A Comparison of the Viable System Model and Seven Models of Risk with the Effects of the Sarbanes-Oxley Legislation
A strong need to respond to threats to the credibility of large corporations and their auditors in the wake of scandal led to the passage of legislation focused on controls rather than control. The limitations of this approach are discussed and compared with the more comprehensive perspective of a whole-systems approach. Stafford Beer’s Viable System Model and the Seven Models of Risk published by the Canadian Institute of Chartered Accountants are described. They are compared with one another and found to be compatible. The response to Sarbanes-Oxley, in contrast, has led to a great deal of effort spent on compliance activities and their verification. It is contended in this paper that this is not as effective as a systems approach for constraining error and fraud and for promoting strong ethical values such as transparency and common commitment to shared objectives.
Unfortunately, this drill-down approach focused on the financial statements part by part and did not pay as much attention to creating a positive ethical environment or to addressing the type of entity-level control that asks whether the objectives of the organization are being achieved. Although Sarbanes-Oxley refers to ‘tone at the top’, little in the way of concrete direction was offered to keep it sound except in Section 404. It ‘directs the SEC to require each issuer to disclose whether it has adopted a code of ethics for its senior financial officers and the contents of that code’ and to report any changes in it. The requirement that CEOs and CFOs sign to attest that they stand behind the financial reports and the internal control structure is not unreasonable. But it does seem to have the effect of focusing attention on financial and internal control procedures, with a corresponding lessening in the amount of attention they can give to other matters such as values. It seems to assume that the proliferation of controls will enhance control, but that is not an assumption without risk. The approach focuses on the ‘don’ts’ to constrain fraud and error, but it misses the opportunity to engage people in the ‘dos’, failing to take advantage of the beneficial effect on the control environment of shared purpose and enthusiasm for accomplishing objectives.
Enron and WorldCom would not have happened unless their ethical environments had been seriously polluted. Turning one’s back on one’s values doesn’t necessarily happen overnight. The boiled-frog metaphor is relevant here: if the changes happen incrementally, or because there is a sense that ‘everyone is doing it and we’ll lose if we don’t go along’, an organization can become severely compromised over time.
Compliance-based controls cover control risk and detection risk but do not address inherent risk in the current business environment in a comprehensive or systemic manner. Systemic approaches to addressing inherent risk do exist and have been explored in publications sponsored by the Canadian Institute of Chartered Accountants and KPMG. These approaches, the Viable Systems Model (Beer 1979, 1981, Bradshaw and Leonard, 1993), Seven Models of Risk (Bradshaw and Willis, 1998) and Auditing Organizations through a Strategic Systems Lens (Bell, 1997) take a broader view. Systems approaches may usefully be employed to enhance control, although not at the expense of neglecting controls and the internal control procedures that implement them.
Quite often, a cybernetic model such as the VSM will map a network of feedback loops in which both error-correcting (or negative) feedback loops and trend-enhancing (or positive) feedback loops provide control through information. The analysis would look at what behaviour is rewarded and what is sanctioned, and how that matches up with the values of the ethics guidelines or mission statement. It would look for virtuous circles and how to encourage them, and for vicious circles that should be damped. It would look at how boundaries are drawn around ‘the system’ and what perspectives its different stakeholders have on what is or is not important. Some models, such as six of the Seven Models of Risk, are conceptual, although the conceptual conversations lead to action over time. These models begin in the realm of values to create the conditions and parameters within which events will be anticipated or interpreted. Taken together they complement each other and can engage the organization in a valuable learning process.
The Viable System Model was developed by Stafford Beer based on cybernetic principles, particularly Ashby’s (1956) concept of variety, McCulloch’s (1943) nervous nets and his own work in the steel industry (Harnden and Leonard, 1994). The VSM is an organic model, reflecting on human neurophysiology to determine the criteria for any living system to be viable – that is, capable of independent existence within its environment. It describes the necessary and sufficient conditions of survival for any viable system. The VSM is a recursive model. That is, each aspect of its structure is similarly scaled, nested within more comprehensive systems and with less comprehensive systems nested within it. It distinguishes five management functions that support its operational engagement with its environment. These functions, which it must be stressed are not people, provide different takes on the services management provides and the balance between them. The functions are connected and informed by seven vertical communication channels and two sets of horizontal channels communicating directly with the entity’s present and future environments. For purposes of handling variety through effective regulation, the vertical channels must be able to match the variety generated on the horizontal channels. [See Beer (1985) for diagrams, including some that are explicitly in the public domain.] Each function addresses a different aspect of variety and deals with the type and level of risk associated with its activities.
System One units consist of operations that serve a customer or client, together with the managements that handle those operations and their interactions with their environments. System One management and the other management functions exist to serve these interactions. Each System One unit makes a product or performs a service that is rewarded in the environment. An organization may have a number of System One units and may distinguish them according to different criteria, such as type of business or customer, geographical location, regulatory jurisdiction or cycle time of products. Noting the distinctions made and the assumptions behind them is one way of improving the control environment of that level of recursion and of making sure that operational risk and areas of inherent risk are addressed and that there are no gaps. System One operations communicate with one another, sharing information and sometimes inter-process stocks. Much use of this communication channel is informal. System One operations also monitor communications within their environments to understand what is required of them.
System Two exists to damp oscillations between System One units. It implements routine decisions and protocols that keep System One units from getting in each other’s way. System Two functions include many of the protocols of internal control as well as such services as ‘house style’, safety procedures, routine training requirements, IT protocols and use of common resources. Many aspects of System Two today are automated. Its lines of communication connect to the System One operations and management and to System Three.
System Three makes decisions that look for synergy among the System One units and distributes resources accordingly, making sure that the well-being of individual parts is pursued within the well-being of the whole. Effective System Three management does not permit unhealthy levels of internal competition to get in the way. It communicates directly with System One management along two channels: the command channel and the resource bargaining channel. The command channel is one-way and conveys decisions and requirements. Skilful managements make sparing use of this channel except with regard to legal and regulatory compliance. Two-way communications travel along the resource bargaining channel. In the interests of the whole, one System One unit may receive additional resources to complete a project or take advantage of an opportunity, or, on the other hand, be held back while others catch up or to address more pressing needs.
System Three Star is a special aspect of System Three that delves directly into System One operations to perform an audit function. It includes the financial audit but also may examine other specific factors, such as utilization of space, need for IT upgrades, and patterns of anomalies. It is responsible for addressing audit risk – or the risk that its audit procedures will not be able to detect relevant errors. Some internal control procedures reside here if they are sporadic and specific; continuous control procedures being the role of System Two.
The Systems One, Two, Three and Three Star management functions take care of the ‘inside and now’ of an organization. The control requirements of Sarbanes-Oxley are concentrated here. In neurophysiological terms, we may compare them to the peripheral nervous system, the sympathetic and parasympathetic systems and the brain functions that make up the autonomic nervous system. If the management functions stopped here, the organization (or organism, for that matter) would be able to react to stimuli but would not be able to anticipate or evaluate circumstances as a conscious and reflective entity.
System Four focuses on the future and provides the facility to anticipate. In a typical organization, probes are sent out to see what is new and developing in its fields, new products are developed with their attendant marketing and public relations campaigns, strategic planning takes place and alternative directions are considered. System Four is concerned with the ‘outside and then’. Like the System One operations, it has direct links to the outside environment. The management of System One, and Systems Two, Three and Five, rely on System Four and the System One operations’ connections for their information about the external world. All individuals occupying roles in the VSM do interact with the outside environment. However, they do so either from these contexts or from their participation in these contexts at another level of recursion, down to the level of an individual who is, in that capacity, a customer, a member of the public, and so on.
System Five pulls it all together. Its job is to balance the homeostat between Systems Three and Four, maintain a coherent identity and provide closure. Within this mandate, it may entertain alternatives for pursuing different purposes put forward by System Four in the context of its identity. It sets the ‘tone at the top’ and is where the organization’s culture, values and reason for being are expressed. System Five is sometimes described as providing normative control. An alarm channel, called the algedonic signal (from two Greek words meaning pain and pleasure), may arise anywhere in the organization but goes straight to the top, overriding all usual protocols about how and when information is shared. It marshals all of the resources of the organization to avoid an immediate threat or seize an opportunity.
Systems Three, Four and Five together comprise the metasystem that exercises oversight and direction over the ‘inside and now’ of Systems One, Two and Three. In turn, it constitutes the management of a System One unit at the next higher level of recursion. One way of making a distinction between the One/Two/Three and the Three/Four/Five is to think of the difference between doing things right, which is the ‘inside and now’ business of the system, and doing the right things, which is the business of the metasystem. Sarbanes-Oxley requirements focus on known sources of risk and uncertainty in the One/Two/Three domain. Indeed, the presence of control procedures indicates that sufficient familiarity with the situation exists to establish routine means for dealing with it. Such procedures do not and cannot respond to emerging changes or novel threats.
Roles in the metasystem are difficult for many people in an organization to play, especially as individuals often perform more than one of the functions of the VSM. Beer (1984, p. 19) discussed problems at this level as a pathology diagnosed by the model. He cited circumstances where people who were supposed to be acting in Systems Four and Five became distracted by events and reverted to their familiar activities of managing System Three (from which they have usually been promoted) and System One. Beer compared organizations whose metasystem had collapsed with a decerebrate cat that
“responds reactively, from the autonomic control centres at Three, and is incapable of planning and foresight (Four) and will and judgement (Five). But, it will react to prods by a reflexive kicking back …”
When planning, foresight, will and judgement take a back seat to the here and now and to short-term management, the control environment suffers. New sources of uncertainty and risk will always arise in an increasingly complex business world, but they cannot be addressed unless they are recognized. If the capacity to reflect on policy and consider future alternatives receives little attention, an organization may begin to react like a decerebrate cat. Requiring personal attention from the board and top executives to the veracity of reports and the effectiveness of internal control procedures does not extend their capabilities in the strategic and normative domains and may effectively diminish them.
Of course, it doesn’t have to be that way. For some organizations that badly needed to update their internal control procedures to contain present variety, it was a timely wake-up call. Other organizations used the requirement to comply with Sarbanes-Oxley to re-examine and redesign their internal control environment and made themselves more efficient and effective. But if the word on the street is reliable, for many it was a costly exercise in rearranging the internal control furniture. It did little to address the source of the problems, which had more to do with a breakdown in values – a culture of greed and arrogance among some and somnambulant complacency among others. This is a failure in Systems Four and Five. People attempting to commit fraud already know that their behaviour is against the law. Especially if they occupy high positions in the organization, they may simply be able to exploit gaps in the control system or override it altogether.
The CICA’s Criteria of Control Board researched and offered guidance on matters of control, risk and governance to help organizations achieve objectives. Its first publication, Guidance on Control (C.I.C.A., 1995) introduced a framework that came to be known as the CoCo Model. It links four aspects required for control.
Depending on the situation, each of these four elements may be subdivided; for example, capability might be divided into personnel, equipment, finance, information and access to markets, or some other breakdown. The Seven Models of Risk provides a different framework, one that places greater emphasis on values and on the self-reflective work needed to take control to a more comprehensive level.
The CICA publication “Learning about Risk: Choices, Connections and Competencies” (Bradshaw and Willis, 1998) discusses approaches to control and to risk identification and assessment that go beyond traditional approaches. It puts forward seven models of risk for consideration. These models make the assumption that the external world will always generate risk and uncertainty. What is within the control of the organization is to strengthen its own capability to respond. Flexibility, self-knowledge and transparency are among the qualities deemed to be necessary. These are the Seven Models.
Strategic choices are where decisions are made about what opportunities to pursue and how the risks associated with them are managed. These are typically the alternatives explored by System Four that lead to decisions made within the VSM’s Three/Four/Five metasystem.
Operational risk and control choices address the risks that can be ‘prevented, detected, corrected and managed through effective systems of internal control.’ These form the majority of traditional risk management activities and are the ones most clearly addressed by the Sarbanes-Oxley requirements. In the VSM, some of these controls are built into the communications between the operations and their current environments, within and between the operations themselves and with their System One management. Most of the rest are handled along the lines of communication with System Two, with excess variety mopped up by System Three Star.
Crisis choices are the decisions made in decisive moments following (or sometimes before) a catastrophe that mitigate or compound its effects. These choices may be prepared for and practised within System Two if System Four has run scenarios and designed procedures for responding to catastrophe or breakdown. However, this function draws heavily on the values and culture embodied in System Five. One important aspect is that the algedonic, or alarm, channel of communication in the VSM must be in good working order so that people in a position to make decisions for and speak on behalf of the organization can be contacted immediately if something serious occurs. Organizations win praise for the sensitivity and efficiency of their response to a catastrophe or, conversely, suffer a loss of reputation for a clumsy or self-serving one.
Resilience and survival choices are the steps taken to prepare for the possibility of a catastrophe or sudden change, such as holding cash reserves, backing up computer systems, making security plans and developing robust, redundant communication channels and skill sets. Again, these choices are made by Systems Three, Four and Five but are implemented by System Two and the System One operations. System Three Star may periodically check that these provisions are being followed and are up to date.
Leadership choices set the tone at the top and throughout the organization at all places where leadership exists. Attitudinal factors like openness to challenging assumptions, willingness to value and learn from mistakes and listening to a range of stakeholder perspectives determine how the leadership of an organization handles risk. These are essentially System Five choices, with the proviso that a healthy System Five will display itself among many individuals and at many levels in the organization.
Choosing to be aware stimulates the process of gaining knowledge of oneself and others. It involves being perceptive about sources of uncertainty, whether they arise from external events or internal constraints. In practical terms, choosing to be aware may involve questioning one’s own assumptions, strengths and weaknesses, or making sure that there are communication channels and protections available to whistle-blowers. Choosing to be aware, with its self-reflective mode, arises in a System Five context and is implemented throughout the organization on both its vertical and its horizontal communication channels. This model of risk directly engages the question of variety. It asks ‘if something is happening, will we know about it, and know about it in time?’ and ‘will we have the inner as well as the outer resources to rise to the challenge?’ Choosing to be aware also involves making sure that the algedonic (or alarm) channel of communication is robust and inclusive.
Intuition and the choice to deny or act may mean the difference between survival and disaster. Intuition is capable of instantly seeing patterns in our subconscious that indicate that something is not right and can do so far more quickly than can our rational processes. Its signals may not always be urgent but are never without foundation. As individuals, we have experienced hunches that have led us to hesitate or pull back before we are quite sure what we have perceived. Sometimes we have listened and avoided trouble, sometimes we have not and experienced the consequences. Individuals can and should hone their intuitive capacities, but organizations can and should as well.
An approach to control that takes most of its impetus from the Sarbanes-Oxley legislation is likely to come up short with respect to the six non-operational Models of Risk and the System Three/Four/Five metasystem of the VSM. And although the purpose of the legislation was to protect investors and shore up confidence in the business community, the needed improvements can only come from a renewed emphasis on values throughout the organization. Too many people and too many organizations have skated close to, and sometimes over, the line of ethical behaviour. Globalization has made it possible for manufacturing and service industries to ‘shop around’ for the lowest costs and regulatory standards and the highest profits. While this behaviour is condoned in the market economy, it also splashes back to erode ethical standards at home and to transfer consequences to a public sector that may not have the resources to pay its costs. An appreciation of the Viable System Model and its higher levels of recursion leads one to the conclusion that in local, national and global economies, viability must be available to all or the viability of the whole is at risk. An appreciation of the Seven Models of Risk invites us to look within as well as without for answers about dealing with risk and uncertainty. Both remind us that we, and our organizations, are whole systems existing in and dependent on the larger systems in which we are embedded. Requisite control will keep that in mind.
References
Ashby, W.R. (1956) Introduction to Cybernetics. London: Chapman & Hall.
Beer, S. (1979) Heart of Enterprise. Chichester: John Wiley & Sons.
Beer, S. (1981) Brain of the Firm, 2nd ed. Chichester: John Wiley & Sons.
Beer, S. (1984) ‘The Viable System Model: its provenance, development, methodology and pathology’, Journal of the Operational Research Society, Vol. 35, No. 1, pp. 7-25.
Beer, S. (1985) Diagnosing the System for Organizations. Chichester: John Wiley & Sons.
Bell, T. et al. (1997) Auditing Organizations through a Strategic Systems Lens. New York: KPMG Business Management Press.
Bradshaw, W. and Leonard, A. (1993) Assessing Management Control: a systems approach. Toronto: Canadian Institute of Chartered Accountants.
Bradshaw, W. and Willis, A. (1995) Learning About Risk: Choices, Connections and Competencies. Toronto: Canadian Institute of Chartered Accountants.
Canadian Institute of Chartered Accountants (1995) Guidance on Control. Toronto: C.I.C.A.
Harnden, R. and Leonard, A. (1994) ‘Towards the Cybernetic Factory’, in How Many Grapes Went into the Wine: Stafford Beer on the Art and Science of Management. Chichester: John Wiley & Sons, pp.
McCulloch, W.S. and Pitts, W. (1943) ‘A Logical Calculus of the Ideas Immanent in Nervous Activity’, Bulletin of Mathematical Biophysics, Vol. 5; reprinted in Collected Works of Warren S. McCulloch. Salinas, CA: Intersystems Publications, 1989, pp. 343-361.
Sarbanes-Oxley Act of 2002. Public Law 107-104, July 30, 2002.