Written by Erick Schaefer, Diego Garza, and Santiago Jiménez
Governance Without Bureaucracy: The New Internal Control for Growing Business Groups
The Growth Challenge
When a business group expands — whether by incorporating new business units, expanding its geographic footprint, or integrating corporate functions — the complexity of its management increases significantly. Decision-making is no longer concentrated in a single CEO or within the close circle of founding partners; it now involves multiple companies, boards, and committees with different levels of authority.
In this context, there arises a need to establish a control system that ensures all companies within the group operate in alignment with a common strategy, manage risks consistently, and uphold standards of transparency and accountability. However, designing such a system is not straightforward: each business unit has its own distinct realities, varying levels of maturity, and its own priorities. The challenge lies in building a governance structure that provides order and control without eliminating the flexibility that keeps the group’s companies competitive.
Governance is the mechanism that articulates how decisions are made, how performance is monitored, and how each company is kept aligned with the group’s shared purpose. In practice, this translates into defining how information flows, who approves what, and under what criteria.
As the group grows, this balance becomes increasingly difficult to maintain. If internal control becomes too rigid, the organization slows down: decisions take too long, opportunities are missed, and operational teams become frustrated. But if control is weak or ambiguous, risks multiply: unsupported decisions arise, financial deviations occur, conflicts of interest emerge, and execution becomes inconsistent across companies. Finding the middle ground is key for any expanding group: enough control to ensure order and traceability, without that control becoming an obstacle to operations.
In holdings or conglomerates where corporate functions (finance, procurement, legal, HR, or technology) must support multiple companies with different realities, this tension is even more visible. The strategic question becomes unavoidable: how can the group operate with discipline and control without sacrificing its speed of execution or the autonomy of each business? That balance between control and efficiency is at the heart of the concept explored in this article: governance without bureaucracy.
Governance Without Bureaucracy
Governance in a business group goes beyond creating rules or hierarchical structures; its true purpose is to ensure that decisions are made with reliable information, that risks are under control, and that all companies in the group operate aligned with a shared purpose. However, when growth accelerates and control mechanisms fail to evolve at the same pace, many organizations fall into an excess of sign-offs, reports, and meetings. What is intended to bring order ends up generating the opposite: slow processes, unclear roles, and decisions trapped in hierarchy. This phenomenon, known as bureaucratic governance, erodes the agility that originally drove the group’s growth.
Among the most common mistakes observed in these structures:
Duplicated or poorly defined functions: this occurs when both the corporate entity and the operating companies assume similar responsibilities — for example, two procurement teams validating the same purchase order — generating rework, wasted time, and confusion over who has the final word.
Conflicts of interest or cross-dependency: such as when an operational manager reports simultaneously to the business unit director and to a corporate management team with different objectives, leading to contradictory or diluted decisions.
Sequential and physical sign-off flows: cases where a contract or payment must pass through multiple printed signatures or confirmation emails, delaying by weeks decisions that could be resolved in hours.
These dynamics not only affect efficiency, but also team morale and the group’s ability to respond quickly to market demands. The solution is not to eliminate controls, but to redesign them so they are proportionate to the risk and executed in an agile, digital manner.
Governance without bureaucracy rests on five key principles, aimed at maintaining control without losing momentum:
Clear and simple processes: Control does not depend on how many steps exist, but on whether each step has a clear purpose. For example, establishing spend policies by threshold and automating their approval in the system can replace dozens of manual authorizations. A well-designed flow allows teams to operate with confidence and enables executives to focus their time on strategic decisions.
Well-defined roles without duplication: Every function must have clarity on what it decides, what it executes, and what it oversees. Tools such as RACI matrices or authority limits help prevent the same activity from having two owners or none at all. In practice, this avoids conflicts between the corporate entity and business units, ensuring each exercises control within its own domain.
Smart and automated controls: Not every control requires a signature. Workflow systems, compliance dashboards, and automatic alerts make it possible to maintain visibility without slowing down operations. For example, a dashboard showing in real time which contracts are pending approval replaces the need to send dozens of weekly emails or reports.
Dynamic governance: Control mechanisms must evolve alongside the group. What works in a small structure can become unsustainable as the number of companies and management layers grows. Reviewing critical processes annually and adjusting roles or workflows according to the group’s maturity keeps governance relevant and alive.
Recognized and adaptable methodology: Adopting frameworks such as COSO or ISO 31000 provides structure and legitimacy, but their real value emerges when adapted to the operational context. For example, applying COSO’s continuous control and monitoring principles without replicating the full documentation burden allows organizations to balance formality with practicality.
In short, governance without bureaucracy does not mean less control — it means better control. It is a model where information flows, responsibilities are clear, and oversight mechanisms are integrated naturally into day-to-day operations. When governance functions as a support system rather than a bottleneck, the group can grow with confidence, agility, and order.
Internal Control Systems
Several internal control systems can be implemented in an organization to ensure operational security and efficiency. The most widely known and used models include COSO (Committee of Sponsoring Organizations of the Treadway Commission), COCO (Criteria of Control), COBIT (Control Objectives for Information and Related Technology), ISO 31000, and MICIL (Integrated Internal Control Model for Latin America).
COSO is the most widely recognized and globally adopted internal control framework. It provides an integrated and comprehensive structure for designing, implementing, and evaluating internal control. It focuses on three main objectives: operations, financial/operational information, and compliance. The framework includes five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring. This framework seeks to provide reasonable assurance while achieving organizational objectives.
COCO is a similar system, viewed as an evolution and simplification of COSO — more flexible, conceptual, and criteria-based rather than rule-driven. Unlike COSO’s five components, COCO focuses on 20 criteria grouped into four elements (Purpose, Commitment, Capability, and Monitoring and Learning). It emphasizes action and purpose, and is a good alternative — more agile and straightforward — that may be ideal for smaller or less complex organizations.
COBIT is a framework with a stronger focus on the governance and management of information technology (IT). Unlike the previous frameworks, COBIT specializes in ensuring that information technologies are aligned with business objectives, that related risks are managed, and that technology resources are optimized. It provides detailed guidance for the governance and management of information and technology assets.
ISO 31000 is a standard issued by the International Organization for Standardization that provides principles and guidelines for risk management. It serves as a universal guide applicable to any type of risk in any organization, regardless of size or industry. One of its key advantages is its flexibility, as it allows organizations to adapt risk management principles to their specific needs.
MICIL is a framework adapted to the particularities and needs of the Latin American context. It places greater emphasis on ethical principles and the values of personnel, serving as a practical support tool for managers of organizations of various sizes in the region. It seeks to integrate international best practices — such as those from COSO and COCO — into a more accessible and culturally relevant framework for Latin America.
Below is a comparative table summarizing the main characteristics, advantages, disadvantages, and applications of the internal control systems mentioned above. This can serve as a reference for selecting the most appropriate approach based on the organization’s needs.
Having an adequate internal control system is essential to ensure that an organization operates with efficiency, transparency, and accountability. Various models can be adapted to the size and needs of each organization. Implementing one of these systems not only strengthens management and compliance, but also provides leadership with a reliable foundation for making strategic decisions and fostering an organizational culture oriented toward control, continuous improvement, and confidence in internal processes.
Success Story: Process Redesign and Control Tools
A construction company faced the challenge of growing as a group without losing visibility or slowing down operations. To address this, a comprehensive solution was designed around two workstreams, with the goal of establishing reliable controls that simultaneously streamlined the work of functional teams.
For the first workstream on internal control, various frameworks and systems were analyzed to address the company’s specific challenges. The decision was made to work with the COSO framework due to its international recognition and its integrated, adaptable structure, which allows risks to be addressed in a holistic manner.
First Workstream: Internal Control with the COSO Framework
The first step was to work on internal control and risk management using the COSO framework, which is based on five fundamental elements:
Control Environment: The first element involved establishing the organizational culture that would shape how decisions are made. In practice, this meant defining clear policies, aligning leadership around the company’s values, and reinforcing the importance of making decisions with transparency and in line with strategic objectives. When teams have a clear understanding of how the company operates, controls stop feeling like administrative burdens and become a natural part of daily operations.
Risk Assessment: A critical step for identifying where the most vulnerable points in operations lay. Key activities across business units were analyzed and prioritization exercises were carried out: What happens if this process fails? What would be the impact on finances, customers, or operations? This assessment allowed the team to focus control resources on the most impactful processes, avoiding excessive controls in low-risk areas.
Control Activities: Translated into practical mechanisms for reducing risk: from clear authorization policies and defined approval levels to the integration of automated validations in systems. The goal was not to add unnecessary steps, but to ensure that each control had a real purpose and reduced the likelihood of errors.
Information and Communication: The focus was on ensuring that key information reached the right person at the right time. This involved implementing clear reporting through integrated indicator dashboards and establishing more agile communication channels between departments. The objective was to make decisions based on results rather than perceptions or isolated reports, ensuring that decisions are made with reliable information shared across the relevant areas.
Monitoring: Understood as the ongoing capacity to review whether controls are functioning properly. Rather than waiting for annual audits, periodic review mechanisms were established with internal owners capable of adjusting processes on the fly. This makes controls dynamic: if something isn’t working, it gets corrected before it becomes a larger problem.
This first workstream laid the foundation for clarity on what needed to be controlled and how — with a structured methodology that gave leadership confidence across each business unit. This is how one key process, the Project Closeout, went from being an operational headache to becoming more efficient and less demanding in terms of human effort.
Before the redesign, Project Closeout relied on informal follow-up through emails, phone calls, messages, and local Excel files. This led to lack of visibility, lost deliverables, duplicated efforts, and delays in the final validation needed to confirm a proper project closing. Through the practical application of COSO framework principles, a more orderly control environment was established where each company and department knew exactly what to deliver, when, and under what conditions — all through control mechanisms such as RACI matrices and compliance dashboards.
Risk assessment identified critical points in the process, such as document loss and the accumulation of deliverables without designated owners. From this, controls were designed to allow proactive tracking of each project closeout across the different stages of the process. Additionally, a single communication and monitoring channel was established through a central collaborative platform where each responsible party can check their progress and the overall status of project deliverables.
The result was a Project Closeout process with greater traceability and transparency. What was previously resolved in the final days of a project is now managed from the very start, with deliverables aligned to the construction schedule and controls that ensure timely and proper completion. This case clearly illustrates how combining a culture of control, risk management, and effective communication can transform the way work is done — shifting from complex, reactive processes to ones that are more organized, agile, and efficient for all teams involved.
Second Workstream: Operational Process Redesign
The second workstream was key to transforming how the group operated day to day. If the first workstream (COSO framework) provided structure, this one provided fluidity. It involved redesigning the operational processes of five business units to make them more efficient — eliminating tasks that slowed operations and leveraging technology to free up time and capacity. The objective was to rethink how departments collaborate, make decisions, and use information to move faster and with less friction.
The starting point was a detailed process mapping — from planning to execution — which allowed every step to be visualized and the flow of work between departments to be understood. Teams were so accustomed to their way of working that they didn’t realize the unnecessary or duplicated steps they were performing. It was only when the process was laid out in a visual flow map that bottlenecks and friction points became apparent.
Once those areas for improvement were identified, an inefficiency diagnostic was conducted, analyzing activities that added no value, repeated approvals, idle time between steps, or tasks being performed twice across different departments. The focus was on distinguishing between what truly generates value and what simply slows operations down.
With that foundation in place, the process redesign phase began — aiming to make processes clearer, faster, and easier to execute. This involved reorganizing work sequences, defining who decides what, and consolidating dispersed activities. The goal was not to have shorter processes, but smarter ones — where people can focus on what matters and let technology handle the rest.
Before implementation, a critical step was taken: technology integration and intelligent automation. This involved evaluating in which processes it made sense to incorporate digital tools, artificial intelligence, or automated workflows to eliminate manual tasks. For example, flows that notify responsible parties when an activity is ready to move forward, or bots that consolidate data into reports without human intervention. These solutions — while straightforward — can achieve levels of automation that previously seemed reserved for companies with much larger infrastructure.
In some cases, generative AI was evaluated for creating executive reports or classifying operational incidents, as well as process automation tools for repetitive operations. The key principle was to keep technology at the service of people — not adding complexity, but rather simplifying the day-to-day operational workload for the team.
Phased implementation plans were established to lay the groundwork. A common mistake in process redesigns is trying to change everything at once, which generates resistance and confusion. In this case, the implementation plans were structured in stages, starting with pilot programs in key processes to fine-tune details before a full rollout. This allowed teams to adapt progressively, build confidence in the new way of operating, and experience the benefits firsthand in their daily work.
The expected result is a more agile operation: less rework, less idle time, and greater coordination between departments. By eliminating duplicated steps and leveraging technology, internal capacity is freed up — enabling more efficient operations without the need to add more headcount or infrastructure.
In the case of the Project Closeout process, the redesign standardized the complete sequence — from physical progress validation to formal project release — integrating contract information, estimates, and deliverables into a single workflow. Previously, each department managed its own controls, generating rework and delays. Now the process runs on a unified platform with automatic alerts, defined owners, and a real-time tracking dashboard showing the status of all pending items. Additionally, the Field Orders process was digitized using technology tools, allowing scope changes to be formalized directly in the system — providing full traceability from the initial request through final approval. These tools automatically link orders to the budget, contract, and construction schedule, so any change made in the field is recorded in the system. Approval workflows with maximum response times (SLAs) and automatic notifications were also implemented, reducing the approval cycle from weeks to days. This redesign not only improved efficiency but also strengthened financial control and coordination between operational and administrative teams.
Integration of Both Workstreams
The strength of this solution lies in how both workstreams connect. On one hand, the COSO framework established an internal control structure that clarified how decisions should be made, how risks should be assessed, and how to monitor whether processes are functioning correctly. This laid the foundation for solid governance — which, on its own, would be difficult to sustain without being accompanied by efficient operations.
This is where the second workstream becomes essential: the process redesign ensured that the control structure would not become a burden, but an enabler. By simplifying workflows, reducing inefficiencies, and leveraging technology, the company not only improved its operational performance but also made it easier to apply the controls defined under COSO.
Moreover, although the initial need arose from the Finance department, the scope of the project demonstrated that governance is not solely a CFO concern. For the model to work, all directors — Operations, Engineering, Legal, Procurement, IT, and Human Resources — must be involved, as each contributes information, decisions, and controls that sustain the entire system.
In this way, both workstreams converge into a comprehensive solution: an organization that combines governance with efficiency, prepared both to grow and to maintain control going forward — with an executive committee aligned around a shared way of operating and making decisions.
Conclusion and Key Takeaways
The growth of a business group cannot come hand in hand with slow processes or structures that stifle operations. On the contrary: good governance must ensure control and visibility while enhancing agility. The key lies in designing systems that guarantee leaders have reliable information to support decision-making, without slowing down the pace at which the business needs to move.
When governance is understood as a support system rather than an obstacle, teams stop wasting time on unnecessary approvals and start focusing on the activities that generate value and make the company more efficient. As a result, the risk of errors, fraud, or misalignment is reduced, while clarity in execution improves. And most importantly: a solid foundation is built for growing in an orderly manner, even as the group adds new business units or takes on more complex operations.
The true competitive advantage does not lie in having more rules or controls, but in having the right ones — applied in an agile way that supports day-to-day operations. Governance without bureaucracy means giving the business group the best of both worlds: security and control, alongside dynamism and flexibility.
