) Firearm company executives and owners invest time preparing business plans, financial forecasts, inventory needs and other tools used to run the business. Whether or not they use these tools internally or present them to third party bankers or board members, they become targets for expected performance. Deviations from expected performance, or “surprises,” come at a cost, as we all know. In this industry, they can include quality, customer satisfaction, and liability costs. And, in some cases, surprises pose a serious risk to the longevity of our golden goose – the Federal Firearms License (FFL). Internal Controls attempt to reduce the risk of surprises by: (1) Providing training/education and clear guidance (Directive Control); (2) Assessing the results (Detective Control); and (3) Reducing the ability to deviate from an intended output (Preventative Control). Internal Controls In Action
Every business leader has an obligation to ensure that the objectives of Safety, Quality, Compliance and Profitability can be achieved on repeated basis. That is, to expect the same result each time with little worry. So, how do they make that happen? The following is a list of three common internal control types used to achieve a business outcome. You will see that the strength of the control varies by type, but all are necessary and play an important role in achieving desired results. Table 1 – Internal Control Types Control Type Strength Description
Directive Weakest Directive controls are “instructions” that are typically found in policy documents and trainings. They are a critical part of a control environment but ideally would not stand-alone absent a Detective or Preventive control. They do little to forcefully stop something negative from happening. Detective – Detective controls are the second strongest type of control. They are deployed to monitor low-risk negative events that can be corrected after-the-fact without concern. Detective controls work well in conjunction with Directive and Preventive controls as a secondary measure. Preventive Strongest Preventive controls are strongest and seek to stop an unwanted event from ever occurring. In many cases, prevent controls are system-based and physically (or technically) will not allow an individual to execute an action incorrectly. Preventive controls are not always possible and sometimes the user must rely on a combination of Directive and Detective controls. Organizations with a less formal operating environment drive operational execution with Directive (or policy-based) controls only. They tend to be the same organizations that are surprised by inspection violations, product recalls and lower margins. On the contrary, organizations with a more mature control environment benefit from a balanced control environment which can often provide a financial return. This often comes in terms of lower operating costs, better expense control, reliable compliance and quality. Who wouldn’t want to make more money, pass their regulatory inspections and sleep well at night? In the following table, we provide real examples from the firearms industry. Table 2 – Firearm Industry Internal Control Examples Objective Directive Control Detective Control Preventive Control
Safety Policy requires serial engraving machines to be turned off during maintenance. Shift Supervisor patrols the floor during maintenance periods to monitor safe behavior. Lock-out-Tag-out prevents the operation of a serial engraving machine during maintenance. Compliance Policy requires receiving clerk to validate serial number before Acquisition. Audits are performed daily, weekly or quarterly to identify firearms that were received but not Acquired. System will not permit receiving clerk to Acquire without a four-way match: -Electronic Manifest -Serial Number Scan -Serial Number Hand Key -Purchase Order Profitability Policy requires three bids prior to the selection of a receiver camo coating firm. Purchasing and Product managers meet to review trended purchasing costs and identify outliers. System requires three bid prices to be entered before a Purchase Order can be generated. Look at the “Directive Controls” shown above. Would the controls (alone) be enough to prevent
the wrong thing from occurring? How many times have you used the statement, “we told them that’s not correct, but it keeps happening. The policy clearly states that Acquiring within 7 days is a requirement and that duplicates are not allowed.” Just remember, achieving your objectives starts
with training and policy. But reliance in this manner alone can significantly increase your risk and operating costs. The Cost To-be and the Cost Not-to-be (controlled…)
You might ask, what would a robust control environment cost? Not necessarily that much. The keys to an effective control environment are: (1) balance; and (2) forethought. That is, applying the right combination of Directive, Detective and Preventive controls to the level of risk that you seek to mitigate. A system-based preventive control is not needed in every situation. For example, complying with ATF Ruling 2010-1 (Temporary Assignments) is very important. And, you want to make sure that employees only borrow firearms for bona fide business purposes. But, how much should you invest in a control that forces the employee to return the bona fide loan on the 6th day rather than the 7th? Do you need a prevent control here? Or even a monthly detective control? Or, can you rely upon a system generated report every 90-days that identifies those employees who aren’t following the rules. Alternatively
, you might seek to invest far more in a system-based preventive control that absolutely stops the likelihood of producing a duplicate serial number. You might also ask, what is the cost of NOT
implementing controls. Answer these questions to yourself, privately.
- How much did your last recall cost the company?
- How much labor did you expend trying to research and (legally) correct 4473 errors?
- How much do you spend correcting and re-shipping products associated with a Wrong Gun in Box? Did you suffer any reputation damage?
- How much did you pay that law firm to assist you with your license revocation?
- How much did it cost you to scrap products with mistakenly errant markings?
The following few examples compare various control options and the potential impact to the company. You will notice control operation in a regulated industry often impacts more than one objective at the same time (i.e., Profitability vs Compliance). Finding the appropriate balance is the key to a well run Company. Example #1 – Objective: Profitability and Compliance. You want to find a less expensive vendor/ supplier.
Example #2 – Objective: Profitability, Quality and Compliance. High-dollar laser machines are installed to increase production efficiency, marking quality and compliance.
- Control 1: Policy requiring buyers to contact compliance before making changes that could drive non-compliance with ATF issued variances.
- Control 2: System will not allow a purchase order to be generated from a newly created supplier until compliance conducts a background check and releases the system vendor block.
Example #3 – Objective: Compliance. New employees are hired and put to work at the cash register, selling firearms.
- Control 1: Paper logs are used to record serial numbers used in sequence, requiring sign-off by employees (User access still permits manual entry of serial number to engraver of laser).
- Control 2: System feeds the next available, unused serial number to laser. Optical scanner validates the serial number upon application rendering it “used” in the system. User access prevents override.
Example #4 – Objective: Profitability and Compliance. Distributor installed a new computer system to make dealer orders more efficient.
- Control 1: Policy requires a thorough review of 4473 forms before the customer leaves the dealer.
- Control 2: Employee is trained on firearm regulations prior to working the register. System prevents employee from logging into the eForm 4473 application until the store owner has reviewed the results of their day one training quiz.
- Control 1: Policy requires a certified copy of the FFL in-hand before order may be placed.
- Control 2: Employee must scan the FFL into the system. The FFL number is keyed in by the employee and the data entry is validated by the software against the ATF’s EZ-check database.
If you have questions about aligning operational execution with your strategic objectives, contact Orchid Advisors
. We are the only management consulting firm dedicated to the firearms industry and experts in firearms industry operations.