Control Decay
Control Decay (n.) The gradual weakening of risk controls as the organization grows and changes around them.
Explanation
Controls are designed for a specific context. The business grows. New products launch. New channels open. The controls stay the same. Gaps appear where new activity meets old rules.
Operational Example
A payment fraud control was designed for card-present transactions. The company launches an online channel. The control does not cover card-not-present transactions. Online fraud grows unchecked for a year.
Why It Matters
Control decay is invisible until a loss event reveals the gap. By then, the gap has been exploitable for months or years.
What Most Teams Get Wrong
They set controls and forget them. They do not review controls when the business changes.
What Strong Teams Do Differently
Review controls every time a new product, channel, or process launches. Map controls to current risk, not historical risk.