Upload
tranlien
View
217
Download
2
Embed Size (px)
Citation preview
Managing risk through financial processesEmbedding governance, risk and compliance
A report from the Economist Intelligence Unit Sponsored by SAP
© Economist Intelligence Unit 2008Managing risk through financial processesEmbedding governance, risk and compliance
�
Managing risk through financial processes is an Economist Intelligence Unit report sponsored by SAP. The Economist Intelligence Unit bears sole responsibility for this report. The Economist Intelligence
Unit’s editorial team conducted the interviews and wrote the report. The findings and views expressed in this report do not necessarily reflect the views of the sponsor. Jan Fedorowicz was the author of the report and Dan Armstrong was the editor. Our thanks are due to all of the survey respondents and interviewees for their time and insights.
November 2008
Preface
© Economist Intelligence Unit 2008Managing risk through financial processesEmbedding governance, risk and compliance
2
Introduction
Most companies have tried at some point to automate and streamline financial processes. But these initiatives often focus more on reducing costs than on adding value. This may be
a mistake. The most valuable processes do not simply stream money and data between different functions, departments and business entities; they also feed reports, tests and controls that help managers become more proactive. Are sensitive transaction processes properly segregated and monitored? How flawless is the revenue recognition process? Will business decisions still make sense after a spike in oil prices, a bank failure or a drop in demand? The best processes flag these and other risks, helping managers to make informed decisions and ensuring compliance both with the law and with corporate policy.
Adding this kind of value to financial processes stands at the heart of a broader initiative known as governance, risk and compliance (GRC). Governance is the collection of board and C-suite approved policies that guide the company; GRC refers to the way those policies are put into operation as a set of rules, processes and controls. When the components of GRC are embedded within financial processes, they not only track financial flows but also alert management when things are in danger of going awry. In this way, GRC can help companies modify their processes over time in order to adapt continuously to emerging risks. Companies that fail to use their financial systems in this way may be missing an opportunity to manage risks more efficiently while improving the quality of decisions.
To find out how senior executives view their financial processes, the Economist Intelligence Unit surveyed a global sample of mostly financial executives in September 2008. Some respondents focused on the importance of developing processes that reduced costs and improved efficiency. Others acknowledged the importance of cost and efficiency, but also recognised that automated financial processes could be used to control risk, improve decision-making and enhance control.
About the survey
In September 2008, on behalf of SAP, the Economist Intelligence Unit surveyed 446 senior executives from nine industries about their views on their financial processes and their attempts to improve them. Survey respondents came from the finance, risk, general management, strategy/business development and information technology (IT) functions. They answered the survey
from locations around the world, with one-third from Western Europe, 20% from North America, 27% from Asia-Pacific and the rest from Eastern Europe, the Middle East, Latin America and Africa. Seventy percent of the companies had annual revenue over US$500m, and 28% had revenue over US$�0bn. Over one-third were at the board level or chief officer level, and another 15% were at the senior vice president level. The industries covered were chemicals, consumer goods, energy, financial services, the public sector, life sciences, IT and retailing.
© Economist Intelligence Unit 2008Managing risk through financial processesEmbedding governance, risk and compliance
�
In 1998 CFO magazine published an article on how Case Corporation, a US-based manufacturer, was working to automate, simplify and harmonise its financial processes. A decade later, financial
executives are still at it. When asked about issues with financial processes, survey respondents cited manual processes, inconsistent methodologies and complex procedures as the major problems (see Figure 1). Incompatible legacy systems, awkward handoffs of data, the lack of institutional knowledge, poor visibility and accountability, the need to spend time reconciling inconsistent and redundant data all continue to plague many chief financial officers (CFOs).
What executives are saying
39
33
32
29
28
28
25
22
21
8
1
Too many manual processes
Complex procedures which are difficult to model or automate
Inconsistent methodologies around the organisation
Lack of visibility and accountability
The need to reconcile inconsistent or redundant data from multiple sources
Incompatible technology (eg, customised spreadsheets, databases and commercial products)
Boundaries between departments, with departmental managers trying to hold on to authority
Controls which are too numerous or restrictive
Portions of the process depend on individuals who are not always available
The need to document audit trails
Other, please specify
Figure 1: Biggest problems with current financial processes (% respondents)
Cost-related concerns
© Economist Intelligence Unit 2008Managing risk through financial processesEmbedding governance, risk and compliance
�
� Ten things about the consequences of financial statement fraud: A look at some of the adverse consequences companies have experienced, Deloitte Forensic Center, September 2008.
One thing has changed, however: the prevalence of risk and the consequences of failing to control it. Now, as in 1998, CFOs often defer decisions to re-engineer financial processes because of the upfront cost. But costs need to be balanced against risks, and the risks arising from out-of-date, incomplete, inaccurate or easy-to-manipulate data have increased. For instance:
l The economic downturn is expected to increase the motivation for individuals to commit fraud, distract the CFOs and regulators charged with guarding against it, and reduce the resources needed to fight it.
l Not only has credit become difficult to obtain, but lenders now focus on the ability of potential borrowers to anticipate risk events and mitigate their impact. To evaluate borrowers, lenders are scrutinising financial controls and visibility into business processes. And starting in the third quarter of 2008, a rating agency, Standard & Poor’s, began to roll out a programme requiring companies to provide evidence of a “formal and effective risk management program” in order to receive a positive rating on their debt.
l Globalisation and higher levels of mergers and acquisitions (M&A) activity have prompted many companies to become more complex and fragmented across functions, business lines and geography. This complexity increases the odds of inaccurate or out-of-date information.
l Regulations that did not exist a decade ago require companies to ensure the integrity of data, processes and controls. This is a global trend, from Sarbanes-Oxley Section 404—which mandates internal financial controls and procedures for publicly-traded US companies—to Japan’s so-called JSOX, Canada’s Bill �98 and changes in EU Directives �, 7 and 8.
l Restatements of financials among US companies—mostly owing to poor documentation, lack of transparency and weak internal controls—have become more prevalent, rising from 116 in 1997 to 1,270 in 2007, according to a proxy research firm, Glass Lewis & Co.
l The number of fraud schemes identified in US Securities and Exchange Commission Accounting and Auditing Enforcement Releases doubled between 2000 and 2007. Moreover, the companies cited experienced stock price drops, restatements, delistings, litigation and bankruptcies at a rate far higher than the norm. �
48
24
22
22
21
19
11
7
4
High level of investment required
Difficulty of modeling complex financial processes
Difficulty of getting buy-in from senior management
Organisation is too diverse in its business lines
Difficulty of getting buy-in from business lines/regions
Multiple regulatory regimes make compliance rules unique by business and/or region
Business model and operations are unique
Financial processes are sufficiently fast, efficient and accurate now
Other, please specify
Figure 2: Drawbacks of investing in standardised/automated financial processes (% respondents)
Cost-related concerns
© Economist Intelligence Unit 2008Managing risk through financial processesEmbedding governance, risk and compliance
5
l A decade of investments in emerging markets has exposed companies to more potential for corruption. In Ernst & Young’s 2008 global fraud survey, the Middle East, India, Africa and the Far East indicated substantially higher levels of corruption (although the highest level was reported in Japan).
Just over one-half of the executives who responded to the survey did acknowledge that automating financial processes would reduce risk, and almost three-quarters said that automation would lead to fewer bad decisions. But many survey respondents did not link automated processes to reductions in the specific risks of fraud, restatements and errors. And relatively few recognised that automation could also be harnessed to improve monitoring, compliance and controls.
As Figure 2 demonstrates, many executives remain more focused on cost than risk. If respondents had any hesitation about moving forward with automation, it was because they feared that the costs of the change would be prohibitive. They also feared the challenges of modelling complex or idiosyncratic processes across diverse business lines, all of which might make it difficult to secure support from senior executives and business line heads. Ironically, the very complexity of existing processes becomes an argument against committing resources to simplification.
Only one-quarter of the executives cited “reducing costs” as a reason for standardising and automating financial processes. But savings do accrue from eliminating manual processes, unifying multiple systems and embedding controls into financial processes. This lower overhead can be quantified and compared to implementation costs to develop a return on investment. Other advantages of automation—better business decisions and risk management, more robust processes and fewer instances of non-compliance—are harder to quantify.
51
39
38
31
25
24
19
19
13
11
7
5
1
Cutting back on manual processes, decreasing risk of error
Enhancing data integrity
Freeing staff from routine number-crunching, redeploying into higher-value activities
Meeting compressed deadlines/improve response time
Reducing costs
Standardisation of methodologies around the enterprise
Higher productivity
Better visibility into origin of numbers and how they are calculated
Better compliance with regulatory requirements
Able to identify and resolve bottlenecks
Able to set risk thresholds, data access and other controls centrally
Fewer opportunities for fraud
Other, please specify
Figure 3: Expected benefits from standardising and automating financial processes(% respondents)
Cost-related concerns
© Economist Intelligence Unit 2008Managing risk through financial processesEmbedding governance, risk and compliance
�
Survey respondents certainly pointed to reductions in headcount, speedier execution and fewer errors as a result of financial process initiatives. But, perhaps more importantly, the initiatives also reduced
the number of poor decisions. Prioritising controls by the level of risk had an especially significant impact on decisions. So did automation. Even the segregation of duties led to significant improvements in decision-making. Executives clearly saw both bottom-line and less tangible benefits to improving financial processes.
Furthermore, the executives surveyed are starting to embed risk assessments into financial processes. About seven in ten said that they had added risk evaluations to their processes. And 7�% reported that when risk evaluations were included, the quality of decision-making improved. Six out of ten reported that process efficiency improved, and 72% said that the prioritisation of controls was enhanced when risk was included.
A holistic approachOne way of reading the survey results is that a growing number of executives are going beyond the narrow goal of simply automating processes. They are beginning to see that these initiatives can yield additional benefits in areas of risk and compliance.
Impact on decision-making
Figure 4: Percentage reporting fewer poor decisions as a result of a given initiativeInitiative % reporting fewer poor decisions
Prioritising controls based on risk 5�%
Increased automation 52%
Increased automation of internal controls �9%
Reduction in redundancies �5%
Realignment in segregation of duties ��%
© Economist Intelligence Unit 2008Managing risk through financial processesEmbedding governance, risk and compliance
7
For instance, Anglo-Dutch consumer goods multi-national Unilever has adopted a holistic approach to the upgrading of its financial processes. According to Khalid Noor, who improved financial processes as CFO of Unilever (Pakistan), the company used the redesign to improve governance and manage risk. It also enhanced speed, transparency and efficiency, as well as increasing the depth of analytics available to managers as part of a strategic focus on customer service.
In Unilever’s case, risk management was focused on issues such as currency exposure, brand health, customer service levels, cash management, inventory management and stock obsolescence, as well as the collection of receivables. Unilever viewed the enhancement of its financial processes as part of a larger initiative to put new tools into the hands of managers, which pushed GRC responsibilities into the ranks and gave managers the ability to act on risk and compliance issues.
A holistic approach to GRC can also be used to support initiatives mandated by the board of directors. For example, the board may decide to promote women entrepreneurs by favouring them in procurement, or to position the company as a “green” organisation. These decisions may have the side effect of increasing exposure to smaller or newer suppliers with higher credit risk. To fulfil the board’s mandate while controlling risks, a company might track and report credit criteria on suppliers and alert finance staff once a certain number of suppliers fail to meet the criteria. Then it would be up to the staff whether to take action or to make an exception, which would have to be approved by a more senior executive.
© Economist Intelligence Unit 2008Managing risk through financial processesEmbedding governance, risk and compliance
8
The order of words in the acronym GRC is no accident. Governance comes first because the first step in defining a GRC approach is determining the organisation’s strategic direction and constraints,
including its risk appetite. Next comes risk assessment, which involves identifying areas of exposure, quantifying their potential impacts and prioritising them by importance. The final and most tactical piece is compliance—not just the traditional definition of obeying regulatory mandates, but also the mechanics of ensuring that day-to-day actions address the company’s risk priorities. Steps often taken when implementing risk and compliance systems include:
Identify the full range of risks. The dangers of credit risk have been seared into the consciousness of every business executive. But most risks are more mundane: excessive inventory, high levels of returns, or over-reliance on a handful of customers or suppliers, for instance. Although many of these risks do not fall under the purview of the finance department, their measurement and reporting usually do.
Establish a risk management culture. The most efficient way to mitigate risks is often to take advantage of existing processes. By identifying risks, setting up escalation thresholds, and building in alerts and procedures to be triggered when thresholds are breached, companies can become more systematic and proactive in managing risks.
Align controls with risks and embed into processes. When risks are prioritised, controls should follow. Excessive alerts resulting from unnecessary controls or low risk thresholds can be counterproductive. According to Luca Pighi, CFO of GE Capital Finance (Italy), too many red flags can introduce confusion, not clarity. Similarly, fragmented, redundant and manual GRC processes often result in too much data, leading to delays in recognising and acting on risks. Mr Pighi points out the need to align risks and controls properly at the outset and then refine them continuously as the business changes.
What to keep in mind
© Economist Intelligence Unit 2008Managing risk through financial processesEmbedding governance, risk and compliance
9
Devise procedures for manual interventions. No matter how much automation is introduced, there is always the need for manual intervention, with its attendant risk of mistakes or fraud. According to Mr Pighi, GE Capital Finance solved the problem by introducing a structured system of authorisation in which line staff could only make manual journal entries with the approval of senior managers. No system can be completely automated; all require the ability to accept exceptions via carefully designed and tracked manual interventions.
Consolidate and track controls to ease the auditing process. Having auditors evaluate the effectiveness of thousands of controls across multiple business units can be a time-consuming and expensive process. By identifying and tracking the risks of control violations and consolidating this information in a single place, companies can help auditors prioritise and streamline their recommendations for corrective action. The result can be lower costs and faster audits.
© Economist Intelligence Unit 2008Managing risk through financial processesEmbedding governance, risk and compliance
�0
A decade ago, most companies needed to be persuaded of the benefits of financial process automation, which was seen largely as a way to reduce headcount and cut costs. Now automation is more widely
accepted, and there is an understanding that automation helps with better decision-making, but the implication of automation for risk and compliance are still not fully understood.
In a holistic implementation of GRC, governance, risk and compliance are consistently defined, closely linked, and manifested in end-to-end processes and controls. Well-designed GRC processes are robust and repeatable. They efficiently integrate financial reporting, compliance and risk monitoring into daily operations. Moreover, automated processes tend to be easier than manual processes to modify, which helps organisations to adapt quickly to changes in business conditions, regulations or corporate policy—many of which carry risks that are not immediately obvious. Companies can be more proactive in addressing potential risks and more quickly mitigate existing risks, leading to less volatility and greater sustainability in financial results.
No system eliminates the need for judgment. Senior executives still need to articulate policy; managers still need to set the parameters that will drive risk management and compliance. Even a high-performance automobile still needs a good driver. And as Warren Buffett once observed, the rear-view mirror is always clearer than the windshield. Integrating GRC into financial processes can help to keep that windshield clean and allows the company to drive into the future with confidence.
Conclusion
��
© Economist Intelligence Unit 2008AppendixSurvey results
Managing risk through financial processesEmbedding governance, risk and compliance
Appendix: Survey results
39
33
32
29
28
28
25
22
21
8
1
Too many manual processes
Complex procedures which are difficult to model or automate
Inconsistent methodologies around the organisation
Lack of visibility and accountability
Incompatible technology (eg, customised spreadsheets, databases and commercial products)
The need to reconcile inconsistent or redundant data from multiple sources
Boundaries between departments, with departmental managers trying to hold on to authority
Controls which are too numerous or restrictive
Portions of the process depend on individuals who are not always available
The need to document audit trails
Other, please specify
What are the biggest problems with your current financial processes? Select up to three. (% respondents)
51
39
38
31
25
24
19
19
13
11
7
5
1
Cutting back on manual processes, decreasing risk of error
Enhancing data integrity
Freeing staff from routine number-crunching, redeploying into higher-value activities
Meeting compressed deadlines/improve response time
Reducing costs
Standardisation of methodologies around the enterprise
Better visibility into origin of numbers and how they are calculated
Higher productivity
Better compliance with regulatory requirements
Able to identify and resolve bottlenecks
Able to set risk thresholds, data access and other controls centrally
Fewer opportunities for fraud
Other, please specify
What would be the biggest benefits of an initiative to standardise and automate your financial processes? Select up to three. (% respondents)
�2
© Economist Intelligence Unit 2008AppendixSurvey results
Managing risk through financial processesEmbedding governance, risk and compliance
48
24
22
22
21
19
11
7
4
High level of investment required
Difficulty of modeling complex financial processes
Difficulty of getting buy-in from senior management
Organisation is too diverse in its business lines
Difficulty of getting buy-in from business lines/regions
Multiple regulatory regimes make compliance rules unique by business and/or region
Business model and operations are unique
Financial processes are sufficiently fast, efficient and accurate now
Other, please specify
What would be the biggest drawbacks of an initiative to standardise and automate financial processes? Select up to two. (% respondents)
Increase level of automation for processes in general
Increase level of automation for internal controls
Reduce redundancies
Prioritise controls based on risk assessments
Realign segregation of duties
Other, please specify
We have not attempted to improve our financial processes
76
51
41
41
37
3
1
In the past five years, which of the following tasks has your organisation attempted to address by improving its financial processes? Select all that apply. (% respondents)
Headcount
Time required
Control errors
Audit costs
Number of poor-quality decisions
What improvements, if any, have resulted from these attempts? Increase level of automation for processes in general(% respondents)
2
2
2
2
1
16
13
15
14
5
42
13
17
48
35
24
33
57
50
42
3
5
14
12
3
7
1
4
9 10
Much higher Higher No change Lower Much lower Don’t know
��
© Economist Intelligence Unit 2008AppendixSurvey results
Managing risk through financial processesEmbedding governance, risk and compliance
Headcount
Time required
Control errors
Audit costs
Number of poor-quality decisions
What improvements, if any, have resulted from these attempts? Increase level of automation for internal controls(% respondents)
3
2
3
2
2
17
19
17
17
45
19
13
39
7 28
31
54
52
30
45
2 3
6
13
6
10
3
7
8
Much higher Higher No change Lower Much lower Don’t know
Headcount
Time required
Control errors
Audit costs
Number of poor-quality decisions
What improvements, if any, have resulted from these attempts? Reduce redundancies(% respondents)
2
3
2
1
1
13
12
11
10
9
32
15
32
51
38
44
55
45
28
38
5
13
7
4
6
3
2
4
7
8
Much higher Higher No change Lower Much lower Don’t know
Headcount
Time required
Control errors
Audit costs
Number of poor-quality decisions
What improvements, if any, have resulted from these attempts? Realign segregation of duties (% respondents)
4
1
2
1
1
25
23
18
20
11
42
28
26
50
38
23
39
41
21
40
3
6
11
2
2
3
2
2
6
8
Much higher Higher No change Lower Much lower Don’t know
Headcount
Time required
Control errors
Audit costs
Number of poor-quality decisions
What improvements, if any, have resulted from these attempts? Prioritise controls based on risk assessments (% respondents)
2
1
1
2
18
24
19
19
9
52
30
28
40
31
24
39
44
31
49
1
4
7
3
7
4
3
2
5
5
Much higher Higher No change Lower Much lower Don’t know
��
© Economist Intelligence Unit 2008AppendixSurvey results
Managing risk through financial processesEmbedding governance, risk and compliance
Quality of decisions
Efficiency of processes
Prioritisation of controls
What are the results of these risk evaluations? (% respondents)
9
6
8
66
56
65
23
34
24
1
4
1
1
2
0
0
0
0
0
0
0
0
0
0
Much better Better No change Worse Much worse Don’t know
Yes
No
Don’t know
75
19
6
Does your organisation regularly include risk evaluations as part of its financial processes? (% respondents)
Western Europe
Asia-Pacific
North America
Middle East and Africa
Latin America
Eastern Europe
34
27
20
8
7
4
In which region are you personally based? (% respondents)
Financial services
Healthcare, pharmaceuticals and biotechnology
Energy
Automotive
Chemicals
Consumer goods
Government/Public sector
IT and technology
Retailing
26
12
11
10
9
9
8
7
7
What is your primary industry? (% respondents)
$500m or less
$500m to $1bn
$1bn to $5bn
$5bn to $10bn
$10bn or more
30
13
18
11
28
What are your organisation's global annual revenues inUS dollars? (% respondents)
�5
© Economist Intelligence Unit 2008AppendixSurvey results
Managing risk through financial processesEmbedding governance, risk and compliance
Board member
CEO/President/Managing director
CFO/Treasurer/Comptroller
CIO/Technology director
Other C-level executive
SVP/VP/Director
Head of Business Unit
Head of Department
Manager
Other
2
11
17
3
4
15
7
12
20
9
Which of the following best describes your job title? (% respondents)
Finance
Risk
Strategy and business development
General management
IT
Marketing and sales
Operations and production
Customer service
R&D
Information and research
Procurement
Human resources
Legal
Supply-chain management
Other
69
25
24
24
22
14
11
7
6
6
5
5
4
4
2
What are your main functional roles?Please choose no more than three functions. (% respondents)
Whilst every effort has been taken to verify the accuracy of this information, neither The Economist Intelligence Unit Ltd. nor the sponsor of this report can accept any responsibility or liability for reliance by any person on this white paper or any of the information, opinions or conclusions set out in the white paper.
Cover image © iStockphoto.com/seanrmcdermid
LONDON26 Red Lion SquareLondon WC1R 4HQUnited KingdomTel: (44.20) 7576 8000Fax: (44.20) 7576 8476E-mail: [email protected]
NEW YORK111 West 57th StreetNew York NY 10019United StatesTel: (1.212) 554 0600Fax: (1.212) 586 1181/2E-mail: [email protected]
HONG KONG6001, Central Plaza18 Harbour RoadWanchai Hong KongTel: (852) 2585 3888Fax: (852) 2802 7638E-mail: [email protected]