Managing risk through financial processes Embedding ...graphics.eiu.com/marketing/pdf/SAP GRC.pdf · governance, risk and compliance (GRC). Governance is the collection of board and

Managing risk through financial processesEmbedding governance, risk and compliance

A report from the Economist Intelligence Unit Sponsored by SAP

© Economist Intelligence Unit 2008Managing risk through financial processesEmbedding governance, risk and compliance

�

Managing risk through financial processes is an Economist Intelligence Unit report sponsored by SAP. The Economist Intelligence Unit bears sole responsibility for this report. The Economist Intelligence

Unit’s editorial team conducted the interviews and wrote the report. The findings and views expressed in this report do not necessarily reflect the views of the sponsor. Jan Fedorowicz was the author of the report and Dan Armstrong was the editor. Our thanks are due to all of the survey respondents and interviewees for their time and insights.

November 2008

Preface


2

Introduction

Most companies have tried at some point to automate and streamline financial processes. But these initiatives often focus more on reducing costs than on adding value. This may be

a mistake. The most valuable processes do not simply stream money and data between different functions, departments and business entities; they also feed reports, tests and controls that help managers become more proactive. Are sensitive transaction processes properly segregated and monitored? How flawless is the revenue recognition process? Will business decisions still make sense after a spike in oil prices, a bank failure or a drop in demand? The best processes flag these and other risks, helping managers to make informed decisions and ensuring compliance both with the law and with corporate policy.

Adding this kind of value to financial processes stands at the heart of a broader initiative known as governance, risk and compliance (GRC). Governance is the collection of board and C-suite approved policies that guide the company; GRC refers to the way those policies are put into operation as a set of rules, processes and controls. When the components of GRC are embedded within financial processes, they not only track financial flows but also alert management when things are in danger of going awry. In this way, GRC can help companies modify their processes over time in order to adapt continuously to emerging risks. Companies that fail to use their financial systems in this way may be missing an opportunity to manage risks more efficiently while improving the quality of decisions.

To find out how senior executives view their financial processes, the Economist Intelligence Unit surveyed a global sample of mostly financial executives in September 2008. Some respondents focused on the importance of developing processes that reduced costs and improved efficiency. Others acknowledged the importance of cost and efficiency, but also recognised that automated financial processes could be used to control risk, improve decision-making and enhance control.

About the survey

In September 2008, on behalf of SAP, the Economist Intelligence Unit surveyed 446 senior executives from nine industries about their views on their financial processes and their attempts to improve them. Survey respondents came from the finance, risk, general management, strategy/business development and information technology (IT) functions. They answered the survey

from locations around the world, with one-third from Western Europe, 20% from North America, 27% from Asia-Pacific and the rest from Eastern Europe, the Middle East, Latin America and Africa. Seventy percent of the companies had annual revenue over US$500m, and 28% had revenue over US$�0bn. Over one-third were at the board level or chief officer level, and another 15% were at the senior vice president level. The industries covered were chemicals, consumer goods, energy, financial services, the public sector, life sciences, IT and retailing.


�

In 1998 CFO magazine published an article on how Case Corporation, a US-based manufacturer, was working to automate, simplify and harmonise its financial processes. A decade later, financial

executives are still at it. When asked about issues with financial processes, survey respondents cited manual processes, inconsistent methodologies and complex procedures as the major problems (see Figure 1). Incompatible legacy systems, awkward handoffs of data, the lack of institutional knowledge, poor visibility and accountability, the need to spend time reconciling inconsistent and redundant data all continue to plague many chief financial officers (CFOs).

What executives are saying

39

33

32

29

28

28

25

22

21

8

1

Too many manual processes

Complex procedures which are difficult to model or automate

Inconsistent methodologies around the organisation

Lack of visibility and accountability

The need to reconcile inconsistent or redundant data from multiple sources

Incompatible technology (eg, customised spreadsheets, databases and commercial products)

Boundaries between departments, with departmental managers trying to hold on to authority

Controls which are too numerous or restrictive

Portions of the process depend on individuals who are not always available

The need to document audit trails

Other, please specify

Figure 1: Biggest problems with current financial processes (% respondents)

Cost-related concerns


�

� Ten things about the consequences of financial statement fraud: A look at some of the adverse consequences companies have experienced, Deloitte Forensic Center, September 2008.

One thing has changed, however: the prevalence of risk and the consequences of failing to control it. Now, as in 1998, CFOs often defer decisions to re-engineer financial processes because of the upfront cost. But costs need to be balanced against risks, and the risks arising from out-of-date, incomplete, inaccurate or easy-to-manipulate data have increased. For instance:

l The economic downturn is expected to increase the motivation for individuals to commit fraud, distract the CFOs and regulators charged with guarding against it, and reduce the resources needed to fight it.

l Not only has credit become difficult to obtain, but lenders now focus on the ability of potential borrowers to anticipate risk events and mitigate their impact. To evaluate borrowers, lenders are scrutinising financial controls and visibility into business processes. And starting in the third quarter of 2008, a rating agency, Standard & Poor’s, began to roll out a programme requiring companies to provide evidence of a “formal and effective risk management program” in order to receive a positive rating on their debt.

l Globalisation and higher levels of mergers and acquisitions (M&A) activity have prompted many companies to become more complex and fragmented across functions, business lines and geography. This complexity increases the odds of inaccurate or out-of-date information.

l Regulations that did not exist a decade ago require companies to ensure the integrity of data, processes and controls. This is a global trend, from Sarbanes-Oxley Section 404—which mandates internal financial controls and procedures for publicly-traded US companies—to Japan’s so-called JSOX, Canada’s Bill �98 and changes in EU Directives �, 7 and 8.

l Restatements of financials among US companies—mostly owing to poor documentation, lack of transparency and weak internal controls—have become more prevalent, rising from 116 in 1997 to 1,270 in 2007, according to a proxy research firm, Glass Lewis & Co.

l The number of fraud schemes identified in US Securities and Exchange Commission Accounting and Auditing Enforcement Releases doubled between 2000 and 2007. Moreover, the companies cited experienced stock price drops, restatements, delistings, litigation and bankruptcies at a rate far higher than the norm. �

48

24

22

22

21

19

11

7

4

High level of investment required

Difficulty of modeling complex financial processes

Difficulty of getting buy-in from senior management

Organisation is too diverse in its business lines

Difficulty of getting buy-in from business lines/regions

Multiple regulatory regimes make compliance rules unique by business and/or region

Business model and operations are unique

Financial processes are sufficiently fast, efficient and accurate now


Figure 2: Drawbacks of investing in standardised/automated financial processes (% respondents)



5

l A decade of investments in emerging markets has exposed companies to more potential for corruption. In Ernst & Young’s 2008 global fraud survey, the Middle East, India, Africa and the Far East indicated substantially higher levels of corruption (although the highest level was reported in Japan).

Just over one-half of the executives who responded to the survey did acknowledge that automating financial processes would reduce risk, and almost three-quarters said that automation would lead to fewer bad decisions. But many survey respondents did not link automated processes to reductions in the specific risks of fraud, restatements and errors. And relatively few recognised that automation could also be harnessed to improve monitoring, compliance and controls.

As Figure 2 demonstrates, many executives remain more focused on cost than risk. If respondents had any hesitation about moving forward with automation, it was because they feared that the costs of the change would be prohibitive. They also feared the challenges of modelling complex or idiosyncratic processes across diverse business lines, all of which might make it difficult to secure support from senior executives and business line heads. Ironically, the very complexity of existing processes becomes an argument against committing resources to simplification.

Only one-quarter of the executives cited “reducing costs” as a reason for standardising and automating financial processes. But savings do accrue from eliminating manual processes, unifying multiple systems and embedding controls into financial processes. This lower overhead can be quantified and compared to implementation costs to develop a return on investment. Other advantages of automation—better business decisions and risk management, more robust processes and fewer instances of non-compliance—are harder to quantify.

51

39

38

31

25

24

19

19

13

11

7

5

1

Cutting back on manual processes, decreasing risk of error

Enhancing data integrity

Freeing staff from routine number-crunching, redeploying into higher-value activities

Meeting compressed deadlines/improve response time

Reducing costs

Standardisation of methodologies around the enterprise

Higher productivity

Better visibility into origin of numbers and how they are calculated

Better compliance with regulatory requirements

Able to identify and resolve bottlenecks

Able to set risk thresholds, data access and other controls centrally

Fewer opportunities for fraud


Figure 3: Expected benefits from standardising and automating financial processes(% respondents)



�

Survey respondents certainly pointed to reductions in headcount, speedier execution and fewer errors as a result of financial process initiatives. But, perhaps more importantly, the initiatives also reduced

the number of poor decisions. Prioritising controls by the level of risk had an especially significant impact on decisions. So did automation. Even the segregation of duties led to significant improvements in decision-making. Executives clearly saw both bottom-line and less tangible benefits to improving financial processes.

Furthermore, the executives surveyed are starting to embed risk assessments into financial processes. About seven in ten said that they had added risk evaluations to their processes. And 7�% reported that when risk evaluations were included, the quality of decision-making improved. Six out of ten reported that process efficiency improved, and 72% said that the prioritisation of controls was enhanced when risk was included.

A holistic approachOne way of reading the survey results is that a growing number of executives are going beyond the narrow goal of simply automating processes. They are beginning to see that these initiatives can yield additional benefits in areas of risk and compliance.

Impact on decision-making

Figure 4: Percentage reporting fewer poor decisions as a result of a given initiativeInitiative % reporting fewer poor decisions

Prioritising controls based on risk 5�%

Increased automation 52%

Increased automation of internal controls �9%

Reduction in redundancies �5%

Realignment in segregation of duties ��%


7

For instance, Anglo-Dutch consumer goods multi-national Unilever has adopted a holistic approach to the upgrading of its financial processes. According to Khalid Noor, who improved financial processes as CFO of Unilever (Pakistan), the company used the redesign to improve governance and manage risk. It also enhanced speed, transparency and efficiency, as well as increasing the depth of analytics available to managers as part of a strategic focus on customer service.

In Unilever’s case, risk management was focused on issues such as currency exposure, brand health, customer service levels, cash management, inventory management and stock obsolescence, as well as the collection of receivables. Unilever viewed the enhancement of its financial processes as part of a larger initiative to put new tools into the hands of managers, which pushed GRC responsibilities into the ranks and gave managers the ability to act on risk and compliance issues.

A holistic approach to GRC can also be used to support initiatives mandated by the board of directors. For example, the board may decide to promote women entrepreneurs by favouring them in procurement, or to position the company as a “green” organisation. These decisions may have the side effect of increasing exposure to smaller or newer suppliers with higher credit risk. To fulfil the board’s mandate while controlling risks, a company might track and report credit criteria on suppliers and alert finance staff once a certain number of suppliers fail to meet the criteria. Then it would be up to the staff whether to take action or to make an exception, which would have to be approved by a more senior executive.


8

The order of words in the acronym GRC is no accident. Governance comes first because the first step in defining a GRC approach is determining the organisation’s strategic direction and constraints,

including its risk appetite. Next comes risk assessment, which involves identifying areas of exposure, quantifying their potential impacts and prioritising them by importance. The final and most tactical piece is compliance—not just the traditional definition of obeying regulatory mandates, but also the mechanics of ensuring that day-to-day actions address the company’s risk priorities. Steps often taken when implementing risk and compliance systems include:

Identify the full range of risks. The dangers of credit risk have been seared into the consciousness of every business executive. But most risks are more mundane: excessive inventory, high levels of returns, or over-reliance on a handful of customers or suppliers, for instance. Although many of these risks do not fall under the purview of the finance department, their measurement and reporting usually do.

Establish a risk management culture. The most efficient way to mitigate risks is often to take advantage of existing processes. By identifying risks, setting up escalation thresholds, and building in alerts and procedures to be triggered when thresholds are breached, companies can become more systematic and proactive in managing risks.

Align controls with risks and embed into processes. When risks are prioritised, controls should follow. Excessive alerts resulting from unnecessary controls or low risk thresholds can be counterproductive. According to Luca Pighi, CFO of GE Capital Finance (Italy), too many red flags can introduce confusion, not clarity. Similarly, fragmented, redundant and manual GRC processes often result in too much data, leading to delays in recognising and acting on risks. Mr Pighi points out the need to align risks and controls properly at the outset and then refine them continuously as the business changes.

What to keep in mind


9

Devise procedures for manual interventions. No matter how much automation is introduced, there is always the need for manual intervention, with its attendant risk of mistakes or fraud. According to Mr Pighi, GE Capital Finance solved the problem by introducing a structured system of authorisation in which line staff could only make manual journal entries with the approval of senior managers. No system can be completely automated; all require the ability to accept exceptions via carefully designed and tracked manual interventions.

Consolidate and track controls to ease the auditing process. Having auditors evaluate the effectiveness of thousands of controls across multiple business units can be a time-consuming and expensive process. By identifying and tracking the risks of control violations and consolidating this information in a single place, companies can help auditors prioritise and streamline their recommendations for corrective action. The result can be lower costs and faster audits.


�0

A decade ago, most companies needed to be persuaded of the benefits of financial process automation, which was seen largely as a way to reduce headcount and cut costs. Now automation is more widely

accepted, and there is an understanding that automation helps with better decision-making, but the implication of automation for risk and compliance are still not fully understood.

In a holistic implementation of GRC, governance, risk and compliance are consistently defined, closely linked, and manifested in end-to-end processes and controls. Well-designed GRC processes are robust and repeatable. They efficiently integrate financial reporting, compliance and risk monitoring into daily operations. Moreover, automated processes tend to be easier than manual processes to modify, which helps organisations to adapt quickly to changes in business conditions, regulations or corporate policy—many of which carry risks that are not immediately obvious. Companies can be more proactive in addressing potential risks and more quickly mitigate existing risks, leading to less volatility and greater sustainability in financial results.

No system eliminates the need for judgment. Senior executives still need to articulate policy; managers still need to set the parameters that will drive risk management and compliance. Even a high-performance automobile still needs a good driver. And as Warren Buffett once observed, the rear-view mirror is always clearer than the windshield. Integrating GRC into financial processes can help to keep that windshield clean and allows the company to drive into the future with confidence.

Conclusion

��

© Economist Intelligence Unit 2008AppendixSurvey results


Appendix: Survey results

39

33

32

29

28

28

25

22

21

8

1

Too many manual processes

Complex procedures which are difficult to model or automate

Inconsistent methodologies around the organisation

Lack of visibility and accountability

Incompatible technology (eg, customised spreadsheets, databases and commercial products)

The need to reconcile inconsistent or redundant data from multiple sources

Boundaries between departments, with departmental managers trying to hold on to authority

Controls which are too numerous or restrictive

Portions of the process depend on individuals who are not always available

The need to document audit trails


What are the biggest problems with your current financial processes? Select up to three. (% respondents)

51

39

38

31

25

24

19

19

13

11

7

5

1

Cutting back on manual processes, decreasing risk of error

Enhancing data integrity

Freeing staff from routine number-crunching, redeploying into higher-value activities

Meeting compressed deadlines/improve response time

Reducing costs

Standardisation of methodologies around the enterprise

Better visibility into origin of numbers and how they are calculated

Higher productivity

Better compliance with regulatory requirements

Able to identify and resolve bottlenecks

Able to set risk thresholds, data access and other controls centrally

Fewer opportunities for fraud


What would be the biggest benefits of an initiative to standardise and automate your financial processes? Select up to three. (% respondents)

�2



48

24

22

22

21

19

11

7

4

High level of investment required

Difficulty of modeling complex financial processes

Difficulty of getting buy-in from senior management

Organisation is too diverse in its business lines

Difficulty of getting buy-in from business lines/regions

Multiple regulatory regimes make compliance rules unique by business and/or region

Business model and operations are unique

Financial processes are sufficiently fast, efficient and accurate now


What would be the biggest drawbacks of an initiative to standardise and automate financial processes? Select up to two. (% respondents)

Increase level of automation for processes in general

Increase level of automation for internal controls

Reduce redundancies

Prioritise controls based on risk assessments

Realign segregation of duties


We have not attempted to improve our financial processes

76

51

41

41

37

3

1

In the past five years, which of the following tasks has your organisation attempted to address by improving its financial processes? Select all that apply. (% respondents)

Headcount

Time required

Control errors

Audit costs

Number of poor-quality decisions

What improvements, if any, have resulted from these attempts? Increase level of automation for processes in general(% respondents)

2

2

2

2

1

16

13

15

14

5

42

13

17

48

35

24

33

57

50

42

3

5

14

12

3

7

1

4

9 10

Much higher Higher No change Lower Much lower Don’t know

��



Headcount

Time required

Control errors

Audit costs


What improvements, if any, have resulted from these attempts? Increase level of automation for internal controls(% respondents)

3

2

3

2

2

17

19

17

17

45

19

13

39

7 28

31

54

52

30

45

2 3

6

13

6

10

3

7

8


Headcount

Time required

Control errors

Audit costs


What improvements, if any, have resulted from these attempts? Reduce redundancies(% respondents)

2

3

2

1

1

13

12

11

10

9

32

15

32

51

38

44

55

45

28

38

5

13

7

4

6

3

2

4

7

8


Headcount

Time required

Control errors

Audit costs


What improvements, if any, have resulted from these attempts? Realign segregation of duties (% respondents)

4

1

2

1

1

25

23

18

20

11

42

28

26

50

38

23

39

41

21

40

3

6

11

2

2

3

2

2

6

8


Headcount

Time required

Control errors

Audit costs


What improvements, if any, have resulted from these attempts? Prioritise controls based on risk assessments (% respondents)

2

1

1

2

18

24

19

19

9

52

30

28

40

31

24

39

44

31

49

1

4

7

3

7

4

3

2

5

5


��



Quality of decisions

Efficiency of processes

Prioritisation of controls

What are the results of these risk evaluations? (% respondents)

9

6

8

66

56

65

23

34

24

1

4

1

1

2

0

0

0

0

0

0

0

0

0

0

Much better Better No change Worse Much worse Don’t know

Yes

No

Don’t know

75

19

6

Does your organisation regularly include risk evaluations as part of its financial processes? (% respondents)

Western Europe

Asia-Pacific

North America

Middle East and Africa

Latin America

Eastern Europe

34

27

20

8

7

4

In which region are you personally based? (% respondents)

Financial services

Healthcare, pharmaceuticals and biotechnology

Energy

Automotive

Chemicals

Consumer goods

Government/Public sector

IT and technology

Retailing

26

12

11

10

9

9

8

7

7

What is your primary industry? (% respondents)

$500m or less

$500m to $1bn

$1bn to $5bn

$5bn to $10bn

$10bn or more

30

13

18

11

28

What are your organisation's global annual revenues inUS dollars? (% respondents)

�5



Board member

CEO/President/Managing director

CFO/Treasurer/Comptroller

CIO/Technology director

Other C-level executive

SVP/VP/Director

Head of Business Unit

Head of Department

Manager

Other

2

11

17

3

4

15

7

12

20

9

Which of the following best describes your job title? (% respondents)

Finance

Risk

Strategy and business development

General management

IT

Marketing and sales

Operations and production

Customer service

R&D

Information and research

Procurement

Human resources

Legal

Supply-chain management

Other

69

25

24

24

22

14

11

7

6

6

5

5

4

4

2

What are your main functional roles?Please choose no more than three functions. (% respondents)

Whilst every effort has been taken to verify the accuracy of this information, neither The Economist Intelligence Unit Ltd. nor the sponsor of this report can accept any responsibility or liability for reliance by any person on this white paper or any of the information, opinions or conclusions set out in the white paper.

Cover image © iStockphoto.com/seanrmcdermid

LONDON26 Red Lion SquareLondon WC1R 4HQUnited KingdomTel: (44.20) 7576 8000Fax: (44.20) 7576 8476E-mail: [email protected]

NEW YORK111 West 57th StreetNew York NY 10019United StatesTel: (1.212) 554 0600Fax: (1.212) 586 1181/2E-mail: [email protected]

HONG KONG6001, Central Plaza18 Harbour RoadWanchai Hong KongTel: (852) 2585 3888Fax: (852) 2802 7638E-mail: [email protected]

Documents

Managing risk through financial processes Embedding ...graphics.eiu.com/marketing/pdf/SAP GRC.pdf · governance, risk and compliance (GRC). Governance is the collection of board and