Synopsis

All organizations use human approvals as a key control in their processes. But sometimes the sheer volume of requests an approver must handle defeats the purpose of the control. If the volume is large, rejections are rare, or the approval itself is delegated, it may show that the control is ineffective. An optimum number is around 5 per day for an approver. Educating requesters about their performance, providing approvers with specific contextual information, automating the approval process, and being sensitive to the volume during new process design can make approvals effective and painless.

The Study

In most of the business processes we have audited, we have observed that one of the key controls is an approval by a human being. This can either be a checkpoint where the process cannot proceed to the next step without an explicit ‘green signal’ or can be a notification of the progress. Some examples are PO approvals, approvals for non-PO invoices, discount approvals and RMA approvals.

In a typical complex modern organization, there may be a large number of applications that require a human approval as a control.  Approval notifications are sent to approvers as an email with very little context or information for them to take a decision.

The question we have asked ourselves and our clients is whether approval by a human is an effective control. There is no doubt that the looming shadow of someone verifying and approving your work does make you want to get it right the first time and dissuades you from bending the rules. But using human approvals as a reliable control may not be a good solution.

Measures for the effectiveness of human approval as a control

The following may be some indicators of the health of the approval system.

  • The number of approvals a person must do on the worst approval day. The more the number, the less effective the control.
  • The average number of approvals required from a person on any given day. Again, the higher the average, the lower the effectiveness.
  • What percentage of approvals are rejected? A small number of rejections could mean that due diligence is missing, and too many rejections could be a symptom of a broken process.
  • How many senior executives have delegated the approval to their admins? Obviously, this is an indication that the approvals themselves may be inconsequential.

Some typical observations and conclusions during our business process analysis are below

So, can human approval be a key control?

If the approval notification does not have all the information necessary to take the decision, and the approver must consult other sources, we think that it would be difficult for an approver to approve more than 5 a day. Over this number, the effectiveness may start to decline.

“Many approvers go through 100s of approvals and a whole year without a single rejection.”

If there are no or very few rejections, due diligence may be missing, or the control is most likely redundant.

If both of the above are true, it is a strong indication that the approval’s effectiveness as a control is compromised.
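
The indicators listed earlier and the two-part test above can be computed directly from an approval log. The following is an added example, not part of the original article: the log format, the field names, the choice to average over days with activity, and the 1% cut-off for "very few rejections" are assumptions; the limit of 5 per day is the article's figure.

```python
from collections import defaultdict
from datetime import date

# Constructed sample log: (approver, acted_by, day, decision).
# acted_by differs from approver when the approval was delegated.
LOG = (
    [("cfo", "cfo_admin", date(2024, 3, 4), "approved")] * 12
    + [("cfo", "cfo_admin", date(2024, 3, 5), "approved")] * 8
    + [("mgr", "mgr", date(2024, 3, 4), "approved")] * 3
    + [("mgr", "mgr", date(2024, 3, 5), "rejected")]
    + [("mgr", "mgr", date(2024, 3, 5), "approved")] * 2
)

DAILY_LIMIT = 5         # the article's "around 5 per day"
MIN_REJECT_RATE = 0.01  # assumption: below this counts as "very few"

def approval_health(log, daily_limit=DAILY_LIMIT, min_reject=MIN_REJECT_RATE):
    """Return the health indicators per approver."""
    per_day = defaultdict(lambda: defaultdict(int))
    totals = defaultdict(lambda: {"n": 0, "rejected": 0, "delegated": 0})
    for approver, acted_by, day, decision in log:
        per_day[approver][day] += 1
        t = totals[approver]
        t["n"] += 1
        t["rejected"] += decision == "rejected"
        t["delegated"] += acted_by != approver
    report = {}
    for approver, t in totals.items():
        counts = per_day[approver].values()
        avg = t["n"] / len(counts)  # assumption: average over active days
        reject_rate = t["rejected"] / t["n"]
        report[approver] = {
            "worst_day": max(counts),
            "avg_per_day": avg,
            "reject_rate": reject_rate,
            "delegated_share": t["delegated"] / t["n"],
            # Both conditions true: volume over the limit AND almost no
            # rejections, so the control is likely compromised.
            "compromised": avg > daily_limit and reject_rate < min_reject,
        }
    return report

if __name__ == "__main__":
    for name, row in approval_health(LOG).items():
        print(name, row)
```
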

What is the solution?

Some changes to the way approvals are designed can make them more effective and efficient.

  • Make requesters self-aware. For example, explain a policy to them and ask them to self-approve if the request deviates from the policy. Create a dashboard where they can monitor their performance (overall or on policies) and compare it with their peers.
  • Design the approval notification so that all the necessary information, or links to it, is included in the communication. Highlight exceptions to the policy. Attempt to design the notification in such a manner that the approver can take a data-driven decision in a couple of minutes.
  • Spread the approval burden around.
  • Automate some approvals using a rule engine, especially those originating from outside the organization, for example a request for an additional discount. This will give an impression to the requester that a human control is in place. Occasionally, pick some requests randomly and manually approve them. Build some post-mortem analysis to detect misuse or abuse.
  • As a part of the process design, try to forecast the number of approval decisions the controls in the process would create, and make sure that the approvers have the capacity and capability to do them. Also, bake in some of the above-mentioned solutions while implementing the process.

Conclusion

Human approval controls are effective only if they are used selectively. Keep the volume small, and provide contextual information to make the decision easier. Approvals need not be hell if they are designed and implemented thoughtfully.