Interview with an Independent Governance, Risk, and Compliance Professional

Published on 20 April 2026 at 22:41

This week, I had the pleasure of speaking with Tamara Berben, an independent Governance, Risk, and Compliance (GRC) professional with over 18 years of international experience in Internal Control, Audit, and IT Governance. Her career spans both advisory at PwC and senior in-house leadership roles across the Netherlands, Germany, and broader Europe, giving her a strong combination of strategic insight and hands-on implementation expertise.

Tamara previously served as Head of Internal Control at Bilfinger SE, where she drove large-scale transformations of the internal control frameworks, including the roll-out of global GRC tooling. Today, she works as an independent GRC professional, supporting organizations in strengthening and modernizing their control environments, with a focus on IT compliance, ESG assurance, and scalable governance frameworks.

Beyond her technical expertise, Tamara is recognized for her clear, pragmatic leadership style and her ability to navigate complex stakeholder environments. She combines deep subject-matter knowledge with a strong sense of direction and authenticity, making her not only a trusted advisor, but also an inspiring leader within her field.

 

There are several definitions for Internal Control System (ICS) including the company’s ethical tone and structure, risk assessments and control instances such as segregation of duties, approval processes, and physical controls. What does Internal Control mean in practice for you?

In practice, Internal Control is less about ticking boxes and more about creating a system that quietly prevents chaos while nobody notices it’s working. If everything runs smoothly, it often means internal controls are doing their job perfectly. Ironically, success looks a bit like invisibility.

For me, it’s about deliberately designing an environment where the right behaviour is embedded into the process itself, not left to chance, personality, or last-minute heroics. Good controls don’t rely on people catching mistakes; they make it difficult to make them in the first place.

That means segregation of duties that genuinely reduces risk instead of creating workarounds, approvals that serve as real decision points rather than rubber stamps, and systems that enforce logic and consistency without slowing the business down.

In short: Internal Control is not a safety net, it’s a steering mechanism. It ensures that “doing things right” is not just encouraged, but structurally inevitable.

 

Internal control systems have been the focus of numerous legislative efforts, meaning there are sometimes strict laws and established frameworks governing ICS, including the post-Enron U.S. Sarbanes-Oxley Act (SOX) and OECD Guidelines, as well as private sector attempts at self-regulation, such as the COSO model. What kind of trends do you see regarding the regulatory framework for ICS?

The regulatory landscape is definitely not getting lighter. We see a shift from purely financial controls (think SOX) toward broader, integrated frameworks that include ESG, IT security, data privacy, and operational resilience. Regulators are no longer satisfied with companies saying “we have controls”: they want evidence that controls work in practice, ideally in real time.

Another key trend is automation. Controls are moving away from manual spreadsheets (which, let’s be honest, have caused their fair share of “creative accounting”) toward embedded, system-driven controls.

So the future of ICS lies in integration and intelligent design, where controls are fully embedded into processes, continuously monitored, and directly aligned with business performance and risk appetite.

 

Despite this regulatory environment, one of the most significant failures of internal control systems, resulting in massive financial penalties, was the Volkswagen diesel emissions scandal in 2015, which cost the company over 30 billion USD in fines, penalties, and settlements. What do you think we can learn from the case?

The Volkswagen diesel emissions scandal is a powerful reminder that even the most sophisticated control systems cannot compensate for the wrong tone at the top.

You can have the best frameworks, policies, and controls on paper, but if the culture implicitly rewards results over integrity, people will find ways around those controls, or worse, design ways to bypass them entirely. What failed at Volkswagen was not the absence of controls, but the environment in which those controls operated.

It also highlights a critical weakness in many organizations: controls are often designed to detect errors, but not to challenge intent. When pressure, hierarchy, or fear override accountability, even well-designed controls can become ineffective or ignored.

The key lesson is that Internal Control is not just a technical system; it’s a cultural one. It requires consistent leadership behaviour, clear accountability, and an environment where speaking up is genuinely encouraged and protected, not just formally documented in policies.

Controls should therefore not only detect issues but also reinforce the right behaviours. Because ultimately, the effectiveness of any control system depends on the people operating within it.

Or put differently: if your controls are excellent but nobody feels safe using them, they are just very expensive decorations.

 

We live in a globalized world where mergers and acquisitions happen every day. According to PricewaterhouseCoopers, the first half of 2025 alone saw 21 "megadeals" (valued over 1 billion USD) in the EU’s DACH region (Germany, Austria and Switzerland). How can you ensure that an internal control system of a company remains dynamic and aligns with expanded or changed business goals and acquisition strategies?

An Internal Control System should never be treated as a static “one-size-fits-all” framework, especially during mergers and acquisitions, where “one size fits none” is often closer to reality.

The real challenge in an M&A context is balancing consistency with adaptability. You need a strong core framework that defines principles, minimum standards, and governance expectations, while allowing enough flexibility to accommodate different business models, geographies, levels of maturity, and risk profiles.

This starts already in the due diligence phase, where understanding the control environment of the target company is just as important as understanding its financials. Too often, control integration is treated as a post-deal exercise, while in reality it should be part of the value creation strategy from day one.

In practice, this means prioritizing what truly matters: identifying key risks, aligning controls with business objectives, and sequencing implementation in a way that supports continuity rather than disruption. Overloading a newly acquired entity with a full control framework immediately can create resistance, inefficiencies, and even new risks.

Equally important is stakeholder alignment. Controls only work if they are understood, accepted, and owned by the business. This requires clear communication, pragmatic implementation, and a strong focus on accountability across both legacy and newly integrated teams.

Ultimately, an effective ICS in an M&A environment is not about enforcing uniformity, it’s about enabling integration while maintaining control. A strong ICS evolves with the business; a truly effective one anticipates where the business is going and supports that trajectory.

 

When I think about what kind of skills might be needed if someone is to be an ICS Control specialist, I think about a high level of conscientiousness, analytical thinking, calmness under pressure, and a meticulous attention to detail. Do you recall any case throughout your career when you needed any of these skills to decrease operational or human risk? Why are these skills so essential in a job like this?

Throughout my career, there have been moments where complexity, time pressure, and differing perspectives all came together at once. In those situations, what really matters is the ability to stay structured and objective.

Analytical thinking allows you to break down complexity into something manageable, while calmness under pressure ensures that decisions remain well-considered rather than reactive. Especially in Internal Control, where conclusions often have broader implications, reacting too quickly can create more risk than it resolves.

Attention to detail plays a different but equally important role. In many cases, it’s not the obvious issues that matter most, but the small inconsistencies that indicate something deeper. Recognizing those early can prevent much larger problems down the line.

These skills are essential because working in Internal Control means navigating complexity across processes, systems, and people. It’s not just about identifying risks, it’s about understanding their root cause and addressing them in a way that is both effective and sustainable.

 

If you let me ask a few personal questions: I recently watched a documentary where I saw a photo of Mary Ann Gates, mother of Bill Gates, sitting in a room full of high-level managers and executives. She was the only woman in the photo. Has this happened to you before as a female leader? In addition, what would be your message for women who experience this for the first time in their career or are just dreaming about something similar in their future?

Yes, that has definitely happened. But over time, it simply became part of the professional environment rather than something I actively focused on.

In my experience, what matters most is not who else is in the room, but what you bring to the discussion. If you are well-prepared, have a clear perspective, and add value, you establish your position naturally.

That said, it would be unrealistic to ignore that in some environments and cultures, women are still more easily overlooked or less actively listened to. Being aware of that dynamic is important, not as a limitation, but as context you may need to navigate.

For women experiencing this for the first time, I would say: don’t overinterpret the situation, but also don’t underestimate your voice. Focus on your contribution, be consistent in speaking up, and ensure your perspective is heard. Credibility is built through clarity, substance, and presence.

At the same time, it’s equally important to recognize when an environment is not ready for your perspective or values. Not every room is the right room, and that’s not a reflection of your capability, but of the environment itself. Knowing when to invest your energy and when to move on is part of professional strength.

And perhaps most importantly, stay close to your own style. You don’t need to adapt to a certain mold to be effective. Strong perspectives and thoughtful input speak for themselves, regardless of who delivers them.

 

Image: pixabay.com