Managing Risk Through Financial Processes: Embedding Governance, Risk, and Compliance
Upcoming SlideShare
Loading in...5
×
 

Managing Risk Through Financial Processes: Embedding Governance, Risk, and Compliance

on

  • 865 views

Explore the performance benefits of an embedded and holistic approach to GRC.

Explore the performance benefits of an embedded and holistic approach to GRC.

Statistics

Views

Total Views
865
Views on SlideShare
865
Embed Views
0

Actions

Likes
0
Downloads
37
Comments
0

0 Embeds 0

No embeds

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Managing Risk Through Financial Processes: Embedding Governance, Risk, and Compliance Managing Risk Through Financial Processes: Embedding Governance, Risk, and Compliance Document Transcript

    • Managing risk through Þnancial processes Embedding governance, risk and compliance A report from the Economist Intelligence Unit Sponsored by SAP
    • © Economist Intelligence Unit 2008 Managing risk through Þnancial processes Embedding governance, risk and compliance Contents Preface 3 Introduction 5 About the survey 5 What the executives are saying 7 Impact on decision-making 10 What to keep in mind 12 Conclusion 14 Appendix: Survey results 15 1
    • © Economist Intelligence Unit 2008 Managing risk through Þnancial processes Embedding governance, risk and compliance Preface M anaging risk through Þnancial processes is an Economist Intelligence Unit report sponsored by SAP. The Economist Intelligence Unit bears sole responsibility for this report. The Economist Intelligence Unit’s editorial team conducted the interviews and wrote the report. The Þndings and views expressed in this report do not necessarily reßect the views of the sponsor. Jan Fedorowicz was the author of the report and Dan Armstrong was the editor. Our thanks are due to all of the survey respondents and interviewees for their time and insights. November 2008 3
    • © Economist Intelligence Unit 2008 Managing risk through Þnancial processes Embedding governance, risk and compliance Introduction M ost companies have tried at some point to automate and streamline Þnancial processes. But these initiatives often focus more on reducing costs than on adding value. This may be a mistake. The most valuable processes do not simply stream money and data between different functions, departments and business entities; they also feed reports, tests and controls that help managers become more proactive. Are sensitive transaction processes properly segregated and monitored? How ßawless is the revenue recognition process? Will business decisions still make sense after a spike in oil prices, a bank failure or a drop in demand? The best processes ßag these and other risks, helping managers to make informed decisions and ensuring compliance both with the law and with corporate policy. Adding this kind of value to Þnancial processes stands at the heart of a broader initiative known as governance, risk and compliance (GRC). Governance is the collection of board and C-suite approved policies that guide the company; GRC refers to the way those policies are put into operation as a set of rules, processes and controls. When the components of GRC are embedded within Þnancial processes, they not only track Þnancial ßows but also alert management when things are in danger of going awry. In this way, GRC can help companies modify their processes over time in order to adapt continuously to emerging risks. Companies that fail to use their Þnancial systems in this way may be missing an opportunity to manage risks more efÞciently while improving the quality of decisions. To Þnd out how senior executives view their Þnancial processes, the Economist Intelligence Unit surveyed a global sample of mostly Þnancial executives in September 2008. Some respondents focused on the importance of developing processes that reduced costs and improved efÞciency. Others acknowledged the importance of cost and efÞciency, but also recognised that automated Þnancial processes could be used to control risk, improve decision-making and enhance control. About the survey from locations around the world, with one-third from Western Europe, 20% from North America, 27% from Asia-PaciÞc and the rest from Eastern Europe, the Middle East, Latin America and In September 2008, on behalf of SAP, the Economist Intelligence Africa. Seventy percent of the companies had annual revenue over Unit surveyed 446 senior executives from nine industries about US$500m, and 28% had revenue over US$10bn. Over one-third were their views on their Þnancial processes and their attempts to at the board level or chief ofÞcer level, and another 15% were at the improve them. Survey respondents came from the Þnance, risk, senior vice president level. The industries covered were chemicals, general management, strategy/business development and consumer goods, energy, Þnancial services, the public sector, life information technology (IT) functions. They answered the survey sciences, IT and retailing. 5
    • © Economist Intelligence Unit 2008 Managing risk through Þnancial processes Embedding governance, risk and compliance What executives are saying I n 1998 CFO magazine published an article on how Case Corporation, a US-based manufacturer, was working to automate, simplify and harmonise its Þnancial processes. A decade later, Þnancial executives are still at it. When asked about issues with Þnancial processes, survey respondents cited manual processes, inconsistent methodologies and complex procedures as the major problems (see Figure 1). Incompatible legacy systems, awkward handoffs of data, the lack of institutional knowledge, poor visibility and accountability, the need to spend time reconciling inconsistent and redundant data all continue to plague many chief Þnancial ofÞcers (CFOs). Figure 1: Biggest problems with current financial processes (% respondents) Cost-related concerns Too many manual processes 39 Complex procedures which are difficult to model or automate 33 Inconsistent methodologies around the organisation 32 Lack of visibility and accountability 29 The need to reconcile inconsistent or redundant data from multiple sources 28 Incompatible technology (eg, customised spreadsheets, databases and commercial products) 28 Boundaries between departments, with departmental managers trying to hold on to authority 25 Controls which are too numerous or restrictive 22 Portions of the process depend on individuals who are not always available 21 The need to document audit trails 8 Other, please specify 1 7
    • Managing risk through Þnancial processes © Economist Intelligence Unit 2008 Embedding governance, risk and compliance Figure 2: Drawbacks of investing in standardised/automated financial processes (% respondents) Cost-related concerns High level of investment required 48 Difficulty of modeling complex financial processes 24 Difficulty of getting buy-in from senior management 22 Organisation is too diverse in its business lines 22 Difficulty of getting buy-in from business lines/regions 21 Multiple regulatory regimes make compliance rules unique by business and/or region 19 Business model and operations are unique 11 Financial processes are sufficiently fast, efficient and accurate now 7 Other, please specify 4 One thing has changed, however: the prevalence of risk and the consequences of failing to control it. Now, as in 1998, CFOs often defer decisions to re-engineer Þnancial processes because of the upfront cost. But costs need to be balanced against risks, and the risks arising from out-of-date, incomplete, inaccurate or easy-to-manipulate data have increased. For instance: ! The economic downturn is expected to increase the motivation for individuals to commit fraud, distract the CFOs and regulators charged with guarding against it, and reduce the resources needed to Þght it. ! Not only has credit become difÞcult to obtain, but lenders now focus on the ability of potential borrowers to anticipate risk events and mitigate their impact. To evaluate borrowers, lenders are scrutinising Þnancial controls and visibility into business processes. And starting in the third quarter of 2008, a rating agency, Standard & Poor’s, began to roll out a programme requiring companies to provide evidence of a “formal and effective risk management program” in order to receive a positive rating on their debt. ! Globalisation and higher levels of mergers and acquisitions (M&A) activity have prompted many companies to become more complex and fragmented across functions, business lines and geography. This complexity increases the odds of inaccurate or out-of-date information. ! Regulations that did not exist a decade ago require companies to ensure the integrity of data, processes and controls. This is a global trend, from Sarbanes-Oxley Section 404—which mandates internal Þnancial controls and procedures for publicly-traded US companies—to Japan’s so-called JSOX, Canada’s Bill 198 and changes in EU Directives 4, 7 and 8. 1 Ten things about the ! Restatements of Þnancials among US companies—mostly owing to poor documentation, lack of consequences of financial statement fraud: A look transparency and weak internal controls—have become more prevalent, rising from 116 in 1997 to 1,270 at some of the adverse in 2007, according to a proxy research Þrm, Glass Lewis & Co. consequences companies ! The number of fraud schemes identiÞed in US Securities and Exchange Commission Accounting and have experienced, Deloitte Forensic Center, September Auditing Enforcement Releases doubled between 2000 and 2007. Moreover, the companies cited experienced 2008. stock price drops, restatements, delistings, litigation and bankruptcies at a rate far higher than the norm. 1 8
    • © Economist Intelligence Unit 2008 Managing risk through Þnancial processes Embedding governance, risk and compliance Figure 3: Expected benefits from standardising and automating financial processes (% respondents) Cost-related concerns Cutting back on manual processes, decreasing risk of error 51 Enhancing data integrity 39 Freeing staff from routine number-crunching, redeploying into higher-value activities 38 Meeting compressed deadlines/improve response time 31 Reducing costs 25 Standardisation of methodologies around the enterprise 24 Higher productivity 19 Better visibility into origin of numbers and how they are calculated 19 Better compliance with regulatory requirements 13 Able to identify and resolve bottlenecks 11 Able to set risk thresholds, data access and other controls centrally 7 Fewer opportunities for fraud 5 Other, please specify 1 ! A decade of investments in emerging markets has exposed companies to more potential for corruption. In Ernst & Young’s 2008 global fraud survey, the Middle East, India, Africa and the Far East indicated substantially higher levels of corruption (although the highest level was reported in Japan). Just over one-half of the executives who responded to the survey did acknowledge that automating Þnancial processes would reduce risk, and almost three-quarters said that automation would lead to fewer bad decisions. But many survey respondents did not link automated processes to reductions in the speciÞc risks of fraud, restatements and errors. And relatively few recognised that automation could also be harnessed to improve monitoring, compliance and controls. As Figure 2 demonstrates, many executives remain more focused on cost than risk. If respondents had any hesitation about moving forward with automation, it was because they feared that the costs of the change would be prohibitive. They also feared the challenges of modelling complex or idiosyncratic processes across diverse business lines, all of which might make it difÞcult to secure support from senior executives and business line heads. Ironically, the very complexity of existing processes becomes an argument against committing resources to simpliÞcation. Only one-quarter of the executives cited “reducing costs” as a reason for standardising and automating Þnancial processes. But savings do accrue from eliminating manual processes, unifying multiple systems and embedding controls into Þnancial processes. This lower overhead can be quantiÞed and compared to implementation costs to develop a return on investment. Other advantages of automation—better business decisions and risk management, more robust processes and fewer instances of non- compliance—are harder to quantify. 9
    • Managing risk through Þnancial processes © Economist Intelligence Unit 2008 Embedding governance, risk and compliance Impact on decision-making S urvey respondents certainly pointed to reductions in headcount, speedier execution and fewer errors as a result of Þnancial process initiatives. But, perhaps more importantly, the initiatives also reduced the number of poor decisions. Prioritising controls by the level of risk had an especially signiÞcant impact on decisions. So did automation. Even the segregation of duties led to signiÞcant improvements in decision-making. Executives clearly saw both bottom-line and less tangible beneÞts to improving Þnancial processes. Figure 4: Percentage reporting fewer poor decisions as a result of a given initiative Initiative % reporting fewer poor decisions Prioritising controls based on risk 56% Increased automation 52% Increased automation of internal controls 49% Reduction in redundancies 45% Realignment in segregation of duties 41% Furthermore, the executives surveyed are starting to embed risk assessments into Þnancial processes. About seven in ten said that they had added risk evaluations to their processes. And 73% reported that when risk evaluations were included, the quality of decision-making improved. Six out of ten reported that process efÞciency improved, and 72% said that the prioritisation of controls was enhanced when risk was included. A holistic approach One way of reading the survey results is that a growing number of executives are going beyond the narrow goal of simply automating processes. They are beginning to see that these initiatives can yield additional beneÞts in areas of risk and compliance. 10
    • © Economist Intelligence Unit 2008 Managing risk through Þnancial processes Embedding governance, risk and compliance For instance, Anglo-Dutch consumer goods multi-national Unilever has adopted a holistic approach to the upgrading of its Þnancial processes. According to Khalid Noor, who improved Þnancial processes as CFO of Unilever (Pakistan), the company used the redesign to improve governance and manage risk. It also enhanced speed, transparency and efÞciency, as well as increasing the depth of analytics available to managers as part of a strategic focus on customer service. In Unilever’s case, risk management was focused on issues such as currency exposure, brand health, customer service levels, cash management, inventory management and stock obsolescence, as well as the collection of receivables. Unilever viewed the enhancement of its Þnancial processes as part of a larger initiative to put new tools into the hands of managers, which pushed GRC responsibilities into the ranks and gave managers the ability to act on risk and compliance issues. A holistic approach to GRC can also be used to support initiatives mandated by the board of directors. For example, the board may decide to promote women entrepreneurs by favouring them in procurement, or to position the company as a “green” organisation. These decisions may have the side effect of increasing exposure to smaller or newer suppliers with higher credit risk. To fulÞl the board’s mandate while controlling risks, a company might track and report credit criteria on suppliers and alert Þnance staff once a certain number of suppliers fail to meet the criteria. Then it would be up to the staff whether to take action or to make an exception, which would have to be approved by a more senior executive. 11
    • Managing risk through Þnancial processes © Economist Intelligence Unit 2008 Embedding governance, risk and compliance What to keep in mind T he order of words in the acronym GRC is no accident. Governance comes Þrst because the Þrst step in deÞning a GRC approach is determining the organisation’s strategic direction and constraints, including its risk appetite. Next comes risk assessment, which involves identifying areas of exposure, quantifying their potential impacts and prioritising them by importance. The Þnal and most tactical piece is compliance—not just the traditional deÞnition of obeying regulatory mandates, but also the mechanics of ensuring that day-to-day actions address the company’s risk priorities. Steps often taken when implementing risk and compliance systems include: Identify the full range of risks. The dangers of credit risk have been seared into the consciousness of every business executive. But most risks are more mundane: excessive inventory, high levels of returns, or over-reliance on a handful of customers or suppliers, for instance. Although many of these risks do not fall under the purview of the Þnance department, their measurement and reporting usually do. Establish a risk management culture. The most efÞcient way to mitigate risks is often to take advantage of existing processes. By identifying risks, setting up escalation thresholds, and building in alerts and procedures to be triggered when thresholds are breached, companies can become more systematic and proactive in managing risks. Align controls with risks and embed into processes. When risks are prioritised, controls should follow. Excessive alerts resulting from unnecessary controls or low risk thresholds can be counterproductive. According to Luca Pighi, CFO of GE Capital Finance (Italy), too many red ßags can introduce confusion, not clarity. Similarly, fragmented, redundant and manual GRC processes often result in too much data, leading to delays in recognising and acting on risks. Mr Pighi points out the need to align risks and controls properly at the outset and then reÞne them continuously as the business changes. 12
    • © Economist Intelligence Unit 2008 Managing risk through Þnancial processes Embedding governance, risk and compliance Devise procedures for manual interventions. No matter how much automation is introduced, there is always the need for manual intervention, with its attendant risk of mistakes or fraud. According to Mr Pighi, GE Capital Finance solved the problem by introducing a structured system of authorisation in which line staff could only make manual journal entries with the approval of senior managers. No system can be completely automated; all require the ability to accept exceptions via carefully designed and tracked manual interventions. Consolidate and track controls to ease the auditing process. Having auditors evaluate the effectiveness of thousands of controls across multiple business units can be a time-consuming and expensive process. By identifying and tracking the risks of control violations and consolidating this information in a single place, companies can help auditors prioritise and streamline their recommendations for corrective action. The result can be lower costs and faster audits. 13
    • Managing risk through Þnancial processes © Economist Intelligence Unit 2008 Embedding governance, risk and compliance Conclusion A decade ago, most companies needed to be persuaded of the beneÞts of Þnancial process automation, which was seen largely as a way to reduce headcount and cut costs. Now automation is more widely accepted, and there is an understanding that automation helps with better decision-making, but the implication of automation for risk and compliance are still not fully understood. In a holistic implementation of GRC, governance, risk and compliance are consistently deÞned, closely linked, and manifested in end-to-end processes and controls. Well-designed GRC processes are robust and repeatable. They efÞciently integrate Þnancial reporting, compliance and risk monitoring into daily operations. Moreover, automated processes tend to be easier than manual processes to modify, which helps organisations to adapt quickly to changes in business conditions, regulations or corporate policy—many of which carry risks that are not immediately obvious. Companies can be more proactive in addressing potential risks and more quickly mitigate existing risks, leading to less volatility and greater sustainability in Þnancial results. No system eliminates the need for judgment. Senior executives still need to articulate policy; managers still need to set the parameters that will drive risk management and compliance. Even a high- performance automobile still needs a good driver. And as Warren Buffett once observed, the rear-view mirror is always clearer than the windshield. Integrating GRC into Þnancial processes can help to keep that windshield clean and allows the company to drive into the future with conÞdence. 14
    • © Economist Intelligence Unit 2008 Managing risk through Þnancial processes Appendix Embedding governance, risk and compliance Survey results Appendix: Survey results What are the biggest problems with your current financial processes? Select up to three. (% respondents) Too many manual processes 39 Complex procedures which are difficult to model or automate 33 Inconsistent methodologies around the organisation 32 Lack of visibility and accountability 29 Incompatible technology (eg, customised spreadsheets, databases and commercial products) 28 The need to reconcile inconsistent or redundant data from multiple sources 28 Boundaries between departments, with departmental managers trying to hold on to authority 25 Controls which are too numerous or restrictive 22 Portions of the process depend on individuals who are not always available 21 The need to document audit trails 8 Other, please specify 1 What would be the biggest benefits of an initiative to standardise and automate your financial processes? Select up to three. (% respondents) Cutting back on manual processes, decreasing risk of error 51 Enhancing data integrity 39 Freeing staff from routine number-crunching, redeploying into higher-value activities 38 Meeting compressed deadlines/improve response time 31 Reducing costs 25 Standardisation of methodologies around the enterprise 24 Better visibility into origin of numbers and how they are calculated 19 Higher productivity 19 Better compliance with regulatory requirements 13 Able to identify and resolve bottlenecks 11 Able to set risk thresholds, data access and other controls centrally 7 Fewer opportunities for fraud 5 Other, please specify 1 15
    • Appendix Managing risk through Þnancial processes © Economist Intelligence Unit 2008 Survey results Embedding governance, risk and compliance What would be the biggest drawbacks of an initiative to standardise and automate financial processes? Select up to two. (% respondents) High level of investment required 48 Difficulty of modeling complex financial processes 24 Difficulty of getting buy-in from senior management 22 Organisation is too diverse in its business lines 22 Difficulty of getting buy-in from business lines/regions 21 Multiple regulatory regimes make compliance rules unique by business and/or region 19 Business model and operations are unique 11 Financial processes are sufficiently fast, efficient and accurate now 7 Other, please specify 4 In the past five years, which of the following tasks has your organisation attempted to address by improving its financial processes? Select all that apply. (% respondents) Increase level of automation for processes in general 76 Increase level of automation for internal controls 51 Reduce redundancies 41 Prioritise controls based on risk assessments 41 Realign segregation of duties 37 Other, please specify 3 We have not attempted to improve our financial processes 1 What improvements, if any, have resulted from these attempts? Increase level of automation for processes in general (% respondents) Much higher Higher No change Lower Much lower Don’t know Headcount 2 16 42 35 3 3 Time required 2 13 13 57 14 1 Control errors 2 15 17 50 12 4 Audit costs 2 14 48 24 5 7 Number of poor-quality decisions 1 5 33 42 9 10 16
    • © Economist Intelligence Unit 2008 Managing risk through Þnancial processes Appendix Embedding governance, risk and compliance Survey results What improvements, if any, have resulted from these attempts? Increase level of automation for internal controls (% respondents) Much higher Higher No change Lower Much lower Don’t know Headcount 3 17 45 31 2 3 Time required 2 19 19 54 6 Control errors 3 17 13 52 13 3 Audit costs 2 17 39 30 6 7 Number of poor-quality decisions 2 7 28 45 10 8 What improvements, if any, have resulted from these attempts? Reduce redundancies (% respondents) Much higher Higher No change Lower Much lower Don’t know Headcount 2 13 32 44 5 3 Time required 3 12 15 55 13 2 Control errors 2 11 32 45 7 4 Audit costs 1 10 51 28 4 7 Number of poor-quality decisions 1 9 38 38 6 8 What improvements, if any, have resulted from these attempts? Realign segregation of duties (% respondents) Much higher Higher No change Lower Much lower Don’t know Headcount 4 25 42 23 3 3 Time required 1 23 28 39 6 2 Control errors 2 18 26 41 11 2 Audit costs 1 20 50 21 2 6 Number of poor-quality decisions 1 11 38 40 2 8 What improvements, if any, have resulted from these attempts? Prioritise controls based on risk assessments (% respondents) Much higher Higher No change Lower Much lower Don’t know Headcount 2 18 52 24 1 4 Time required 1 24 30 39 4 3 Control errors 1 19 28 44 7 2 Audit costs 2 19 40 31 3 5 Number of poor-quality decisions 9 31 49 7 5 17
    • Appendix Managing risk through Þnancial processes © Economist Intelligence Unit 2008 Survey results Embedding governance, risk and compliance Does your organisation regularly include risk evaluations as part of its financial processes? (% respondents) Yes 75 No 19 Don’t know 6 What are the results of these risk evaluations? (% respondents) Much better Better No change Worse Much worse Don’t know Quality of decisions 9 66 23 1 1 Efficiency of processes 6 56 34 4 Prioritisation of controls 8 65 24 1 2 In which region are you personally based? (% respondents) Western Europe 34 Asia-Pacific 27 North America 20 Middle East and Africa 8 Latin America 7 Eastern Europe 4 What is your primary industry? What are your organisation's global annual revenues in (% respondents) US dollars? (% respondents) Financial services 26 $500m or less Healthcare, pharmaceuticals and biotechnology 30 12 $500m to $1bn Energy 13 11 $1bn to $5bn Automotive 18 10 $5bn to $10bn Chemicals 11 9 $10bn or more Consumer goods 28 9 Government/Public sector 8 IT and technology 7 Retailing 7 18
    • © Economist Intelligence Unit 2008 Managing risk through Þnancial processes Appendix Embedding governance, risk and compliance Survey results Which of the following best describes your job title? What are your main functional roles? (% respondents) Please choose no more than three functions. (% respondents) Board member 2 Finance CEO/President/Managing director 69 11 Risk CFO/Treasurer/Comptroller 25 17 Strategy and business development CIO/Technology director 24 3 General management Other C-level executive 24 4 IT SVP/VP/Director 22 15 Marketing and sales Head of Business Unit 14 7 Operations and production Head of Department 11 12 Customer service Manager 7 20 R&D Other 6 9 Information and research 6 Procurement 5 Human resources 5 Legal 4 Supply-chain management 4 Other 2 19
    • Whilst every effort has been taken to verify the accuracy of this information, neither The Economist Intelligence Unit Ltd. nor the sponsor of this report can accept any responsibility or liability for reliance by any person on this white paper or any of the information, opinions or conclusions set out in the white paper. Cover image - © xxxx
    • LONDON 26 Red Lion Square London WC1R 4HQ United Kingdom Tel: (44.20) 7576 8000 Fax: (44.20) 7576 8476 E-mail: london@eiu.com NEW YORK 111 West 57th Street New York NY 10019 United States Tel: (1.212) 554 0600 Fax: (1.212) 586 1181/2 E-mail: newyork@eiu.com HONG KONG 6001, Central Plaza 18 Harbour Road Wanchai Hong Kong Tel: (852) 2585 3888 Fax: (852) 2802 7638 E-mail: hongkong@eiu.com