Smart Control
Transforming controls to reduce cost, enable growth and keep the business safe
Insights on governance, risk and compliance
January 2013
Contents
Introduction
Value of Smart Control
Discovering pain points in your control environment
Our approach to achieving Smart Control
Risk and Controls Analysis Platform (RiCAP™)
Want to learn more about Smart Control?
Companies that align risk management with strategy protect and enhance shareholder value. Companies in the top 20% of risk maturity generated three times the level of EBITDA as those in the bottom 20%. Financial performance is highly correlated with the level of integration and coordination across risk, control and compliance functions.
Source: Turning risk into results, Ernst & Young, 2012.
Introduction
There is a common failure to recognize controls as foundational to all business processes and a key contributor to process costs. Our experience indicates that up to 30% of process cost relates to controlling activities including reviewing, approving and reconciling process activities as well as securing access and data. In addition, there are significant testing and assurance costs associated with control-related activities.
Despite this significant spend, today’s control environment is not fit for purpose. A company’s control environment should support the execution of a profitable growth strategy. However, many organizations view their control environment as expensive, of limited value and, in some cases, a hindrance to the agility needed to respond to a dynamic economic environment. The following are common trends in controls for large multinational companies:
• Companies spend increasing amounts on control without any real ability to quantify the outflow or gain certainty that they are achieving the expected return on investment. Despite these expenditures, companies still experience significant control deficiencies and, as a result, are still exposed to risks.
• As companies have allocated material resources in response to years of growing regulatory pressures, they have accumulated layers of redundant, ineffective and misaligned controls. Moreover, attempts to optimize these controls have primarily focused on reducing the level of testing and monitoring, forfeiting any real opportunities to drive efficiencies in the operation of controls.
• Companies have developed control systems that are complex, duplicative, manual and disconnected from business operations. Instead of addressing the root cause of deficiencies, many organizations respond by installing controls in duplicate or even triplicate. We frequently find that up to 40% of controls are duplicative or can be removed because they are misaligned with the risks deemed most important to the business.
• ERP systems are generally underutilized. While companies have invested heavily in ERP systems, which often have built-in features to monitor financial or business controls, most only harness a fraction of their value. A 2011 Ernst & Young survey on risk management (Turning risk into results, 2012) revealed that only 3% of the executives surveyed have fully automated more than half of the key controls available through the system, while only 22% had automated more than a quarter of the key controls.
• Organizations also have to contend with a lack of transparency and confidence. Despite the significant investment we’ve mentioned, many stakeholders still report that they are not confident that controls will mitigate unforeseen risks from internal influences (e.g., operational deficiencies, employee turnover) or external influences (regulations, economy, customers and suppliers).
In addition, strategic initiatives such as process transformation, shared service and outsourcing, offshoring, enterprise cost reduction, and mergers and acquisitions often change the risk profile of an organization, including risk tolerance, likelihood and impact. Organizations often fail to consider the impact of these initiatives on controls and often do not realign controls with the new strategic focus of the organization. This can and does strain performance and drive up execution costs.
Value of Smart Control
Organizations have been reluctant to consider opportunities to remove excessive costs from controls. There is a common fear that streamlining controls would reduce quality and expose the enterprise to risk. Even where organizations recognize there is an opportunity to improve their approach to controls, we believe they often adopt a suboptimal response that does not realize the full potential benefit. For example:
• Deploying a monitoring tool on top of the existing controls rather than addressing the root cause of control deficiencies
• Retrofitting instead of integrating controls to an existing transformation program such as an ERP implementation or shared services program
• Not considering the changes needed in organizational design, technical proficiencies and behavior to reduce risk
• Using compliance or assurance requirements as a lever to enforce change instead of motivating change as a business imperative
Companies are not fully leveraging automated controls
• More than one out of five companies (22%) do not leverage automated tools to manage governance, risk and compliance (GRC) and rely solely on manual efforts.
• Four out of 10 companies indicate that too much staff time is consumed in managing IT risk issues, but only 14% of respondents indicated that 51% or more of their GRC-related controls are automated.
Source: Joseph McKendrick, Moving to New ERP Environments: 2011 OAUG Governance, Risk and Compliance Best Practices Survey, Unisphere Research, February 2011.
We have challenged these paradigms by helping our clients simplify their process and controls to be efficient (optimal costs and timely) and effective (preventive and detective) and focused on the risks that matter most. Ernst & Young has developed a Smart Control approach that helps companies realize reductions in the cost of controls, enable growth and keep the business safe by creating an integrated, streamlined and dynamic control environment.
Our Smart Control solution can deliver the following:
• Reduced controls spend considers the key drivers for controlling spending, calculating the costs, and comparing financial outlay to risks and acceptable levels of risk exposure. This approach identifies any spend on controls that is not aligned with the company’s risk profile and initiates an effort to transform or overhaul the process.
• Improved accountability for risk supports the assignment of key risk assessment and mitigation activities to key people throughout the organization, empowering employees to manage risk through ongoing communication, training and reporting.
• Accelerated process execution eliminates or automates labor intensive, duplicative or unnecessary process and control activities.
• Alignment with strategy to confirm how well strategic objectives are supported by clearly defined and prioritized risks, as well as risk management effort/resources. When strategies, risks and controls are misaligned, the organization needs to look for ways to transform processes and realign workflows as necessary.
An integrated, streamlined and dynamic control environment provides the agility to anticipate and respond to changes.
[Figure: Smart Control and its four elements: Align with strategy, Reduce controls spend, Improve accountability for risk, Accelerate process execution]
Balancing value, cost and risk in their processes and controls helps companies create a competitive advantage.
We help companies realize 20% to 40% reductions in the cost of controls by creating an integrated, streamlined and dynamic control environment.
Discovering pain points in your control environment
Complete the following questionnaire to evaluate key indicators of maturity for your control environment — controls spend, accountability for risk, process execution and strategic alignment.
Attributes of your control environment
Rating (1 to 5): 1 – Strongly disagree, 5 – Strongly agree
Controls spend
• Amount spent on control design, execution and monitoring is visible
• Controls are aligned with risk tolerances
• Automated controls are fully leveraged
• Preventive and detective controls are properly balanced
• Ownership (responsibility) for each control is defined
• Controls are standardized across business units
• Entity-level and monitoring controls exist and are reliable
• Control redundancies are minimal
Accountability for risk
• Board and management are structured to provide effective oversight and management of risk
• Communication to stakeholders is consistent and effective
• The assignment of responsibilities for risk and control activities is timely and consistent
• The organization is effective in leveraging technology
Elements assessed below 3 (agree) may be indicative of an opportunity for improvement to confirm your control environment is well designed, understood and operating effectively. Leading control environments affirm agreement to strong agreement with each of the elements presented in this questionnaire.
Process execution
• Internal controls make process execution more effective
• Metrics and reporting are used to monitor process effectiveness
• Processes and initiatives directly support strategic objectives
• Processes are standardized throughout business
• Policies and operating procedures are periodically reviewed and updated
• Resources and competencies are sufficient to support process objectives
• Information technology is used to make processes more efficient
Alignment with strategy
• Risks taken are aligned to your business strategies and objectives
• Risk management activities are integrated with planning and execution
• Your acceptable level of risk is defined and communicated
• Change management is employed and tracked to support new strategies
• Your enterprise risk management plan is robust and well communicated
• Metrics and reporting are used to monitor strategic initiatives
• Strategic plans and initiatives are documented and communicated
Our approach to achieving Smart Control
Ernst & Young’s Smart Control approach is a well-defined work plan that leverages normative process and control models and data analysis to help clients build a business case, design and implementation plan for controls transformation. In the same way that shared services have driven the efficiency of finance functions, the ultimate goal of this approach is to provide “controls as a service” to realize efficiencies, embed new working practices and create a sustainable operating model for controls.
Optimizing a control environment
Ernst & Young helped the company create a single streamlined set of controls and embed the controls into its ERP system (SAP) to provide real-time assurance that the control environment was working effectively. The company anticipates that the new control environment will help it reduce control costs by 50% and absorb future growth in the business without incurring higher costs.
Controls are not well aligned with the risks that matter
• A study by the Economist Intelligence Unit found that half of those responding had gaps in their coverage of risks — even though a majority had seven or more risk and control functions across the business.
• Only 55% of respondents plan to use a formal risk management methodology when they upgrade their ERP system.
Source: The future of risk, Ernst & Young, 2009.
[Figure: the Smart Control four-step approach. Phase labels: Develop strategy, Design and build, Run and operate. Steps: 1. Understand the opportunity; 2. Create “zero-based” controls framework; 3. Leverage existing or invest in new technology enablers; 4. Embed low-cost, effective, sustainable operating model. Center label: Zero-based controls framework − a single, global, streamlined set of controls aligned to risks that matter, leveraging technology and implementing continuous monitoring capabilities.]
Activities listed in the figure:
• Create clarity, alignment and commitment in the business
• Understand the current state of the control environment including the proficiency of risk management functions
• Understand control cost drivers and compare to benchmarks
• Align business case to overall enterprise strategy
• Create a business case and execution plan
• Design a zero-based controls framework aligned to process objectives
• Evaluate technology enablers and integrate into existing technology infrastructure
• Create a functional operating model
• Execute new control capabilities applying a cost-effective operating model
• Document revised control model
• Execute, monitor and remediate new controls
• Measure return on investment
Smart Control — a four-step approach
1. Understand the opportunity
Key steps:
• Align stakeholders across the organization — create a shared understanding of the opportunity
• Benchmark performance against Ernst & Young’s reference models
• Evaluate the alignment of process and control activities to business and strategic objectives
• Identify high control cost areas as well as over- and under-controlled areas, and prioritize improvement opportunities
• Deploy proven reference models for Smart Control covering process, risks, controls, and system design and build for financial and operational processes
Ernst & Young’s input:
• Acceleration event to stimulate and engage
• Cost and alignment analysis through Ernst & Young’s proprietary RiCAP™ tool
• Risk tolerance maturity framework for business processes
• Benchmarking and peer comparison to challenge perception and illustrate potential
• Process- and industry-specific normative models and ERP controls models
• Business case preparation
2. Create a zero-based controls framework
Key steps:
• Design and build zero-based control set that is aligned to and supportive of business and strategic objectives
• Challenge and justify every control in alignment with risk tolerance levels
• Eliminate unnecessary manual activities
Ernst & Young’s input:
• Risk management and governance organizational design that defines accountability for risks and controls
• Control environment maturity assessment
• Process, risk and controls mapping and automated process control playbook
• Control automation and optimization advice
3. Leverage existing or invest in new technology enablers
Key steps:
• Implement automated “prevent” controls within existing IT systems and processes
• Make better use of out-of-the-box systems’ capability to turn on prevent controls
• Review master data standards and processes
• Embed control operation into the fabric of the business process and governance structure
• Target the most labor-intensive areas first to drive efficiency
• Select and implement relevant GRC tools to automate control execution and monitoring activities
• Promote transparency through dynamic dashboards and reporting
• Accelerate benefits delivery through insightful analytics
Ernst & Young’s input:
• ERP design/architecture
• Automated control implementation
• Controls design
• Process, risk and controls analytics
• ERP GRC module implementation
• Controls testing
• Continuous controls/process monitoring design
• Control self-assessment
• Program risk management
4. Embed low-cost, effective, sustainable operating model
Key steps:
• Design the operating approach, consolidating control monitoring and reporting activity to a single controls shared services function
• Implement new ways of working
• Continuously improve and automate controls life cycle (design, operate, monitor, remediate and report)
Ernst & Young’s input:
• Organizational design
• Change management
• Service implementation guidance
• Benefits realization advice
Top-performing organizations use analytics five times more than lower performers. Leading companies were twice as likely to use analytics to guide future strategies as well as to guide their day-to-day operations as lower performers.
Source: Turning risk into results, Ernst & Young, 2012
Risk and Controls Analysis Platform (RiCAP™)
Ernst & Young has developed a technology platform called RiCAP™ to evaluate an organization’s control environment and identify opportunities for Smart Control. This platform evaluates key inputs, such as enterprise objectives, risks, controls, cost drivers and acceptable risk levels. The results provide insight on areas that are over- and under-controlled.
[Figure: RiCAP™ (Risk and Controls Analysis Platform). Current state inputs: Strategic objectives, Business objectives, Entity-level risks, Processes, Transactional level risks, Controls, Degree of risk (risk tolerance), Control cost drivers, IT impact. Platform activities: Collect process, risk and control data (including cost of controls); Understand the control environment and alignment with strategic objectives; Analyze risk and control data; Identify gaps and improvement opportunities. Outputs: Over/under controlled, Needs improvement, Prioritized improvement opportunities, Future state design. Continuous monitoring: Output reanalyzed by RiCAP™.]
RiCAP™ and our overall Smart Control approach are designed to accommodate the unique needs of more than 16 principal sectors. We combine our industry-specific perspectives and deep risk and controls experiences to create tailored solutions for our clients.
RiCAP™ provides actionable data and reports that can be shared with multiple stakeholders and used to support a business case for transformation. The output helps organizations to:
• Align control expenditures to meet organizational objectives
• Compare spend to the risk profile and degree of risk
• Identify potential process inefficiencies and risk exposure
• Identify controls that are unmapped to any risk resulting in immediate cost savings
Tools and enablers
• Standardized data collection templates
• RiCAP data analysis platform
• Dynamic reporting tools for analysis results
• Assessment report design
[Sample assessment report page: “Client Name – Controls Transformation Detailed Assessment Summary”, page 9]
Detailed Assessment Results
Alignment with strategy – Risks that do not correlate to strategic objectives
The following risks are included in the current risk listing but do not directly correlate to the <Organization’s Name>’s strategic/business (select one) objectives:
Columns: Description of Risk | Process Name | Estimated cost of controls | Other impacts | Improvement Opportunity
This slide should be used to list out risks that are currently being tracked and mitigated by the process but do not directly correlate or impact the defined strategic or business objectives of the process and organization. The objective of this analysis is to determine the cost that is being spent on managing risks that do not matter and identify improvement opportunities to address this issue.
Example:
• Description of Risk: Manual depreciation entries for fixed assets are not accurately calculated and recorded.
• Process Name: Record to Report
• Estimated cost of controls: $200K
• Other impacts: Current ERP system is not being fully leveraged
• Improvement Opportunity: Evaluate current risk management function at a process level; consider automating manual controls
Want to learn more about Smart Control?
After an initial exploratory discussion to understand the challenges you are seeking to address or that have been revealed through your completion of the questionnaire in this brochure, Ernst & Young will conduct a free interactive workshop for your executive team to help your organization in exploring the potential benefits of the Smart Control approach.
Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.
About Ernst & Young’s Advisory Services
The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 25,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference.
© 2013 EYGM Limited. All Rights Reserved.
EYG no. AU1355
In line with Ernst & Young’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.
At Ernst & Young, our services focus on our clients’ specific business needs and issues because we recognize that these are unique to that business.
Effective risk management is critical to helping modern organizations achieve their goals and it offers the opportunity to accelerate performance while protecting against the uncertainties, barriers and pitfalls inherent in any business. Integrating sound risk management principles and practices throughout operational, financial and even cultural aspects of the organization can provide a competitive advantage in the market and drive cost-effective risk processes internally.
Our 6,000 Risk professionals draw on extensive personal experience to give you fresh perspectives and open, objective support — wherever you are in the world. We work with you to develop an integrated, holistic approach to managing risk and can provide resources to address specific risk issues. We understand that to achieve your potential, you need tailored services as much as consistent methodologies. We work to give you the benefit of our broad sector experience, our deep subject-matter knowledge and the latest insights from our work worldwide. It’s how Ernst & Young makes a difference.
For more information on how we can make a difference in your organization, contact your local Ernst & Young professional or a member of our team listed below.
Contact details of our Risk leaders
How Ernst & Young makes a difference
Global RISK Leader
Paul van Kessel +31 88 40 71271
Area RISK Leaders
Americas
Jay Layman +1 312 879 5071
EMEIA
Jonathan Blackmore +44 20 795 11616
Asia-Pacific
Iain Burnet +61 8 9429 2486
Japan
Shohei Harada +81 3 3503 1100