Managing risk through financial processes
Embedding governance, risk and compliance
A report from the Economist Intelligence Unit Sponsored by SAP
© Economist Intelligence Unit 2008
Contents
Preface
Introduction
About the survey
What the executives are saying
Impact on decision-making
What to keep in mind
Conclusion
Appendix: Survey results
Preface
Managing risk through financial processes is an Economist Intelligence Unit report sponsored by SAP.
The Economist Intelligence Unit bears sole responsibility for this report. The Economist Intelligence
Unit’s editorial team conducted the interviews and wrote the report. The findings and views expressed
in this report do not necessarily reflect the views of the sponsor. Jan Fedorowicz was the author of
the report and Dan Armstrong was the editor. Our thanks are due to all of the survey respondents and
interviewees for their time and insights.
November 2008
Introduction
Most companies have tried at some point to automate and streamline financial processes.
But these initiatives often focus more on reducing costs than on adding value. This may be
a mistake. The most valuable processes do not simply stream money and data between different
functions, departments and business entities; they also feed reports, tests and controls that help
managers become more proactive. Are sensitive transaction processes properly segregated and
monitored? How flawless is the revenue recognition process? Will business decisions still make sense
after a spike in oil prices, a bank failure or a drop in demand? The best processes flag these and other
risks, helping managers to make informed decisions and ensuring compliance both with the law and
with corporate policy.
Adding this kind of value to financial processes stands at the heart of a broader initiative known as
governance, risk and compliance (GRC). Governance is the collection of board and C-suite approved
policies that guide the company; GRC refers to the way those policies are put into operation as a set of
rules, processes and controls. When the components of GRC are embedded within financial processes,
they not only track financial flows but also alert management when things are in danger of going awry.
In this way, GRC can help companies modify their processes over time in order to adapt continuously
to emerging risks. Companies that fail to use their financial systems in this way may be missing an
opportunity to manage risks more efficiently while improving the quality of decisions.
To find out how senior executives view their financial processes, the Economist Intelligence Unit
surveyed a global sample of mostly financial executives in September 2008. Some respondents focused on
the importance of developing processes that reduced costs and improved efficiency. Others acknowledged
the importance of cost and efficiency, but also recognised that automated financial processes could be
used to control risk, improve decision-making and enhance control.
About the survey
In September 2008, on behalf of SAP, the Economist Intelligence
Unit surveyed 446 senior executives from nine industries about
their views on their financial processes and their attempts to
improve them. Survey respondents came from the finance, risk,
general management, strategy/business development and
information technology (IT) functions. They answered the survey
from locations around the world, with one-third from Western
Europe, 20% from North America, 27% from Asia-Pacific and the
rest from Eastern Europe, the Middle East, Latin America and
Africa. Seventy percent of the companies had annual revenue over
US$500m, and 28% had revenue over US$10bn. Over one-third were
at the board level or chief officer level, and another 15% were at the
senior vice president level. The industries covered were chemicals,
consumer goods, energy, financial services, the public sector, life
sciences, IT and retailing.
What executives are saying
In 1998 CFO magazine published an article on how Case Corporation, a US-based manufacturer,
was working to automate, simplify and harmonise its financial processes. A decade later, financial
executives are still at it. When asked about issues with financial processes, survey respondents cited
manual processes, inconsistent methodologies and complex procedures as the major problems (see
Figure 1). Incompatible legacy systems, awkward handoffs of data, the lack of institutional knowledge,
poor visibility and accountability, the need to spend time reconciling inconsistent and redundant data all
continue to plague many chief financial officers (CFOs).
Figure 1: Biggest problems with current financial processes
(% respondents)
Too many manual processes: 39
Complex procedures which are difficult to model or automate: 33
Inconsistent methodologies around the organisation: 32
Lack of visibility and accountability: 29
The need to reconcile inconsistent or redundant data from multiple sources: 28
Incompatible technology (eg, customised spreadsheets, databases and commercial products): 28
Boundaries between departments, with departmental managers trying to hold on to authority: 25
Controls which are too numerous or restrictive: 22
Portions of the process depend on individuals who are not always available: 21
The need to document audit trails: 8
Other, please specify: 1
Figure 2: Drawbacks of investing in standardised/automated financial processes
(% respondents)
High level of investment required: 48
Difficulty of modeling complex financial processes: 24
Difficulty of getting buy-in from senior management: 22
Organisation is too diverse in its business lines: 22
Difficulty of getting buy-in from business lines/regions: 21
Multiple regulatory regimes make compliance rules unique by business and/or region: 19
Business model and operations are unique: 11
Financial processes are sufficiently fast, efficient and accurate now: 7
Other, please specify: 4
One thing has changed, however: the prevalence of risk and the consequences of failing to control
it. Now, as in 1998, CFOs often defer decisions to re-engineer financial processes because of the upfront
cost. But costs need to be balanced against risks, and the risks arising from out-of-date, incomplete,
inaccurate or easy-to-manipulate data have increased. For instance:
• The economic downturn is expected to increase the motivation for individuals to commit fraud, distract
the CFOs and regulators charged with guarding against it, and reduce the resources needed to fight it.
• Not only has credit become difficult to obtain, but lenders now focus on the ability of potential borrowers
to anticipate risk events and mitigate their impact. To evaluate borrowers, lenders are scrutinising financial
controls and visibility into business processes. And starting in the third quarter of 2008, a rating agency,
Standard & Poor’s, began to roll out a programme requiring companies to provide evidence of a “formal and
effective risk management program” in order to receive a positive rating on their debt.
• Globalisation and higher levels of mergers and acquisitions (M&A) activity have prompted many
companies to become more complex and fragmented across functions, business lines and geography. This
complexity increases the odds of inaccurate or out-of-date information.
• Regulations that did not exist a decade ago require companies to ensure the integrity of data,
processes and controls. This is a global trend, from Sarbanes-Oxley Section 404—which mandates internal
financial controls and procedures for publicly-traded US companies—to Japan’s so-called JSOX, Canada’s
Bill 198 and changes in EU Directives 4, 7 and 8.
• Restatements of financials among US companies—mostly owing to poor documentation, lack of
transparency and weak internal controls—have become more prevalent, rising from 116 in 1997 to 1,270
in 2007, according to a proxy research firm, Glass Lewis & Co.
• The number of fraud schemes identified in US Securities and Exchange Commission Accounting and
Auditing Enforcement Releases doubled between 2000 and 2007. Moreover, the companies cited experienced
stock price drops, restatements, delistings, litigation and bankruptcies at a rate far higher than the norm.[1]
[1] Ten things about the consequences of financial statement fraud: A look at some of the adverse
consequences companies have experienced, Deloitte Forensic Center, September 2008.
Figure 3: Expected benefits from standardising and automating financial processes
(% respondents)
Cutting back on manual processes, decreasing risk of error: 51
Enhancing data integrity: 39
Freeing staff from routine number-crunching, redeploying into higher-value activities: 38
Meeting compressed deadlines/improve response time: 31
Reducing costs: 25
Standardisation of methodologies around the enterprise: 24
Higher productivity: 19
Better visibility into origin of numbers and how they are calculated: 19
Better compliance with regulatory requirements: 13
Able to identify and resolve bottlenecks: 11
Able to set risk thresholds, data access and other controls centrally: 7
Fewer opportunities for fraud: 5
Other, please specify: 1
• A decade of investments in emerging markets has exposed companies to more potential for corruption.
In Ernst & Young’s 2008 global fraud survey, the Middle East, India, Africa and the Far East indicated
substantially higher levels of corruption (although the highest level was reported in Japan).
Just over one-half of the executives who responded to the survey did acknowledge that automating
financial processes would reduce risk, and almost three-quarters said that automation would lead to
fewer bad decisions. But many survey respondents did not link automated processes to reductions in the
specific risks of fraud, restatements and errors. And relatively few recognised that automation could also
be harnessed to improve monitoring, compliance and controls.
As Figure 2 demonstrates, many executives remain more focused on cost than risk. If respondents
had any hesitation about moving forward with automation, it was because they feared that the costs of
the change would be prohibitive. They also feared the challenges of modelling complex or idiosyncratic
processes across diverse business lines, all of which might make it difficult to secure support from senior
executives and business line heads. Ironically, the very complexity of existing processes becomes an
argument against committing resources to simplification.
Only one-quarter of the executives cited “reducing costs” as a reason for standardising and automating
financial processes. But savings do accrue from eliminating manual processes, unifying multiple systems
and embedding controls into financial processes. This lower overhead can be quantified and compared
to implementation costs to develop a return on investment. Other advantages of automation—better
business decisions and risk management, more robust processes and fewer instances of
non-compliance—are harder to quantify.
Impact on decision-making
Survey respondents certainly pointed to reductions in headcount, speedier execution and fewer errors
as a result of financial process initiatives. But, perhaps more importantly, the initiatives also reduced
the number of poor decisions. Prioritising controls by the level of risk had an especially significant
impact on decisions. So did automation. Even the segregation of duties led to significant improvements
in decision-making. Executives clearly saw both bottom-line and less tangible benefits to improving
financial processes.
Figure 4: Percentage reporting fewer poor decisions as a result of a given initiative
Initiative % reporting fewer poor decisions
Prioritising controls based on risk 56%
Increased automation 52%
Increased automation of internal controls 49%
Reduction in redundancies 45%
Realignment in segregation of duties 41%
Furthermore, the executives surveyed are starting to embed risk assessments into financial processes.
About seven in ten said that they had added risk evaluations to their processes. And 73% reported that
when risk evaluations were included, the quality of decision-making improved. Six out of ten reported
that process efficiency improved, and 72% said that the prioritisation of controls was enhanced when risk
was included.
A holistic approach
One way of reading the survey results is that a growing number of executives are going beyond the narrow
goal of simply automating processes. They are beginning to see that these initiatives can yield additional
benefits in areas of risk and compliance.
For instance, Anglo-Dutch consumer goods multi-national Unilever has adopted a holistic approach
to the upgrading of its financial processes. According to Khalid Noor, who improved financial processes
as CFO of Unilever (Pakistan), the company used the redesign to improve governance and manage risk. It
also enhanced speed, transparency and efficiency, as well as increasing the depth of analytics available to
managers as part of a strategic focus on customer service.
In Unilever’s case, risk management was focused on issues such as currency exposure, brand health,
customer service levels, cash management, inventory management and stock obsolescence, as well as the
collection of receivables. Unilever viewed the enhancement of its financial processes as part of a larger
initiative to put new tools into the hands of managers, which pushed GRC responsibilities into the ranks
and gave managers the ability to act on risk and compliance issues.
A holistic approach to GRC can also be used to support initiatives mandated by the board of directors.
For example, the board may decide to promote women entrepreneurs by favouring them in procurement,
or to position the company as a “green” organisation. These decisions may have the side effect of
increasing exposure to smaller or newer suppliers with higher credit risk. To fulfil the board’s mandate
while controlling risks, a company might track and report credit criteria on suppliers and alert finance
staff once a certain number of suppliers fail to meet the criteria. Then it would be up to the staff whether
to take action or to make an exception, which would have to be approved by a more senior executive.
What to keep in mind
The order of words in the acronym GRC is no accident. Governance comes first because the first step
in defining a GRC approach is determining the organisation’s strategic direction and constraints,
including its risk appetite. Next comes risk assessment, which involves identifying areas of exposure,
quantifying their potential impacts and prioritising them by importance. The final and most tactical piece
is compliance—not just the traditional definition of obeying regulatory mandates, but also the mechanics
of ensuring that day-to-day actions address the company’s risk priorities. Steps often taken when
implementing risk and compliance systems include:
Identify the full range of risks. The dangers of credit risk have been seared into the consciousness of
every business executive. But most risks are more mundane: excessive inventory, high levels of returns,
or over-reliance on a handful of customers or suppliers, for instance. Although many of these risks do not
fall under the purview of the finance department, their measurement and reporting usually do.
Establish a risk management culture. The most efficient way to mitigate risks is often to take advantage
of existing processes. By identifying risks, setting up escalation thresholds, and building in alerts and
procedures to be triggered when thresholds are breached, companies can become more systematic and
proactive in managing risks.
Align controls with risks and embed into processes. When risks are prioritised, controls
should follow. Excessive alerts resulting from unnecessary controls or low risk thresholds can be
counterproductive. According to Luca Pighi, CFO of GE Capital Finance (Italy), too many red flags can
introduce confusion, not clarity. Similarly, fragmented, redundant and manual GRC processes often
result in too much data, leading to delays in recognising and acting on risks. Mr Pighi points out
the need to align risks and controls properly at the outset and then refine them continuously as the
business changes.
Devise procedures for manual interventions. No matter how much automation is introduced, there is
always the need for manual intervention, with its attendant risk of mistakes or fraud. According to Mr
Pighi, GE Capital Finance solved the problem by introducing a structured system of authorisation in which
line staff could only make manual journal entries with the approval of senior managers. No system can
be completely automated; all require the ability to accept exceptions via carefully designed and tracked
manual interventions.
Consolidate and track controls to ease the auditing process. Having auditors evaluate the effectiveness
of thousands of controls across multiple business units can be a time-consuming and expensive process.
By identifying and tracking the risks of control violations and consolidating this information in a single
place, companies can help auditors prioritise and streamline their recommendations for corrective action.
The result can be lower costs and faster audits.
Conclusion
A decade ago, most companies needed to be persuaded of the benefits of financial process automation,
which was seen largely as a way to reduce headcount and cut costs. Now automation is more widely
accepted, and there is an understanding that automation helps with better decision-making, but the
implications of automation for risk and compliance are still not fully understood.
In a holistic implementation of GRC, governance, risk and compliance are consistently defined, closely
linked, and manifested in end-to-end processes and controls. Well-designed GRC processes are robust
and repeatable. They efficiently integrate financial reporting, compliance and risk monitoring into
daily operations. Moreover, automated processes tend to be easier than manual processes to modify,
which helps organisations to adapt quickly to changes in business conditions, regulations or corporate
policy—many of which carry risks that are not immediately obvious. Companies can be more proactive in
addressing potential risks and more quickly mitigate existing risks, leading to less volatility and greater
sustainability in financial results.
No system eliminates the need for judgment. Senior executives still need to articulate policy;
managers still need to set the parameters that will drive risk management and compliance. Even a
high-performance automobile still needs a good driver. And as Warren Buffett once observed, the rear-view
mirror is always clearer than the windshield. Integrating GRC into financial processes can help to keep
that windshield clean and allows the company to drive into the future with confidence.
Appendix: Survey results
What are the biggest problems with your current financial processes? Select up to three.
(% respondents)
Too many manual processes: 39
Complex procedures which are difficult to model or automate: 33
Inconsistent methodologies around the organisation: 32
Lack of visibility and accountability: 29
Incompatible technology (eg, customised spreadsheets, databases and commercial products): 28
The need to reconcile inconsistent or redundant data from multiple sources: 28
Boundaries between departments, with departmental managers trying to hold on to authority: 25
Controls which are too numerous or restrictive: 22
Portions of the process depend on individuals who are not always available: 21
The need to document audit trails: 8
Other, please specify: 1

What would be the biggest benefits of an initiative to standardise and automate your financial processes? Select up to three.
(% respondents)
Cutting back on manual processes, decreasing risk of error: 51
Enhancing data integrity: 39
Freeing staff from routine number-crunching, redeploying into higher-value activities: 38
Meeting compressed deadlines/improve response time: 31
Reducing costs: 25
Standardisation of methodologies around the enterprise: 24
Better visibility into origin of numbers and how they are calculated: 19
Higher productivity: 19
Better compliance with regulatory requirements: 13
Able to identify and resolve bottlenecks: 11
Able to set risk thresholds, data access and other controls centrally: 7
Fewer opportunities for fraud: 5
Other, please specify: 1
What would be the biggest drawbacks of an initiative to standardise and automate financial processes? Select up to two.
(% respondents)
High level of investment required: 48
Difficulty of modeling complex financial processes: 24
Difficulty of getting buy-in from senior management: 22
Organisation is too diverse in its business lines: 22
Difficulty of getting buy-in from business lines/regions: 21
Multiple regulatory regimes make compliance rules unique by business and/or region: 19
Business model and operations are unique: 11
Financial processes are sufficiently fast, efficient and accurate now: 7
Other, please specify: 4

In the past five years, which of the following tasks has your organisation attempted to address by improving its financial processes? Select all that apply.
(% respondents)
Increase level of automation for processes in general: 76
Increase level of automation for internal controls: 51
Reduce redundancies: 41
Prioritise controls based on risk assessments: 41
Realign segregation of duties: 37
Other, please specify: 3
We have not attempted to improve our financial processes: 1

What improvements, if any, have resulted from these attempts? Increase level of automation for processes in general
(% respondents)
Columns: Much higher / Higher / No change / Lower / Much lower / Don’t know
Headcount: 2 16 42 35 3 3
Time required: 2 13 13 57 14 1
Control errors: 2 15 17 50 12 4
Audit costs: 2 14 48 24 5 7
Number of poor-quality decisions: 1 5 33 42 9 10
What improvements, if any, have resulted from these attempts? Increase level of automation for internal controls
(% respondents)
Columns: Much higher / Higher / No change / Lower / Much lower / Don’t know
Headcount: 3 17 45 31 2 3
Time required: 2 19 19 54 6
Control errors: 3 17 13 52 13 3
Audit costs: 2 17 39 30 6 7
Number of poor-quality decisions: 2 7 28 45 10 8

What improvements, if any, have resulted from these attempts? Reduce redundancies
(% respondents)
Columns: Much higher / Higher / No change / Lower / Much lower / Don’t know
Headcount: 2 13 32 44 5 3
Time required: 3 12 15 55 13 2
Control errors: 2 11 32 45 7 4
Audit costs: 1 10 51 28 4 7
Number of poor-quality decisions: 1 9 38 38 6 8

What improvements, if any, have resulted from these attempts? Realign segregation of duties
(% respondents)
Columns: Much higher / Higher / No change / Lower / Much lower / Don’t know
Headcount: 4 25 42 23 3 3
Time required: 1 23 28 39 6 2
Control errors: 2 18 26 41 11 2
Audit costs: 1 20 50 21 2 6
Number of poor-quality decisions: 1 11 38 40 2 8

What improvements, if any, have resulted from these attempts? Prioritise controls based on risk assessments
(% respondents)
Columns: Much higher / Higher / No change / Lower / Much lower / Don’t know
Headcount: 2 18 52 24 1 4
Time required: 1 24 30 39 4 3
Control errors: 1 19 28 44 7 2
Audit costs: 2 19 40 31 3 5
Number of poor-quality decisions: 9 31 49 7 5
Does your organisation regularly include risk evaluations as part of its financial processes?
(% respondents)
Yes: 75
No: 19
Don’t know: 6

What are the results of these risk evaluations?
(% respondents)
Columns: Much better / Better / No change / Worse / Much worse / Don’t know
Quality of decisions: 9 66 23 1 1
Efficiency of processes: 6 56 34 4
Prioritisation of controls: 8 65 24 1 2

In which region are you personally based?
(% respondents)
Western Europe: 34
Asia-Pacific: 27
North America: 20
Middle East and Africa: 8
Latin America: 7
Eastern Europe: 4

What is your primary industry?
(% respondents)
Financial services: 26
Healthcare, pharmaceuticals and biotechnology: 12
Energy: 11
Automotive: 10
Chemicals: 9
Consumer goods: 9
Government/Public sector: 8
IT and technology: 7
Retailing: 7

What are your organisation's global annual revenues in US dollars?
(% respondents)
$500m or less: 30
$500m to $1bn: 13
$1bn to $5bn: 18
$5bn to $10bn: 11
$10bn or more: 28
Which of the following best describes your job title?
(% respondents)
Board member: 2
CEO/President/Managing director: 11
CFO/Treasurer/Comptroller: 17
CIO/Technology director: 3
Other C-level executive: 4
SVP/VP/Director: 15
Head of Business Unit: 7
Head of Department: 12
Manager: 20
Other: 9

What are your main functional roles? Please choose no more than three functions.
(% respondents)
Finance: 69
Risk: 25
Strategy and business development: 24
General management: 24
IT: 22
Marketing and sales: 14
Operations and production: 11
Customer service: 7
R&D: 6
Information and research: 6
Procurement: 5
Human resources: 5
Legal: 4
Supply-chain management: 4
Other: 2
Whilst every effort has been taken to verify the
accuracy of this information, neither The Economist
Intelligence Unit Ltd. nor the sponsor of this report can
accept any responsibility or liability for reliance by any
person on this white paper or any of the information,
opinions or conclusions set out in the white paper.
LONDON
26 Red Lion Square
London
WC1R 4HQ
United Kingdom
Tel: (44.20) 7576 8000
Fax: (44.20) 7576 8476
E-mail: london@eiu.com
NEW YORK
111 West 57th Street
New York
NY 10019
United States
Tel: (1.212) 554 0600
Fax: (1.212) 586 1181/2
E-mail: newyork@eiu.com
HONG KONG
6001, Central Plaza
18 Harbour Road
Wanchai
Hong Kong
Tel: (852) 2585 3888
Fax: (852) 2802 7638
E-mail: hongkong@eiu.com