Master the Art of Business
A world-class business education in a single volume. Learn the universal principles behind every successful business, then use these ideas to make more money, get more done, and have more fun in your life and work.
There’s another simple and effective way to prevent potential misconduct. Limited Authorization is a straightforward principle: it’s best to limit each individual’s ability to act in areas that are outside the scope of their responsibilities.
If access to an asset or authorization isn’t required or necessary, it should be withheld by default. If access or authorization is needed in special cases, it should be granted on a temporary basis and in a way that preserves Segregation of Duties by requiring more than one person to authorize the action. The fewer the people capable of authorizing a payment from the business’s bank account, the lower the likelihood of inappropriate payments, and the easier it is to identify bad actors, fraud, or security breaches.
This principle is useful outside of financial controls. Imagine a software company that grants all of its employees and contractors complete, unlimited, and unsupervised access to its software systems. There might be advantages to doing this: everyone in the company would have the ability to fix or improve any aspect of the system at any time. There is, however, a severe risk inherent in this approach: everyone in the company would also have the ability to break any part of the system at any time.
In the worst case, a disgruntled employee or contractor would be able to shut down the system, access sensitive information, alter critical data, or delete backups and Fail-safes in a way that would make recovery impossible. There’s also nothing preventing a well-meaning employee or contractor from accomplishing the same thing by accident. If any of those things happened, it would cause severe damage, up to and including the potential bankruptcy and closure of the company.
Granting authorization is an exercise in balancing Friction and Cognitive Switching Penalties against risk: there’s a Middle Path between granting too much access and granting too little. Authorization is something that should change over time on the basis of Trust, Earned Regard and current responsibilities.
"Folly is often more cruel in the consequence than malice can be in the intent."
George Savile, First Marquess of Halifax