wrong? What if auditors question it?

However, outdated controls carry risks too, such as:

  • Control fatigue
  • Reduced focus on material risks
  • Increased administrative burden
  • Lower engagement from control owners

A cluttered control environment can weaken governance just as much as a gap.

How to get started

If you are considering refreshing or retiring controls, here are practical starting points from the discussion:

  • Use system changes or automation initiatives as natural review triggers
  • Map every control explicitly to a defined risk
  • Identify overlap and duplication
  • Focus on material controls linked to principal risks
  • Instil a joint sense of responsibility for retiring and refreshing what does not work

Refreshing your control framework is not about doing less. It is about doing what matters when it comes to mitigating your organization’s risk.

In a risk landscape that continues to evolve, you cannot rely on a control environment designed for a different time.

Sometimes strengthening governance starts with a simple question:

Which of our controls genuinely protect us – and which are just part of the routine?

If you want to dive deeper into the discussion and hear the practical examples shared during the live Q&A, you can watch the full recording here.
